S3 E8: Selecting the Right ISO Readiness Partner
Transcript
Jordan Eisner: Hello to all our CompliancePointers fans, listeners, and viewers. You see a familiar face on the screen here today and that is David Forman of Mastermind.
Hey, David. How are you?
David Forman: Hey, Jordan. I’m doing well today. A little bit hungry. I haven’t had breakfast yet, but we’re going to make this work.
Jordan Eisner: There you go. Yeah. We’ll be lean and mean so you can eat a nice healthy breakfast or it will be lunch by then and be lean and mean.
Normally, I say that CompliancePointers is brought to you by CompliancePoint because it is, and that’s our consulting firm that I’m a part of and most of our guests are part of.
But David, you’re not part of CompliancePoint directly. You’re part of Mastermind, your own company. This podcast today is brought to you by CompliancePoint and Mastermind.
David Forman: Thank you for that. I would say we’re indirectly involved. I mean, we have a very clear partnership at this point. No, I’m not on payroll for CompliancePoint, but I do feel like I have vested interest in your success.
Jordan Eisner: There you go. Yes, and we appreciate that.
For our listeners and viewers, I’m going to read off the rap sheet that is David Forman and his accolades before we get into these questions today. He is CEO of Mastermind. Mastermind is a certification body. It’s accredited to assess and certify governance programs against standards established by the ISO, International Organization for Standardization. It’s the first company actually in the United States to focus exclusively on ISO certification.
I’m sure most of our listeners are probably aware, but if they’re not, ISO certs are one of the most trusted forms of third-party assurance I’d say used by technology service providers.
Before that, David, he worked for EY, he worked for CoalFire. In fact, he built the global assurance team at CoalFire, increased I think revenue 30X or something over the seven years you were there. David transformed it really into one of the largest assessment practices in North America.
He’s a certified lead auditor. I have this list here, David, ISO 27001, ISO 9001, ISO 27701, ISO 22301, and ISO 42001, which of course is the newer ISO framework around artificial intelligence.
Today, we’re going to be talking about finding the right partner as you prepare for an ISO audit, because you can’t be the cook and the critic with ISO. You’re not supposed to be able to be the cook and the critic in a lot of these assurance frameworks, but ISO is probably the most scrutinizing and serious in terms of holding that line.
David, as an auditor, is going to talk to me, and I’m going to ask him some questions about what he looks for in a readiness partner, which CompliancePoint serves in that capacity for his firm. There’s some familiarity here for this discussion.
David, anything you want to add before we get into these questions?
David Forman: No, I’d say you nailed it. ISO, and I’ll say the ISO family of standards does have this requirement around basically you can’t audit your own work. Thank you, Enron, but ISO was actually first to say that as well. But essentially, the hard rule, it comes from what’s known as an accreditation standard, ISO 17021. It says that basically the certification body, so the auditor, cannot provide any form of what’s known as management system consultancy. That could be pen-to-paper policy procedure development, that could be controls, that could be cloud environment builds, whatever you want to call it, but that’s all consultancy. You can’t do that for any part of a two-year period preceding the audit.
That’s not just the individual auditors working for the audit company, that is the audit company as a whole. There are very strict impartiality requirements there.
Then just to tie back to a few other, I’ll say popular frameworks, FedRAMP has a very similar requirement as well around a two-year cool-off period per se, between consultancy and being able to audit that same scope.
We won’t get into this topic, but FedRAMP is also based on an ISO standard for accreditation, that’s ISO 17020. They all come from very similar requirements there.
Jordan, I do want to call out, you just spouted off about half a dozen ISO standards and you did it. I’m going to say in the colloquial manner, meaning you said like ISO 22301, not ISO 22301. You said ISO 27001, not ISO 27001. You’re getting the hang of this, that’s competency. Very good job.
Jordan Eisner: I do what I can. I also like your Enron reference.
I’ve never told you about the time my dad, who has never worked in corporate America. My dad’s a physician, but this is only a few years ago he was walking around. I was visiting, he was walking around my parents’ house and he had an Enron T-shirt on.
David Forman: I’ve seen a meme I think before of Enron risk management department or something like that, someone will wear a T-shirt like that.
Jordan Eisner: This was a legit one from when Enron was, well, I don’t know that they’re legit, but thought of as a legit company. It was Enron, whatever diagonal E, however it was. I said, where did you get that shirt? He was like, I don’t know, it’s just my shirt.
David Forman: It’s like Goodwill or something?
