Thursday, 17 January 2019

C3C Team Qualify as Lead Auditors for ISO 9001 & ISO 27001

Chapter Three Consulting are delighted to announce that the team have qualified as Lead Auditors for both ISO 9001 and ISO 27001 and C3C are now able to help clients prepare for ISO 9001 and ISO 27001 certification.

ISO 9001:2015 sets out the criteria for a Quality Management System (QMS) which is a collection of business processes focused on consistently meeting customer requirements and enhancing their satisfaction.

Implementing a QMS can help a business to:
  • Achieve greater consistency in the activities involved in providing products or services
  • Reduce expensive mistakes
  • Increase efficiency by improving use of time and resources
  • Improve customer satisfaction
  • Market the business more effectively
  • Exploit new market sectors and territories
  • Manage growth more effectively by making it easier to integrate new employees
  • Constantly improve products, processes and systems

ISO 27001:2013 provides the requirements for an Information Security Management System (ISMS).

The ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.

An ISMS typically addresses employee behaviour and processes as well as data and technology and can be implemented in a comprehensive way that becomes part of the company's culture.

The key benefits of an ISMS:
  • Helps protect all forms of information
  • Increases resilience to cyber attacks
  • Offers organisation-wide protection from technology-based risks
  • Helps respond to evolving security threats
  • Reduces costs associated with information security
  • Protects the confidentiality, integrity and availability of data
  • Improves company culture

Contact Chapter Three Consulting by calling 0330 004 0020 or email at

Wednesday, 21 November 2018

New GDPR guidance published by the ICO about passwords and encryption under the GDPR

Passwords in online services

At a glance

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.

You should consider whether there are any better alternatives to using passwords.

Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.

There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
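The two requirements above that can be shown in code are storing passwords with a slow, salted hash and slowing down online guessing attacks. The following is an added illustration, not code from the ICO guidance or from Chapter Three Consulting; the PBKDF2 iteration count, the lockout threshold and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example: review them against current guidance
# and the speed of your own hardware rather than copying them blindly.
ITERATIONS = 600_000       # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16            # random per-password salt
MAX_FAILED = 5             # failed attempts before a temporary lockout
LOCKOUT_SECONDS = 300


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    Storing the parameters with the digest lets the work factor be raised later
    without invalidating existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations, compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class LoginGuard:
    """Per-account failed-attempt counter: a basic defence against online guessing."""

    def __init__(self, now=time.monotonic):
        self._now = now                # injectable clock so the behaviour is testable
        self._failures = {}            # username -> (failed_count, locked_until)

    def attempt(self, username: str, password: str, stored: str) -> bool:
        count, locked_until = self._failures.get(username, (0, 0.0))
        if self._now() < locked_until:
            return False               # locked out: reject without even checking the hash
        if verify_password(password, stored):
            self._failures.pop(username, None)
            return True
        count += 1
        locked_until = self._now() + LOCKOUT_SECONDS if count >= MAX_FAILED else 0.0
        self._failures[username] = (count, locked_until)
        return False
```

A real deployment would persist the counters and also rate-limit by source address, since a per-account counter alone does not stop an attacker who spreads guesses across many accounts.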

Encryption

At a glance

The GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.

Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.

Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.

You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.

When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.

You should be aware of the residual risks of encryption, and have steps in place to address these.

Visit the ICO at

Contact Chapter Three Consulting by calling 0330 004 0020 or email us at

Monday, 9 April 2018

GDPR Awareness e-Learning Course

GDPR specialists, Chapter Three Consulting are delighted to announce the launch of the GDPR Awareness e-Learning Course on the Eliademy training platform.
Learning objectives
The EU General Data Protection Regulation (GDPR) aims to give control of personal data back to individuals by addressing modern concerns about data protection in the digital age.
The way we use data has changed significantly over the last 20 years, specifically in relation to how personal data is acquired and dealt with.
Whilst cyber-attacks resulting in data breaches dominate the headlines, the truth is that most data breaches occur due to human error:
  • A dropped memory stick
  • Sending something to the wrong e-mail address
  • Adding data to the wrong Dropbox folder
  • Not following a policy on encrypting data
  • Not taking care of paper files while out of the office

In the digital age in which we live, the associated reputational damage arising from a data breach can be fatal to any business.
Target audience
The course provides a practical application of the GDPR. On completion students will understand the purpose of the GDPR and the best practice processes and procedures that are required to be followed when handling personal data.
The GDPR requires companies to record and monitor employee training and this is a vital aspect of evidencing that a company is complying with the GDPR. The learning platform is ideal for employees and individuals alike.
Course structure
Everyone needs to understand the care they need to take when handling personal data whether it be in the workplace or in their personal lives.
The course contains 8 Units covering:
  • An overview of the GDPR and the rights of the individual
  • The do’s and don’ts for information and cyber security
  • Best practice procedures for data access, handling and records management
  • The risks of mobile working
  • Employee responsibilities under the GDPR
  • Incident management and disaster recovery

There are 8 Assessments, one for each Unit and students are emailed a certificate upon successful completion.
All this for only €49, or use the coupon code GDPR10% for a 10% discount.
Contact Chapter Three on 0330 004 0020 or for group pricing.

Friday, 19 January 2018

Chapter Three Consulting Become ISO 27001 Accredited

Chapter Three Consulting are delighted to announce that they have achieved ISO 27001 accreditation awarded by the British Assessment Bureau.

ISO 27001 is the internationally recognised standard for an Information Security Management System (ISMS) and demonstrates an organisation’s commitment to the security of its customers’ information. With ISO 27001 in place, Chapter Three Consulting are able to minimise the risk of data security breaches and reduce errors and costs, while demonstrating credibility and trust.

An ISMS is a set of policies, procedures, processes and systems that manage information risks, such as cyber-attacks, hacks, data leaks or theft. Businesses have been encouraged to identify risks of all shapes and sizes for many years now, and once identified they must be managed, and risk mitigation must be considered.

Cyber-attacks are increasing in volume and strength daily, and the financial and reputational damage caused by an ineffectual information security system can be fatal. Implementing an ISO 27001-certified ISMS helps to protect an organisation against such threats and demonstrates that the necessary steps have been taken to protect the business.

An IBM survey attributes 49% of breaches to malicious activity, 23% to system glitches and the remaining 28% to human error.

The Standard is designed to ensure the selection of adequate and proportionate security controls that help to protect information in line with increasingly rigid regulatory requirements such as the General Data Protection Regulation (GDPR), the NIS Directive and other cyber security laws.

The benefits of certification to ISO 27001 include:
  • Proving to clients that an organisation keeps their information secure
  • Achieving operational excellence
  • Minimising the risk of potential data security breaches
  • Protecting reputation
  • Reducing errors and costs
  • Increasing business profitability
  • Engaging employees

The Standard also helps businesses become more productive by setting out clear information risk responsibilities and ensuring continual improvement.

Chapter Three Consulting are a business support consultancy who focus on bringing specialist knowledge and expertise to companies who wish to fulfil their compliance obligations.

Providing specialist compliance knowledge and GDPR expertise to SMEs they are able to assist with auditing, managing and maintaining compliance.

Visit the website or call 0330 004 0020 for more information


Tuesday, 21 November 2017

Is your business ready for the introduction of the new General Data Protection Regulation known as the GDPR in May 2018?

A recent IT Security survey found that 61% of UK companies don’t realise that the new Regulation applies to them.

A further study has shown that 21% of senior management have little or no awareness of the effect that the GDPR will have on their organisation, while 31% of the companies questioned had experienced an incident in the last 12 months due to staff negligence or bad practice.

It is essential that companies are made aware of the changes and new obligations in the legislation before May 2018, and time is running out.

The Regulation contains new rights for people to access the information companies hold about them, obligations for better data management and a new regime of fines. Incidents with serious consequences can have fines of up to €20 million or 4% of a firm's global turnover whichever is greater.

Companies covered by the GDPR will be more accountable for the handling of people's personal information. This will include having data protection policies, data protection impact assessments and data mapping showing how the data is processed.

Companies will need to obtain consent and demonstrate why people's information is being collected and processed, providing descriptions of the information that is held, how long it is being kept for and descriptions of the technical security measures in place.

As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals more power to access the information that is held about them free of charge.

To help prepare for the GDPR the ICO has created a 12-step guide which includes steps such as making key people aware of the Regulation, determining what information is held, reviewing current privacy notices, identifying the lawful basis for processing the data and what should happen in the event of a data breach.

Chapter Three Consulting are a business support consultancy who provide specialist compliance knowledge and GDPR expertise. As an ISO accredited organisation their consultants are able to assist in auditing, supporting the implementation of any changes required and maintaining ongoing compliance.

For further information contact us on 0330 004 0020 or email

Tuesday, 4 July 2017

What is GDPR?
The General Data Protection Regulation is a new set of rules that governs the privacy and security of personal data and replaces the Data Protection Act.

GDPR will apply from 25th May 2018 and from this date, all companies must be fully compliant.

Any fines imposed for not being compliant are required to be effective, proportionate and dissuasive and can be up to €20 million or 4% of turnover, whichever is the greater.

The definition of 'Data' is more detailed than before and includes online identifiers such as IP addresses.

GDPR applies to both automated personal data and to manual filing systems where personal data are held.

In summary, if you keep any customer or staff records you will need to comply with the new rules.

Lawful processing
For processing of data to be lawful under GDPR, you need to identify a lawful basis for the processing and document it before the processing takes place.

You are expected to put in place comprehensive but proportionate governance measures, and in some circumstances privacy impact assessments and privacy by design are legally required.
These measures aim to minimise the risk of data breaches, but they will mean that more policies and procedures are required.

How can we help?
We are able to audit and provide a gap analysis to identify where work is required to become GDPR compliant.

We can assist with data impact assessments, provide regular support and audits to prove compliance, and have a comprehensive toolkit to make the process of preparing the required policies and procedures as easy as possible.

Visit or call us on 0330 004 0020 to find out more.

Tuesday, 30 May 2017

Chapter Three Consulting ISO 9001 Case Study - British Assessment Bureau

Chapter Three Consulting are a leading compliance consultancy specialising in Licensing, GDPR, and Health & Safety compliance.

We achieved certification to the internationally recognised ISO 9001 standard earlier this year.

Click on the link to see the British Assessment Bureau’s recently published case study about our success.

The independent assessment was conducted by the British Assessment Bureau, a leading Certification Body, and demonstrates Chapter Three Consulting’s commitment to customer service and quality in delivery.

About ISO 9001

ISO 9001 was first introduced in 1987 and requires organisations to demonstrate that they do what they say they do: that they have a Quality Management System in place to ensure consistency and improvement, leading to high levels of performance and customer satisfaction.

Certified organisations are committed to continuous improvement and are assessed to ensure progress is being maintained.

The benefits of certification to ISO 9001 include:
  • Streamlining an organisation’s procedures
  • Bringing consistency to an organisation’s service delivery
  • Reducing cost and rework
  • Improving an organisation’s management practices
  • Enhanced status
  • Competitive advantage
  • Lower insurance premiums

About the British Assessment Bureau

The British Assessment Bureau’s reputation was established in 1969 as a specialist in certification scheme management. In 1997, the Secretary of State for Trade and Industry approved the use of the word ‘British’ in their title, in recognition of their pre-eminent status.

Today, they certify organisations to recognised standards, including ISO 9001 (quality management), ISO 14001 (environmental management), ISO 27001 (information security management) and OHSAS 18001 (occupational health and safety management).

They also design and manage bespoke assessment schemes. Such schemes are based on the establishment of standards, which can be developed to be recognised company-wide, industry-wide, nationally, or internationally.

Visit us at or call us on 0330 004 0020 for more information about our services.