Case Study: International Law Firm

Learn more about how CRMG helped a prestigious law firm specialising in construction and insurance law secure ISO 27001 certification.

ISO 27001 certification is now a must for many organisations, especially those that gather and store large volumes of sensitive data.

This globally recognised certification can be granted to businesses in a wide range of industries, and at CRMG we had the pleasure of working with an international law firm specialising in construction and insurance law in its effort to apply for and achieve ISO 27001 certification.

The company was mature in its approach to cybersecurity but knew it had work to do if it was to meet the requirements needed for approval.

An essential step in achieving ISO 27001 certification is having an Information Security Management System (ISMS) that applies to the enterprise and covers offices, people, assets and third parties. When the company approached us, it did not have an ISMS in place.

There were other challenges to overcome, too. The geographies in the scope of the company’s ISMS were diverse, with each having its own local business demands and different levels of cybersecurity maturity. There was also a need to highlight the benefits of certification in order to gain commitment and motivation from the different business units.

To learn more about how CRMG worked with the international law firm to support its ISO 27001 certification, and the result of the collaboration, read the full case study below.

➡️ CRMG Case Study

Meet Our Leadership Team

At CRMG, our senior leadership team brings a rich history and deep expertise in cyber security. Spearheaded by consultants who are influential figures in the industry, our leaders are highly networked and well-established, with backgrounds in the ‘Big Four’ firms.


Simon Rycroft

CO-FOUNDER AND CEO

Former Head of Consulting at the ISF. On a journey to bring accessible risk management to growing enterprises.

Nick Frost

CO-FOUNDER AND CHIEF PRODUCT OFFICER

Former Group Head of Information Risk, PwC. Motivated by the need to implement cyber risk principles for the real world!

Dan Rycroft

DELIVERY DIRECTOR

Former Head of Delivery, Cyber Security at DXC. Delivers risk-based cyber security programmes with maximum efficiency.

Matt Brett

DELIVERY LEAD – CYBER RISK SOLUTIONS

Former Portfolio Director, Tech Security & Risk, GSK. Specialises in implementing efficient, pragmatic cyber risk solutions.

Martin Tully

DELIVERY LEAD – GOVERNANCE AND COMPLIANCE

Twenty years’ experience in delivering fit-for-purpose cyber governance initiatives.

Louis Head

CONSULTANT – GOVERNANCE AND COMPLIANCE

An expert in everything ISMS-related, and how compliance works in practice.

Guy Asch

COMMERCIAL DIRECTOR

A seasoned Commercial Director, driving P&L business leadership through innovative strategies.

Ryan Hides

DELIVERY LEAD – THIRD PARTY RISK MANAGEMENT

Project Management and Six Sigma expertise. Specialises in turning effective third party risk management into a scalable reality.

Sarrah Ahmed

HEAD OF MARKETING

Bringing 17+ years of marketing expertise, passionate about crafting innovative marketing campaigns.

Understanding the Proportionality Principle in DORA: A Balancing Act for Financial Entities

If you’re familiar with the EU Digital Operational Resilience Act (DORA), you’ll know it is framed in prescriptive language. However, within its detailed mandates, it also includes principles like this:

“Financial entities shall use and maintain updated ICT systems, protocols, and tools that are appropriate to the magnitude of operations supporting the conduct of their activities, by the proportionality principle as referred to in Article 4.”

In essence, Article 4 instructs financial entities to implement DORA’s requirements in a way that takes into account their size, overall risk profile, scale, and the type of services and operations they conduct. That’s a lot of subjectivity to work with.

This isn’t new for those well-versed in cyber security risk management. We’ve been using risk profiling to shape our security programmes for years. The term criticality is second nature to us. We’ve developed methodologies to quantify business impact and are accustomed to the language of threats, vulnerabilities, and controls, ensuring that security measures are proportionate to the risks we calculate.

Applying the Right Level of Resources

One key challenge for organisations is understanding how much resource allocation is required to meet DORA’s requirements. Some organisations may assume they need to dedicate extensive resources to compliance when, under the proportionality principle, they may fall into a category that demands a more measured approach. The thresholds outlined in DORA ensure that smaller or less complex organisations are not overburdened but instead apply a level of security and resilience appropriate to their specific risk landscape.

Conversely, organisations must also avoid underestimating their obligations. While proportionality provides flexibility, it does not mean minimal compliance. Each entity must carefully assess its position within the regulatory framework and ensure that its resource allocation is justified, efficient, and aligned with its true risk exposure.