Jordan Eisner: I was like, you know about Enron, right? He goes, well, yeah, I know they were doing something like that stuff. It was funny. It was just hilarious in that moment. But it’s probably worth something, that shirt.
David Forman: Yeah, I mean, it’s definitely like nostalgia. It’s like if you go back and try to find like an old Apple computer, like T-shirts and like that, people sell that stuff online.
Jordan Eisner: There’s a demand for this generation. My niece is in college and we were on a family trip and she had a Bell South sweatshirt on. I was like, what friend did you take that from? Who took that from her dad? They worked there in the 90s, right?
David Forman: I mean, I’m sure it has like resurgence at some point too. I mean, with any vintage apparel. I mean, me and you are both from Atlanta. So it’s like 1996 Olympics, Atlanta, like T-shirts, like all that apparel is still popular to this day. And it’s been 25, 30 years.
Jordan Eisner: All right. I’m sure we could talk about all this stuff for a long time. It’s probably not what our listeners and viewers want to hear from us, at least.
So like you just said, there, well, you were talking about how I rattled off 27001 and that, but even some of the other things, you know, in this space when you’re talking about readiness, advisory, certification body, auditor, internal audit, risk assessment, management review, there’s many terms in this space and they’re not always clearly defined. So break down some of the differences, right? And set the stage for this conversation when we talk about what to look for in a readiness partner, your certification, you know, but group.
So what are the differences between readiness, implementation, consulting, advisory, advisory services versus assessment, attestation, audit services? Give the listeners and viewers a 101 on those before we dive further into questions.
David Forman: I think the easiest way to explain it is actually start on the audit side because that’s so clear cut. So you mentioned already we’re a pure play audit company based in the US. And all we focus on is accredited ISO certification audits.
So if you ever engage with Mastermind, all we are doing is basically coming out with the objective of is this management system, this governance program, is it eligible to be certified against these normative references, these ISO standards?
So anything else that is not an accredited certification audit, kind of by definition is the other half of this, which is the management system consultant side. So management system consultancy, I keep turning around that term. That is actually a term that you will find in the ISO standards. It’s in 17021 and it’s referenced across the entire like 27000 family, but also the 42000 family as well. You’ll keep seeing this kind of recurring theme within these management system standards. And it covers all these activities you’re talking about.
So if you want to get down to like actual requirements of the standard and like where you can get consulting advice from, developing policies and procedures, like so a scope and boundaries, a risk management methodology for the first time, so some governance elements as well.
But also like I want to help like getting the risk assessment conducted by a third party for the first year. And then I’ll take it over and start updating and maintain that risk register. Maybe I might have a third party like CompliancePoint would come in and perform just the second-party internal audit that is required under these standards as well. That’s still even though it says audit, it’s a form of consultancy to get you ready for that external third party certification body, certification audit under accreditation.
So that’s I think where people get a little bit hung up. But ultimately, like you’re totally right. Like in the professional services profession and consulting, we throw around all these kind of fancy terms like readiness partner, implementation partner, advisory partner. All of that is essentially the same thing in terms of ISO standards. It’s the consultancies piece, getting you ready to go through an accredited certification audit.
Jordan Eisner: If it’s not an external audit, right?
David Forman: If it’s not the third-party external audit, then it is consultancy, even if it is an outsourced second-party internal audit, which can be a little bit confusing.
Jordan Eisner: It’s like that, this is going to be a terrible analogy, but I don’t know the politician that said it, but he was talking about the definition of pornography. And he’s like, well, I can’t define it, but I know what it is when I see it. I know what it is.
David Forman: If there’s smoke, there’s fire, it sounds like.
Jordan Eisner: OK, so where do internal audit services fit into the landscape? You talk about all the readiness, let’s dive into that one. So particularly in distinguishing first party, second party, third party assessments.
David Forman: Yeah, and maybe that’s where we start. So like a first-party audit or assessment is typically a self-assessment. That’s like Jordan controls this thing with his organization. You’re in sales, so you can’t then go perform an audit over sales. Like you run the sales organization at CompliancePoint.
Additionally, a second-party audit might be another internal employee or coworker. It could be outsourced and they are reviewing Jordan’s activities for the sales organization. Well, I think of it that way. That’s traditionally what we would call an internal audit, second party.
Some key characteristics of a second-party audit that often come up is it’s not necessarily independent, meaning maybe you go tap one of your other delivery resources and you say, hey, you’re not in sales, but you do work for CompliancePoint. You can come audit my process, but you’re not totally independent because you want to see CompliancePoint still succeed. You still get paid by CompliancePoint. You might have equity ownership in CompliancePoint. You might want to see them still have success. So from that standpoint, there’s bias with the assessor performing that second-party audit.
