We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

The CyberSigma Newsletter

Compliance insight worth reading

Sharp, practical takes on PCI DSS, ISO 27001, SOC 2, DPDP and VAPT — from CERT-In empanelled senior auditors. A few times a month, no fluff. Every edition is free to read below.

Compliance insights, no spam. Unsubscribe anytime.

Latest editions

15 editions · updated regularly
The DPDP deadline nobody’s ready for
Edition #15 · DPDP Act

The DPDP deadline nobody’s ready for

India’s Digital Personal Data Protection Act is law. Most teams are treating it like a policy update. It isn’t.

Read now →
Your PCI DSS scope is bigger than you think
Edition #14 · PCI DSS

Your PCI DSS scope is bigger than you think

Scope is the single biggest driver of PCI cost and risk — and almost everyone draws the boundary too small.

Read now →
What auditors actually look for in ISO 27001
Edition #13 · ISO 27001

What auditors actually look for in ISO 27001

It isn’t the size of your policy binder. It’s whether the ISMS is alive.

Read now →
SOC 2 in India: the questions US buyers keep asking
Edition #12 · SOC 2

SOC 2 in India: the questions US buyers keep asking

For Indian SaaS selling into the US, SOC 2 has quietly become the price of entry.

Read now →
The RBI cyber audit findings that repeat every year
Edition #11 · RBI

The RBI cyber audit findings that repeat every year

Regulated entities keep getting written up for the same handful of gaps. Here are the usual suspects.

Read now →
VAPT vs a real attacker: where reports fall short
Edition #10 · VAPT

VAPT vs a real attacker: where reports fall short

A clean pentest report is not the same as being hard to breach.

Read now →
Why “we use AWS” isn’t a compliance answer
Edition #9 · Cloud

Why “we use AWS” isn’t a compliance answer

The cloud provider secures the cloud. Securing what you put in it is still your job.

Read now →
The access review everyone fakes
Edition #8 · Access

The access review everyone fakes

Rubber-stamping a user list once a quarter is not an access review — and auditors can tell.

Read now →
Vendor risk: the breach that starts in someone else’s network
Edition #7 · Third-party risk

Vendor risk: the breach that starts in someone else’s network

Your data doesn’t care whose logo is on the door it walks out of.

Read now →
PCI DSS v4.0.1: the requirements catching teams off guard
Edition #6 · PCI DSS

PCI DSS v4.0.1: the requirements catching teams off guard

The future-dated requirements are here now. Several need lead time you may not have budgeted.

Read now →
Ransomware readiness: the 5 controls that actually matter
Edition #5 · Resilience

Ransomware readiness: the 5 controls that actually matter

You can’t patch your way out of every ransomware scenario. You can make one survivable.

Read now →
The audit evidence you should be collecting today
Edition #4 · Audit

The audit evidence you should be collecting today

The most stressful audits are the ones where evidence is reconstructed at the end.

Read now →
DPDP consent: what “valid consent” actually means
Edition #3 · DPDP Act

DPDP consent: what “valid consent” actually means

A pre-ticked box and a buried privacy policy won’t clear the DPDP bar.

Read now →
Cloud misconfigurations: the silent compliance killer
Edition #2 · Cloud

Cloud misconfigurations: the silent compliance killer

No exploit required. A single wrong setting is often all it takes.

Read now →
How to build a security program your board will fund
Edition #1 · Leadership

How to build a security program your board will fund

Boards don’t buy fear. They fund risk they can see, measure and defend.

Read now →