S2 E31: Why ISO Makes Sense Even Without a Customer Requirement


Transcript

Jordan Eisner: Welcome to Compliance Pointers. I’m your host, Jordan Eisner, here in video in the virtual flesh. Once again, with David Forman, my friend and CEO of Mastermind.

Hey, David, good to have you audibly and visually.

David Forman: Thanks, Jordan. I guess I didn’t do well enough last time to be actually invited to CompliancePoint offices, but I’ll try harder today.

Jordan Eisner: Well, we can’t just give it to you all at once. You know what I mean? You probably deserve enough of it, but we got to keep you stringing along a little bit, or else you’re just going to ditch us like a bad habit.

David Forman: Like a give-and-take relationship, playing hard to get. Thank you.

Jordan Eisner: Exactly. For our listeners, if you don’t recall from the original podcast with David, he’s CEO of Mastermind. Mastermind is a certification body accredited to assess and certify governance programs against standards established by the International Organization for Standardization, also known as ISO.

Mastermind is the first company in the United States to focus exclusively on ISO certifications, which is one of the most trusted forms of third-party assurance used by technology service providers.

Before founding Mastermind, David began his career at EY, and he also built the global assurance team at Coalfire. He increased practice revenue by more than 30X over a seven-year period, transforming the in-house certification body into one of the largest assessment practices in North America.

He’s a certified lead auditor for ISO 27001, 9001, 27701, 22301, and 42001. Probably by the time we’re done with this, maybe another one.

David Forman: Thank you. A lot of confidence.

Jordan Eisner: Yes. On 42001, David, correct me if I’m wrong, but Mastermind was the first official to be able to perform those certifications, correct?

David Forman: Yes. The official term, first to be accredited in the world by any of the recognized accreditation bodies under the IAF, we’re starting to see a few others pop up, namely through ANAB as of this week. It’s exciting to see that the market is starting to expand.

Jordan Eisner: He also wants our listeners to know that he has a deep passion for sushi. I texted him just earlier today about a place I went to in LA, and he was already well-versed in it. Made me feel even better about how much I enjoyed it.

David Forman: Sugarfish has been around for a few years.

Jordan Eisner: It’s good for our listeners. Sugarfish, LA, highly recommend it. Hope that’s okay to say.

He’s an enthusiastic world traveler, been to 49 countries and counting.

David Forman: Yeah, give me about, I made four more months here, I’ll hit the 50 mark. I’m excited about an upcoming trip to the Caribbean.

Jordan Eisner: I’m just Jordan Eisner, just VP of Sales at CompliancePoint and podcast host of Compliance Pointers.

We’re going to talk about ISO standards as you would imagine 27001, 27701, 42001 specifically. But really the theme is why implementing these frameworks can be a good idea even if you don’t have any external pressure requiring it, downward pressure, client requiring it, partner, so on and so on.

Why is it just inherently good to build a program around these?

Let’s start right there. Why would an organization put themselves through an ISO audit, any of them, David, without somebody saying you have to do this without some sort of, I guess, direct risk to revenue?

Maybe that’s a cynical viewpoint for me. But a lot of times, just doing this for a long time, it’s usually some sort of risk to revenue.

Now, there’s the obvious one. If you have more controls, less loss can happen. But I mean, a more direct risk to revenue. If you don’t do this, you lose this client, you lose this business, that sort of thing.

David Forman: Yeah. I think you’re touching on, I’ll reframe this as just why do companies go after ISO certification? We’re talking about three management system standards as we call them. If you’re unfamiliar, 27001 is an information security management system, 27701 is a privacy information management system, and then the new 42001 is AI management system.

They all follow the same structure. The use case, I’ll say 80 percent of the time is exactly what you’re talking about. There’s an external driver there, meaning you call it risk to revenue. So we’d say that’d be more or less table stakes, like a direct competitor already has these certifications, and they’re throwing it in your face as being, you should work with us because we have more trust behind it, and you now have to level up to that benchmark.

Or there’s the flip side of it where it can be more of a revenue enabler, maybe you’re early to market, especially 42001 is a new standard. So there’s very few certificates that have been issued so far, and you might look at it as a revenue differentiator. You can sell with it.

But then you have this third use case, which is about, I would say, 20 percent of the time, it’s an internal driver. Your question is rooted in, why might that be an internal driver? Who wants to sign themselves up for audits? Let me start there. You can adopt any of these ISO frameworks and not get certified. There’s no requirement that just because you go buy a license to ISO 27001 per se, go implement it fully, that you still have to go through a certification audit.

You do not have to do that exercise. You can just use it as a framework to adopt it and align to.