And then finally, you have this traditional form of third-party audit, which is traditionally external. That’s how people try to think about it. But internal audits can also be external in theory. And that external audit is typically assigned with independence, where I’m an auditor. I’m coming in there. I have no part in this system that I’m auditing or the scope on auditing. I didn’t put pen to paper on any of this. I didn’t provide consulting advice on it. And additionally, I don’t really care. Like, it sounds bad, but I don’t care if CompliancePoint passes or fails this assessment. It doesn’t hurt me individually. It doesn’t hurt our company individually as well. So it’s that idea of independence.
Jordan Eisner: Yeah, and that’s part of what makes it so difficult to… Because I’ve seen a lot of times organizations come to say, well, you know, we got a bad mark or non-conforming or whatever it’s called because our internal audit wasn’t independent enough.
David Forman: Yeah, I’ve seen that before. So the standard actually doesn’t require independence. It doesn’t require independence on behalf of the certification body. So I use it interchangeably here in discussions like this, like independence with impartiality, which is actually the requirement.
Impartiality of a certification body, say you’re a publicly traded company at CompliancePoint, I can have stock in CompliancePoint and still audit you. Like that is permissible for an ISO conformity audit. It is not permissible under like SEC rules if I was to do a financial statements audit of you and you’re a publicly traded company. And so that’s where you have to kind of separate them.
Now, the finding you’re talking about as part of the second-party audit, the internal audit that’s found in clause 9.2 of these standards, it does not require independence. It doesn’t require even impartiality. All it requires is that you are not able to, I think it says the auditor must be able to opine over the scope objectively, meaning you can’t audit your own work.
So theoretically, if Jordan was responsible for the sales organization at CompliancePoint and he wants to have another salesperson do parts of the internal audit that that salesperson individually never actually influenced, they could do that. And then Jordan could then audit the pieces that he wasn’t technically responsible for, maybe only an accountable party. So you can get creative on how an internal audit works as long as you’re not auditing personally your own work.
Jordan Eisner: OK, that’s helpful. So when selecting a readiness partner, if you decide, OK, I could do this internally, right? The first or the second. But I want to do a third-party internal audit or third-party services in general readiness. So what qualities should an organization prioritize to ensure good fit?
David Forman: Yeah, and so there’s actually two key requirements that we’re looking for as a certification body when we’re assessing internal audit and whether or not that activity was done well. So the first one really is that objectivity piece we just talked about. But the second piece is competence. So you’re getting more and more competent by the podcast episode. So you’re able to start talking about these ISO standards more and more colloquially.
But in all reality, like ISO is it’s not difficult. I always say it’s just nuanced and that nuance comes with competence as well. So if you break down the definition of competence, it’s a combination of skills or knowledge with experience or exposure. And so the run-of-the-mill internal auditor or internal audit department at a company that’s first implementing ISO 27001 just use as an example, may not have internal staff that are competent, meaning they have the knowledge in addition to the experience or exposure to go assess ISO 27001.
Now, they might understand what a risk is and a control is, but are they going to be competent enough to understand the management system references found in clauses four through 10 that really make up the meat of the standard? Probably not without some sort of additional training.
So what you see in theory or in practice often is first-time certification clients or audits, they are often outsourcing that internal audit piece because they don’t have that competence in house yet. So very common in year one, especially sometimes it happens in year two and year three, as well as more of a managed service offering.
Initial applicants for certification will consult with a readiness partner like CompliancePoint and say, hey, come in here and do my internal audit. It’s an outsourced internal audit, so awesome. We’re going to meet the objectivity piece immediately. But you guys do ISO all the time. So you’re going to be competent and you’re going to give me kind of this like stage zero audit flavor to the assessment, be much more rigorous and difficult on me than what my certification body is going to do ultimately. And I have a little bit more warm and fuzzies going into that real external audit.
Jordan Eisner: OK, so peace of mind, confidence, right? And what you get into it, you know, a situation I run into as well is, an organization might have that themselves internally, and they’re super competent. They’ve been through ISO, maybe at a different organization, maybe that current organization has been through ISO audits. They need an internal audit for, right, an objective view of it, and so they see the benefit of using a third party for it. But, and you tell me if this is right or wrong, and this is, you know, getting a little off course of what we talked about. They know everything. Imagine you’re working in an organization, right? David Forman with all your accolades and ISO and you’re preparing somebody for it, but you want the, you know, the independent objectivity of an internal audit, so you’ve got to do it. And they’re just looking for the best price because it didn’t really matter because they just want somebody to come in, call it, check the box. But they’re so confident in security and their program and competence of it that they’re going to do fine on their external audit that it’s like, we want that objective opinion. So it’s third party, but we’re going to pay the bare minimum best price because it doesn’t really matter because we’re going to do well in our external audit. What’s your rebuttal if you have any or thoughts around that?