For Mature Governance and Risk Functions

The subjectivity in DORA’s proportionality principle should be manageable for financial entities with well-established governance and risk management approaches. Many larger organisations already have the methodologies in place to assess risks in a structured manner – and to implement controls that are aligned with their risk profiles. These organisations will naturally integrate DORA’s requirements into their risk frameworks without much friction.

For Less Mature Organisations: No Easy Escape

However, for less experienced organisations or those without robust risk governance structures, the proportionality principle might seem like a loophole for a ‘light-touch’ approach. Some may attempt to use Article 4 as a justification for minimal compliance, arguing that they are tailoring their strategy according to their size and risk profile. In the long run, this approach won’t hold up under scrutiny.

Why? Because any decisions made under the proportionality principle (Article 4) will require backing up with sound logic and evidence. And to provide that evidence, organisations must:

  • Conduct thorough risk assessments
  • Apply reasoned judgment about security decisions
  • Develop clear documentation detailing exactly how they arrived at their conclusions.

Without these elements, regulatory bodies will likely challenge whether an organisation genuinely applies DORA’s proportionality principle in good faith.

Best Endeavours vs. Reasonable Endeavours

A helpful way to think about DORA compliance is in terms of best endeavours versus reasonable endeavours, a concept often seen in legal compliance. Regulators won’t necessarily expect perfection, but they will expect an organisation to demonstrate that it has taken its obligations seriously. This means that even if some aspects of an organisation’s approach are later deemed to be flawed, they must show that they acted with diligence, applied the right level of resources based on their risk environment, and made informed decisions throughout the process.

Failing to provide evidence of effort and structured thinking will make it challenging to claim proportionality as a defence in the event of an audit. Organisations must ensure they can substantiate their decision-making processes, proving that they acted in good faith and aligned their approach to the risk profile they determined.

The Opportunity within DORA

DORA is more than just another regulatory requirement—it represents a real opportunity. If approached correctly, it can act as a catalyst for significant improvements in:

  • Operational resilience
  • Cyber security and risk governance
  • Risk management effectiveness
  • An organisation’s ability to withstand external scrutiny.

When treated with care and respect, the proportionality principle allows organisations to implement DORA efficiently and in accordance with their unique risk landscape. However, it should never be misinterpreted as an excuse to do the bare minimum.

Different Approaches for Different Organisations

How an organisation reacts to DORA will depend heavily on its nature and business model. Large multinational financial entities with complex infrastructures will inevitably need a more rigorous and layered approach than smaller, more niche firms. However, regardless of size, the fundamental expectation remains the same:

Assess criticality and risk. Document your decisions. Be prepared to justify them.

The proportionality principle within DORA offers flexibility, but with flexibility comes responsibility. Organisations that properly leverage this principle will find themselves in a stronger position—not just for compliance but overall operational resilience. Conversely, those who see it as an easy way out may face increased regulatory scrutiny.

DORA challenges financial entities to prove they have taken a structured, risk-based approach to ICT and cyber security resilience. Whether you are a large or small entity, you must navigate the subjectivity of proportionality with diligence, thus ensuring that your security measures are appropriate, evidence-based, and defensible in the face of evolving threats and regulatory oversight.

The Cyber Resilience Act: Implications for Businesses

Strong cyber security is crucial for companies across all industries as cyber attacks become more sophisticated and pervasive. In response to this growing issue, the EU is introducing the Cyber Resilience Act (CRA), a legal framework to improve cyber resilience across the EU’s digital ecosystem. Unlike other regulations that focus on specific sectors or types of services, the CRA applies to a broad range of digital products and services, ensuring that cyber security is integrated at every stage of the product’s lifecycle.

Understanding the Cyber Resilience Act

On September 15, 2022, the European Commission presented the Cyber Resilience Act, an ambitious effort to standardise cyber security regulations for digitally enabled products. The CRA aims to accomplish the following by establishing a uniform baseline for cyber resilience:

  1. Strengthen security for all digital products: Many digital products now available on the market lack proper security features, making them vulnerable to exploitation. For example, smart home devices such as connected thermostats or security cameras can be particularly susceptible to cyber attacks if not properly secured. To address this, the CRA requires secure development techniques, vulnerability management, and security standards at every stage of a product’s lifespan.
  2. Empower customers and companies to make informed decisions: The cyber security aspects of digital products are often not prominently featured, making it difficult for consumers to assess their risks. The CRA helps both businesses and consumers make informed choices by requiring greater transparency regarding these products’ cyber security features.