Now, why might you do that? Well, hopefully, you are using some common scheme or framework when you are building your security organization or building your privacy organization. You’re not just shooting from the hip and thinking, hey, it’d be nice if we had a privacy policy on our website.

Hey, it’d be nice if we had some acceptable use policy or some policy on regulating whether or not our employees can use ChatGPT as part of their regular work.

We need to be thinking about these in some structured framework.

That’s where I think ISO standards are actually really good. Because there’s a component of them that I’d say that a lot of security practitioners debate all the time. But they’re intentionally high-level. So it can be viewed as a pitfall. It can be viewed as advantageous as to why you would adopt ISO standards.

But it doesn’t get down to, for example, passwords where we talk about character length limits. It just says you need a strong or secure authentication mechanism. That could be a password. That could be something else. It doesn’t say you have to have eight characters in length. It doesn’t say you can’t use the last three passwords, etc. Whereas some of these other frameworks are a little bit more rigorous or prescriptive in nature for these given controls. So it allows for flexibility.

I always say whether you’re a two-person startup, or you have 200,000 employees worldwide, ISO standards can be flexible to adapt to your risk landscape or who you are as a business.

Jordan Eisner: I like the ability to rotate passwords. Personally speaking.

David Forman: Generally, best practice.

Jordan Eisner: I don’t have a lot of tricks, David. I need to recycle some here and there.

David Forman: Capital letter, maybe throw an exclamation point at the end.

Jordan Eisner: Here and there. Yeah, exactly. Exclamation point has to be the most common one. Especially character.

David Forman: I don’t have the official data point on there. There’s going to be some security god practitioner that watches this, and they’re going to be able to fact-check me. So I’m not going to opine on this.

Jordan Eisner: Yeah, that’s a good point. For those listening, I always use non-exclamation points in my passwords.

So you talked about management system there. How does that help organizations prepare for the unexpected? That’s the whole point of a lot of this, is what you’re trying to avoid, and that’s the unexpected.

David Forman: Yeah, it’s interesting when you say it back to me, I realize that I probably should be using more layman’s terms. So management system is a very specific ISO glossary item. What we actually mean when we say management systems, putting it in terms more common to other frameworks, it’s just governance.

And so if you understand, I’ll say, the foundations of a good governance program, then you can address officially any of the risks that are ingested by that governance program.

So I kind of rephrase that a little bit. If you understand you are building a policy suite, just for example, and it’s going to address basic information security of your employees and whatever is their day-to-day operations, that policy suite should be designed based on whatever you see as the risk to the environment.

So in this case, employees are bad actors, employees are negligent, and they’re accessing websites they shouldn’t access. They’re creating data leakage out of, again, negligence, or just poor information security practices. You create design, AKA a policy, to meet that underlying risk.

So your question is, isn’t the point of a management system, AKA a governance program, isn’t it designed to kind of flex? And that’s exactly kind of what we check for when we do a certification audit.

Again, not a requirement. You go through a third-party audit.

But my objective as an auditor is I’m looking at, one, your specific risk landscape as your business. So again, a two-person organization versus a 200,000-person organization is going to look very different on what that risk landscape might be.

And then I’m looking to see, hey, is that governance program, I’ll say, sufficient in terms of who’s participating in it? What is the competency of that participation? But also, do they have adequate resources in terms of technologies, policies, even outsourced suppliers to actually meet the demands of their risk landscape?

So to your point, let’s use a very common example. A new law emerges. We see legislation all the time. And it says, you have to respond to a data subject access request within three business days from receiving that inquiry from a data subject. Do you have the appropriate tools to help you meet that new demand? Maybe previously it was 30 days.

And so that’s what we’re looking for in terms of evaluating a management system or governance program is, can this management system flex based on, I’ll say, anticipated changes that the external environment might bring into it?

And so that’s, again, why you want to focus really on the foundations, the governance, versus trying to get too much into the weeds of these controls early on.

Jordan Eisner: So another way for me, simple-minded, to put it: it’s tailored to your specific risks and threats. And that’s what I’ve always liked about ISO as opposed to starting with, here’s a bunch of policies that work for all these different organizations, one size fits all. It’s like, here’s some general practices. But let’s first understand your organization, your scope. What are the risks and threats to that? And then we build the governance layer, the policies, if you will, based on actual things pertinent to you and your business.

David Forman: Yeah, absolutely. Tailor, that sounds like something a salesperson would say. We have a tailored service offering.

But you are correct. Yes, it should not be one size fits all. Now, I’ve seen policy template sets out there. Those can be good to give you a starting point. But you should challenge those. It can be a delete exercise even in some cases to find stuff that’s not applicable to your environment. Or you might need to beef it up and enhance those requirements, especially if you feel like they aren’t addressing, again, that underlying risk that’s pertinent to your specific organization, the data you encounter, and the type of services you deliver to your end customers.