David Forman: I’ll give kind of two scenarios here.
So the first one is if they have somebody with like my type of experience internally in the company, I’ll say more often than not, that person, that individual is responsible for the entire implementation effort for getting them ready to be certified. So often that person is qualified out as being the appropriate person to be appointed as that internal auditor for the organization. Rarely do you see two of those types in a company, even an enterprise company of size. Like it’s just it’s not a competency that you see every day because there’s probably not demand enough for it in an industry.
The piece that you’re talking about here, which is like, let me make my internal audit assessment more check-the-box, because I have confidence in how we’ve implemented this. You’re doing yourself a disservice. And it’s because it’s this kind of unwritten rule in ISO standards around what we call double jeopardy. You’re not going to find double jeopardy if you Control-F the standard.
But we talk about this idea of you want to maintain the management system and promote continual improvement throughout the cycle, which is typically a 12-month calendar year. And you want to do that ahead of a certification body audit.
And so if I was like, put that in real layman terms, you want to be finding stuff in your system, not the third party auditor. And we will check that you are finding stuff in your system through like a corrective improvement of actions type log or tracker to make sure that there’s stuff coming up either through self-assessment, second party audits, customer feedback, complaints against the system, whatever it might be from external resources throughout the year.
And then when we come in as a certification body, we shouldn’t be able to find anything. It should be a system that is like kind of like proactively identifying issues and then coming up with plans to remediate those issues.
Now, very commonly, there are issues that are still open by the time we come into the external audit. And that’s where I’m talking about the double jeopardy. If you’ve already identified it, you have a plan in place, you’re executing against that plan per defined milestones. We’re not calling it out as a finding that has already been identified by the system. The system is working. We don’t need to call it out on our report as well. We’re just regurgitating your report.
So use that internal audit function to call out the dirty laundry. And you will do yourself favors with the certification body at that point, because now we have confidence that this thing is working between annual audits. And we don’t need to be as stringent in these areas.
Jordan Eisner: OK, so if I’m playing that back and understanding correctly, more competent the internal auditor, even if it perhaps costs more, the in essence smoother your external audit could go.
David Forman: Yeah, let’s put this into like real timelines. If you come up with your own internal audit program and internal audit scheme, I’ll define that like, you might have a different definition for what is considered a nonconformity or the type of findings or negative exceptions we have in the system for ISO. And so if you identify what you think is a minor or major nonconformity, traditionally you only have 30 or 60 days to correct these items if an external audit finds it.
Now, if you find it as an internal audit, you could say, hey, I’m going to give myself six months or 12 months to fix that thing. That’s your system. You’re allowed to do that based on risk. And so you can give yourself more time to go fix these items as long as you are proactively identifying them and able to, again, show that kind of milestone correction improvement throughout the corrective action log. If you wait to find it, it’d be more of a fire drill.
Jordan Eisner: It’s a risk-reward thing again. So it depends on the confidence. Are you willing to risk a potential finding that’s overlooked by your internal auditor and found by your external auditor, that then you have a shorter window to remediate, to cure, rather than pay a little bit more, catch some of that stuff on the front, giving yourself a longer window to remediate according to your system and your management system and its rules than if the external auditor found it?
David Forman: That’s really the business case for keeping an outsourced internal audit in year two, year three. In year one, you have a bad internal audit and then now the external auditor’s finding all this stuff. There’s really no hard deadline in fixing stuff. It’s just you’re not going to get certified until the stuff’s fixed. In year two, year three, now you’re already certified and you’re trying to get what’s called a continuous decision to maintain the continual certification status. You have hard deadlines and if you miss those deadlines, you’re going to suspension status publicly. And then after that suspension status runs out, like worst case scenario, you could then go into revocation and withdrawal of that certification. So it becomes a lot bigger issue in year two, year three post-certification if you, I’ll say, regress on the internal audit activity compared to what initially got you certified.
Jordan Eisner: Now, that’s interesting. I didn’t know that before. Like you said, I continue to learn more every time I do these podcasts.