The CRA sets mandatory cyber security standards for digital goods producers, distributors, and operators to accomplish these objectives.

Timeline and Important Compliance Checkpoints

Businesses should be aware of the following significant dates and milestones as the CRA moves through the EU legislative process:

  • Political Agreement: After several revisions and stakeholder engagements, the European Commission reached a political agreement on the CRA on December 1, 2023. This agreement shows broad support for the CRA’s goals.
  • Compliance Window: Following legislation, companies will have specific deadlines to comply:
    – 21 months: To fulfil the CRA’s event and vulnerability reporting obligations.
    – 36 months: To ensure complete adherence to all CRA regulations, particularly those about EU certification, secure development procedures, and transparency.

Businesses may organise compliance activities using this staged timeframe, but early action is essential to prevent disruptions.

Implications for Businesses Across Sectors

The CRA impacts various businesses that deploy digital products, with software and hardware developers likely to be the most directly affected. The CRA’s provisions also extend beyond the European Union, meaning that non-EU companies that offer digital products or services within the EU market must also comply with the CRA’s requirements. This means that any business, regardless of its location, must ensure its products meet the CRA’s cyber security standards if they are to be used within the EU. The following summarises the potential effects of the CRA on different business types:

1. Vendors of digital services and technology providers

The CRA places strict standards on businesses that create software or offer digital services, including secure development, vulnerability management, and regular updates. Technology providers must prioritise vulnerability reporting and implement secure coding practices to reduce security risks across widely used platforms and applications.

2. Manufacturers of IoT devices and hardware

Security elements must be incorporated into the design and development stages for manufacturers of digitally integrated hardware, including Internet of Things (IoT) devices. These companies might be scrutinised, particularly if they produce “high-risk” goods affecting public safety, healthcare, or vital infrastructure. The CRA may also require hardware modifications to guarantee safe, future-proof goods that meet EU standards.

3. Distributors and Retailers of Digital Goods

Distributors and retailers contribute to cyber security by ensuring their goods meet CRA regulations. They must also enable traceability, keep up-to-date records of cyber security features, and inform customers about the security characteristics of their products.

4. Healthcare Providers and Critical Infrastructure

Cyber threats can target organisations that oversee vital infrastructure, including transportation, healthcare, and energy. The CRA establishes a requirement for strict incident response procedures and monitoring of real-time cyber security metrics for these industries.

5. SMEs (small and medium-sized enterprises)

Despite the CRA’s broad applicability, SMEs may encounter difficulties because of limited resources. The CRA encourages SMEs to implement basic security procedures that improve resilience without putting an undue financial burden on them.

How to Prepare for CRA Compliance

As the CRA and associated implementation guidance develops, businesses have an opportunity to take the initiative in aligning their operations, services and products with the requirements of the Act.

Ryan Hides outlines his top five key areas of focus for businesses to ensure they’re CRA-ready:

1. Risk Management and Assessment

Conduct thorough risk assessments to identify potential vulnerabilities in your systems and processes. Implement robust risk management strategies to mitigate identified risks and ensure continuous monitoring to adapt to new threats. The CRA requires that manufacturers incorporate security measures from the design and development phases to ensure products have fewer vulnerabilities.

2. Data Protection and Privacy

Ensure that all data, especially personal and sensitive information, is adequately protected. Implement strong encryption methods, access controls, and regular audits to comply with data protection regulations and safeguard against breaches.

3. Incident Response Planning

Develop and maintain a comprehensive incident response plan. This should include clear procedures for detecting, reporting, and responding to cyber incidents. Regularly test and update the plan to ensure it remains effective against evolving threats.

4. Employee Training and Awareness

Invest in regular training programmes to educate employees about cyber security best practices and the importance of compliance. Foster a culture of security awareness to reduce the risk of human error and insider threats.

5. Vendor and Third-Party Management

Evaluate and manage the cyber security practices of vendors and third-party partners. Ensure they comply with CRA standards and integrate their security measures into your overall cyber security framework to prevent supply chain vulnerabilities.

The outlook for cyber resilience and the CRA

The Cyber Resilience Act is a proactive step towards creating a more secure digital future for the EU. In addition to avoiding fines, CRA compliance helps businesses build consumer trust, improve brand reputation, and lower cyber risk.

Compliance with the CRA sets the foundation for a resilient future in which security is integral to every digital product and service offered within the EU.