Jordan Eisner: So shifting gears a little bit, I just got back from a privacy security and risk conference. And there’s a lot of company culture talk, a culture of security, a culture of data privacy. How can ISO help with that? How can ISO be used as a vehicle to enhance or increase company culture around the issue of security, the issue of privacy, the issue of how AI is being leveraged and utilized?

David Forman: Yeah, let me speak of this from an audit perspective first. And then I’ll get more into the advisory and implementation side of it, if you don’t mind.

From an audit standpoint, one thing that we’re looking for during initial certification audits, like stage one and stage two audits, is we’re trying to just keep this warm and fuzzy feeling as an auditor that this management system is being maintained, and there’s accountability kind of across more than one person.

And what I mean by that, just to give you a true anecdote here, is there’s been several cases over my career where we’ve done these initial audits. And it’s the Jordan Eisner show. He was the one that originally decided they were going for it. They wanted to get certified at ISO 27001, one-man shop in terms of a GRC function or security organization, built all the policies himself, went and implemented them himself. His name is the control owner on whatever internal spreadsheet across all 93 controls.

And we look at it and we say, it’s not necessarily wrong, but we do ask the question now, where’s the supporting cast members, especially if the organization’s more than like two people. So we’re always looking for this kind of endorsement or sponsorship from not only top management or leadership in the organization, but also from kind of, we’ll say comparative departments, even if they aren’t necessarily an InfoSec or GRC kind of traditional function.

And so to answer the question on like privacy security culture, one of the things I recommend when an organization is saying, hey, like we’re considering a framework and we want to go through our first kind of third-party assurance exercise, why ISO 27001? Just use that as an example.

I’ll say, well, it’s great from a controls perspective because those controls cover so many different domains or functions within an organization. It’s one of the only frameworks I’m aware of from, you know, kind of an information security standpoint that’s going to touch HR, it’s going to touch procurement, it’s going to touch your facilities team if you have on-site premises, it’s going to touch your engineers. And then, of course, it’ll touch like legal, GRC and kind of like traditional security functions.

And inherently, how that framework is set up, you cannot be successful in even a small organization unless you are engaging your peers in these other departments. Because simply put, like, you’re just not going to control the day-to-day. And 27001, in this case, it requires you to have operational control over the day-to-day.

So to your question around security and privacy cultures in a company, ISO, in my opinion, it almost demands participation in some form or fashion from these other groups. And so all of a sudden, when you go say, hey, guys, we got ISO 27001 certified, everyone’s high-fiving and clapping each other because they all participated in it. It wasn’t just Jordan Eisner’s little pet project he’s been working on for the last nine months. So I like that element of it.

Now, are these other kind of comparative functions required to be involved as heavily as, you know, the head of security? Absolutely not. But they still feel like they have some skin in the game from it. And I think that starts driving the culture element you’re talking about. And then, of course, this trickles down to team leads. And then eventually, your lowest level employees who all feel like they have some part of the compliance initiative as well.

Jordan Eisner: Now, I want to segue that in the next question. Because that makes sense.

More ownership, ultimately, on the organization becoming certified. Can’t be a one-man show. Can’t be a stopgap there. It’s the age-old what happens if that person wins a lottery and leaves.

David Forman: You’re more optimistic than me. I always go negative, they get hit by a bus.

Jordan Eisner: You know, that’s the old one. But I don’t hear people say that one as much, I guess. I like it, David. I like the continuation of the old traditions on that one, too.

You never know, you say that to the wrong person these days.

David Forman: Many people have gotten hit by a bus, I guess. Probably shouldn’t talk about that.

Jordan Eisner: Yeah, you got to say to the person, that’s not what we wish for them in most cases. It’s just a scenario. It’s a hypothetical.

But OK, my point, you’ve got the culture. That’s great. Multiple people involved. More ownership. These frameworks change. And the businesses that are certified against them certainly change. They evolve. There’s a need for ongoing or continuous improvement, or at least adaptation as an organization evolves. To me, that’s part of a culture of privacy. That’s part of a culture of security.

I would imagine ISO has an answer to that, if it can be a baseline and it can foster more ownership and culture around these things. It’s going to have to have pieces of it for continuous improvement.

So talk to me about that.

David Forman: Yeah, so you’re touching on, obviously, a very, I’ll say, a large principle of ISO standards, which is this idea of continuous improvement, continuous improvement cycle.

