The Frameworks That Matter to UK Organisations
Six major frameworks across information security, data protection, payment card, network security, and cybersecurity programme management — with current updates and what they mean for your organisation.
Information Security Management System
ISO 27001:2022 is the international standard for information security management. The 2022 revision introduced 11 new controls covering threat intelligence, cloud security, data masking, and secure coding. Certification demonstrates to customers, partners, and regulators that your security is systematically managed — not ad hoc.
- ISMS scope definition and risk treatment plan
- Annex A controls mapping (93 controls across 4 themes: organisational, people, physical, technological)
- Statement of Applicability (SoA) preparation
- Internal audit programme and management review
- Certification body audit preparation and support
Data Protection & Privacy
The UK GDPR (the EU GDPR as retained in UK law after Brexit) and the Data Protection Act 2018 impose legal obligations on any organisation that processes the personal data of individuals in the UK. Article 32 requires "appropriate technical and organisational measures" proportionate to the risk, which must be evidenced through documented controls, risk assessments, and incident procedures.
- Article 32 technical measures: encryption, access control, backup and restore testing
- Data Protection Impact Assessments (DPIA) for high-risk processing
- Records of Processing Activities (RoPA) maintenance
- Breach notification procedures (report to the ICO within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals; notify affected individuals without undue delay where the risk is high)
- DPO appointment where required, and data subject rights processes
NCSC UK Government Certification
Cyber Essentials is the NCSC's baseline certification scheme, delivered through IASME. It is required of suppliers bidding on central government contracts that involve handling personal information or providing certain ICT products and services. The scheme defines five technical controls that the NCSC estimates would prevent around 80% of common cyber attacks. Cyber Essentials Plus (CE Plus) adds independent technical verification: an assessor tests a sample of in-scope devices hands-on rather than relying on the self-assessment questionnaire alone.
- Firewall configuration (boundary and host-based)
- Secure configuration (change default credentials, remove unnecessary services and software)
- User access control (least privilege, separate administrative accounts, MFA for cloud services)
- Malware protection (anti-malware software or application allow-listing)
- Security update management (patches for critical and high-severity vulnerabilities, CVSS v3 7.0 or above, applied within 14 days of release)
Payment Card Industry Standard
PCI DSS v4.0 was published in March 2022 and became the only active version when v3.2.1 was retired on 31 March 2024; its future-dated requirements became mandatory on 31 March 2025 (v4.0.1, a clarifying revision, was issued in June 2024). The standard introduced the customised approach as an alternative to the defined approach, extended MFA requirements, and targeted risk analyses for requirements whose frequency the entity must set itself. All organisations that store, process, or transmit cardholder data must comply, assessed by self-assessment questionnaire (SAQ) or an on-site assessment by a Qualified Security Assessor (QSA), depending on merchant or service-provider level, which is set by transaction volume and acquirer or card-brand rules.
- Cardholder data environment (CDE) scoping and segmentation
- Network security controls (firewalls, access lists)
- Vulnerability management and patch cadence (Requirements 6 & 11)
- Access control and authentication (MFA for all access into the CDE)
- Monitoring and logging (Requirement 10: audit logs protected from modification and deletion, retained for at least 12 months)
Network & Information Systems Security
NIS2 (Directive (EU) 2022/2555, which member states had to transpose by 17 October 2024) significantly expanded the scope of NIS regulation across the EU: more sectors are covered, requirements are stricter, and management bodies can be held personally liable for breaches of their obligations. The UK did not adopt NIS2. UK operators of essential services and relevant digital service providers remain subject to the UK NIS Regulations 2018, which the Government has announced it will update through a Cyber Security and Resilience Bill; UK suppliers to EU entities may still inherit NIS2 requirements contractually.
- Risk management measures across all ICT systems
- Incident handling and reporting (early warning within 24 hours, incident notification within 72 hours, final report within one month)
- Business continuity and crisis management measures
- Supply chain security: assessing ICT supplier risk
- Senior management accountability and training requirements
Cybersecurity Framework
NIST CSF 2.0 (released February 2024) added a sixth function, Govern, to the original Identify, Protect, Detect, Respond, Recover functions, and broadened the framework's intended audience beyond critical infrastructure to organisations of any size and sector. It provides a common language for describing and measuring cybersecurity posture, and is widely adopted by UK organisations seeking a vendor-neutral framework for security programme management alongside formal certification.
- Govern: cybersecurity risk strategy, policy, and roles
- Identify: asset management, risk assessment, supply chain
- Protect: access control, training, data security, resilience
- Detect: continuous monitoring, anomaly detection
- Respond & Recover: response planning, communications, improvements
How Servnet Solutions Map to Compliance Frameworks
One product deployment often satisfies controls across multiple frameworks simultaneously — reducing cost and complexity.
Compliance Requirements by Industry
FCA-regulated firms face overlapping obligations from PCI DSS (for payment card data), UK GDPR (customer personal data), ISO 27001 (many use as an ISMS baseline), and FCA SYSC operational resilience requirements.
NHS organisations must complete the Data Security and Protection Toolkit (DSPT) annually. Suppliers registered with NHS England (formerly NHS Digital) are typically required to hold Cyber Essentials Plus. Health data is special category data under UK GDPR Article 9, which imposes the highest protection obligations.
Retailers processing payment cards must comply with PCI DSS. E-commerce platforms collecting customer data face UK GDPR obligations. Many retailers pursue Cyber Essentials to demonstrate baseline security to enterprise customers.
CNI operators (energy, water, transport, digital infrastructure) are subject to the UK NIS Regulations and are assessed by their sector competent authorities against the NCSC Cyber Assessment Framework (CAF). NIS2's wider scope also reaches UK organisations in the supply chains of EU entities.
From Gap to Certified
Compliance Gap Assessment
We map your current controls against the requirements of your target framework(s) — identifying gaps, overlapping controls across multiple frameworks, and quick wins that improve multiple compliance positions simultaneously.
Controls Mapping & Remediation
We translate framework requirements into specific technology controls — mapping each requirement to the right product from our security portfolio, prioritised by risk impact and implementation effort.
Evidence Collection & Documentation
We help document policies, procedures, and technical controls in the format required by auditors and certification bodies — from ISO 27001 Statements of Applicability to PCI DSS network diagrams and risk treatment plans.
Certification & Audit Support
We accompany you through the formal certification process — preparing responses to assessor questions, managing evidence requests, and resolving findings — to achieve certification with the minimum number of audit cycles.
Which frameworks apply to your organisation?
A compliance gap assessment identifies your obligations, maps your existing controls, and produces a clear remediation roadmap — so you can achieve and maintain compliance without duplicating effort across frameworks.