It was formerly more commonly referred to as Plan, Do, Check, Act, the PDCA model, if you’ve heard that in the past. But how I would think about this is, from an audit point of view, when we are assessing whether or not to initially certify an organization to one of these standards, one of the things we are looking for, and this is definitely a read between the lines for the requirements, is what we call staying power of the standard and staying power of the management system post-certification.

And what I mean by that is there’s a three-year commitment when you think about going through an ISO certification audit with an accredited certification body. If you get certified, you get a certificate after a positive decision on stage two, and then that certificate’s issued with an expiry date three years out from that issuance date.

But it comes with this certificate agreement or requirement for annual surveillance reviews or monitoring audits. Those surveillance reviews, what we’re looking for is continuation and maintenance of the management system.

And to your point, a business changes 12 months at a time. Even a small business, you’re going to have very different customer profiles, revenue risk, new employees are coming on board. Maybe you introduce a new product line, maybe you go through M&A, maybe you start getting involved with other geographies, and those geographies bring with them different legal ramifications as well.

All these kind of elements of a growing or even dying business will change the underlying risk landscape. And from that, the management system or governance program should be able to adapt. We talked about it flexing beforehand.

And so one of the things we’re evaluating for as an auditor is also your future state, which is frustrating for some compliance professionals. One of the most common controls, just as a quick aside, is around outsourcing development. And an organization today might say, we don’t do any outsource development. We don’t have outsourced developers. You’re like, awesome. And they’re like, it’s out of scope for us. You’re like, is it? And they’re like, yeah, we don’t have any outsourced developers. And you’re like, well, what if you engage outsourced developers over the next 12 months between our annual external audits? They might say, well, I would do x, y, and z in order to onboard those outsource developers. And you’re like, cool. You just explained to me control design. That means you’re doing it. They just don’t have any records of operating effectiveness because you don’t have any developers today that are outsourced.

And we always try to challenge companies who are going through that initial certification to think, again, about possible future state implications over roughly a 12-month time frame.

Another common example is business continuity and disaster recovery. One might say, hey, I don’t have an additional AZ within my Amazon region for AWS. And we only are in one AZ. And I’ll be like, are you actually in one AZ or not? There’s some typically built-in redundancies. But they say, yeah, we don’t actually go test a warm site for redundancy every 12 months or something like that.

Not a problem. Can we do some sort of tabletop exercise instead? And we think about it more from just the what-if scenario. We don’t actually have to go through a live test just to show that we do have some mechanisms in place for redundancy in the case of a failover, if that’s the case.

So we, again, challenge this to think about what could possibly impact the business, the program, here over the future state.

You were giving an example of just thinking about it more from maybe an emerging regulation standpoint, which I think is probably very pertinent, especially for US-based customers.

We always are kind of on the tail end of this somehow. But when you look at the EU, there’s a lot of new initiatives coming out there around not only digital assets. We saw AI systems for the EU AI Act. But also, even just looking at the evolution of the GDPR since it went into force in 2018, it feels like the US is finally kind of catching up.

And we’re talking about a federal privacy law now that’s kind of in draft and is being discussed as having bipartisan support. That’s awesome. But what happens if this stuff goes into effect tomorrow and you’re kind of playing catch-up, or it goes into effect and they say, you have three months to basically get compliant with it? Does your governance program allow for you to make these kind of swift decisions, actions? If not, then we might have some observations there from an audit point of view in terms of whether or not you’re actually built for resiliency.

So I always try to think of these management systems as beyond just like the standard. Like, I’m not going to give you a finding for something that’s not written in the standard. But I do try to think about them from the standpoint of like, can they actually match the growth that you’re expecting for your business?

Jordan Eisner: Well put. So we’ve established with ISO, it’s tailored or custom. In a sense, the framework is going to look at it that way.

David Forman: Risk-based. That’s what we would say.

Jordan Eisner: Risk-based. It wants to understand your risks, your threats for your business, and then build the management system, the policy suite, the governance from that.

It calls on company culture to improve around the area that’s subject, security, privacy, AI management by creating redundancies or more ownership.

And now it’s got, or now you speak to, the continuous improvement nature of it as an organization evolves or even as the regulatory landscape evolves. So pretty good stuff for an organization, whether they’re forced to do it or not.

Maybe this is a good ending question because some of our listeners might already have a framework they’ve adopted. They might already have an annual SOC 2 audit. They might be a NIST shop or something else out there. HITRUST. I don’t know.

So they’ve already adopted a control set. Do they need to backtrack into one of these ISO standards? Can they borrow? What would you say to somebody considering ISO or the benefits of ISO that’s already set up on one of those mentioned frameworks or another?

David Forman: You used the word backtrack. I feel like that’s such a fighting word. It’s like, who’s going to backtrack their security system?

But the obvious answer, obviously, you don’t need to regress your system. You don’t need to become more immature to become conforming to ISO 27001 or any of these other ISO standards. But if you look at ISO 27001, 27701, 42001, these are all standards that have a set of controls appended to their actual requirements.

And those controls, if you read them just black and white, they appear very high level, and there’s good and bad with that. But they are designed inherently to be actually control objectives. And those control objectives are meant to, again, get more rigorous based on the underlying risk.

So if you read those controls just black and white, it is not a very secure or privacy protected system, for example. In fact, you should not implement the controls one for one how they are described. You should be, again, tailoring those controls based on risk.

So using our password one again, it’s a secure authentication control. It doesn’t say MFA. You won’t find MFA anywhere in that ISO standard 27001 specifically. But we all know multi-factor authentication is generally a best practice for organizations that are dealing with any form of sensitive or confidential data.

So if we look at the underlying risk and we say, OK, the service or service provider is ingesting or processing sensitive data or PII, something along those lines, we would say pretty automatically, we need to have a better access control mechanism into whatever system is holding this data than maybe a four-character PIN.

So that’s where we kind of start providing scrutiny on these standards. And I always hate it when I see, on LinkedIn or otherwise, someone’s like, ISO 27001 is not security. And it’s like, yeah, it’s not. It’s a governance framework. But also, if you are adopting these controls one to one as they are written and not actually applying them based on the governance requirements found in clauses four through 10 of the standard, you’re going to miss the entire point. Those controls are the starting point.

But you need to, again, tailor it based on the risk that we’re identifying in the system. This warrants an aside here. A lot of organizations, when they first start implementing these ISO standards, they pop open the standard after they buy the license. And they go straight to the controls and start implementing, start writing policies.

That is incorrect. You were supposed to start on the clauses four through 10. Those are the auditable clauses. You start with scope. So you may not do the entire organization. You might just focus on a system.

Then you go through a risk management exercise that identifies that risk landscape we keep talking about. From those inherent risks, we apply controls. And those controls are then mapped to the annex, which through this mechanism is a statement of applicability.

And from there, we determine how we’re actually going to design these controls to adequately and sufficiently address that risk. So if you start with the controls, you just completely failed on the implementation. You have to start with scope and risk management and then move to the controls. Otherwise, those control descriptions will not make sense.

So to answer your question in short, never regress a system. Never make a system more immature just to meet some common framework or scheme, whether ISO or otherwise. But at the same time, if you’re using ISO 27001, as an example, correctly, then you should be improving on or aligning an existing security system to 27001 or to meet it. That’s if you have existing third-party assurance like SOC 2 or NIST, to your point.

Jordan Eisner: Well put. If I were a listener and I just heard that and I were looking into ISO, my next question would probably be, how do I get in touch with that guy? So as a wrap up, David, thank you once again for coming on and joining the podcast. How does a listener get in touch with you and Mastermind?

David Forman: I’m actually going to caveat first. Like, don’t get in touch with me if you just want advisory support, because Mastermind is a pure play certification body. All we do is the accredited certification audits for these standards. We are the end game. We provide the deliverable should you want to get certified.

CompliancePoint, Jordan would be excellent if you need assistance implementing these standards.

If you are ready to go through a certification audit or you have it on your roadmap at this point, you can find Mastermind at mastermindassurance.com. You can also connect with me directly on LinkedIn.

I believe very much, and Jordan, I think you share this, that people buy from other people. I want you to have direct access, a direct line to myself. It is sometimes advantageous to hear from the horse’s, or the auditor’s, mouth here in terms of how they interpret these high-level requirements we just talked about.

And I’m never too good for a 15-minute meeting just to discuss interpretations to make sure that you’re not spinning your wheels and you’re thinking about this correctly.

But yeah, LinkedIn. And you can find me on there, David Forman. There’s no E in my last name. Please don’t do what Jordan did.

Jordan Eisner: That wasn’t me. Depends on what day I was emailing you and how much was going on.

Thank you. I think that’s very clear for everybody.

And if you’re a regular listener of this podcast, you should know by now how to get in touch with CompliancePoint. But in case this is your first time, I’m going to echo David, CompliancePoint.com. You can email us at connect@compliancepoint.com. I welcome any and all connections on LinkedIn if you want to find us that way.

And yes, David, thank you again for indicating that if you’re not audit ready and you’re looking for advisory or readiness-type work, CompliancePoint is set up to do this.

We have a strategic alliance with Mastermind, actually, and prepare and ready organizations for audits by then.

David Forman: Thanks, Jordan, for having me.