But yeah, I mean, that’s where it comes down to what are the contingencies put on you being ISO certified. Is this something you’re doing practically as a business? Maybe take a little bit more risk on the internal auditor because the suspension or even the revocation isn’t going to, you know, cause you to lose an account or something, or a great portion of revenue. But if you have big contingencies and reliance on that cert.
David Forman: I mean, look at like some companies that are in the news, like even this month, like Meta just had layoffs and they’re talking about like low performers. And there’s all this like bad press right now talking about is like, did they really evaluate the workforce or they just like cutting heads and like trying to chase base salaries to recoup.
So often we see with customers that have been certified for five years and then all of a sudden we come in for the annual external audit and we’re like, what happened in the last 12 months? Like, where is everybody? And it’s like maybe there was a reduction in force. But also when we think about a lot of these like functions like internal audit, that’s typically like a back office, an SG&A-type function. And oftentimes we see people either get stretched over workloads or cut altogether and then management doesn’t understand kind of the value that was provided to the system. And so when we see large turnover, that presents sometimes an existential risk against that entire management system, even if they’ve been certified for five years.
Jordan Eisner: OK, that’s helpful. Good points. OK, so on that note, you’re talking about quality. You’re looking for a readiness partner and internal auditor. What about warning signs, right? Things to be cautious of when you’re evaluating a potential readiness partner. And again, I’ll reiterate, we’re talking for building your risk assessment for the internal audit, of course, and other clause requirements that you’re going to need to get ISO certified for the first time. So I think that’s a category. But then even in subsequent years, right, in preparing for the surveillance audit, you know, red flags with a potential readiness firm.
David Forman: Yeah, one thing that I always kind of sniff out when I’m talking to potential partnerships or even just interviewing like an internal auditor, for example, as part of the external audit that comes up pretty frequently is what I call sequencing. And sequencing is basically how you are implementing or maintaining the standard based on how you’re reading it in the reference itself.
So if you just go clauses four through 10, I know we just kind of spout that off all the time. There is a certain sequence you’re supposed to actually implement. And so it starts with scope or context of the organization clause four, then it gets into like roles and responsibilities. So define your steering committee, your leadership team. And then it talks about creating a risk management methodology, identifying those risks, treating those risks, using controls to treat those risks, developing a statement of applicability, internal audit management review, all this stuff.
Once you get certified, that readiness partner now turns into more of a managed services partner almost. And the way they will sequence those recurring annual activities tells me a lot about their experience. And in all reality, right after you are done with that external audit for the year, you should be going right back into maintenance mode and saying, hey, are there any things we want to change in the scope? Yes or no?
Do we want to onboard some new services? Do we want to add some certificate locations? Do we want to add in some new departments? Or we’re thinking about taking that acquisition from a year ago and assimilating them to our policy set, that kind of stuff. That should be happening very early in that 12-month cycle.
And then from there, you’re performing a risk assessment, risk assessment, influences, treatment plans, and the statement of applicability, maybe the selection of controls. And then after all of that is at a stable state and we get it kind of to like this, I’ll say, breaking point where we can say, hey, this has been completed again for the next year. That’s when you’re performing the internal audit. And then finally, when the internal audit has to report out, you’re performing what’s called that requisite management review.
When you start screwing up with that sequence and thinking about how long these activities take, that’s a huge indicator for us. You call it a red flag. I’ll use that term, too, but that you don’t have much experience going through these type of cycles. Now, for a small company, you might be able to get away with it and do that entire kind of maintenance piece, or we call it a management review cycle, and maybe a 60-day period annually.
But for a large organization, that really that clock really needs to start at month one of a 12-month cycle immediately following the external audit. Otherwise, you can’t start making material changes or continuous improvements to that management system.
So sequencing tells us a lot about readiness partners’ experience.
Jordan Eisner: Interesting. OK. Not where I expect you to go, but good.
David Forman: I’m always here to surprise.
Jordan Eisner: So on that note, and I think you’ve alluded to some of this, so maybe this is a rinse and repeat of some of the things you’ve mentioned, right, timeline and not fitting in and increasing the timeline in two ways, right? Not allocating enough time to prepare for the initial audit and surveillance audits, but also a bad readiness partner can mean that something gets picked up in your external audit that decreases your time to remediate some of these things. So that’s maybe one. But what are some other risks in choosing the wrong partner?
David Forman: Yeah, we’ve been talking about being rigorous on yourself. Like, I’m actually going to take it from a different angle now.
There are elements where you can sample instead. And sampling, like, I actually love hearing when companies go through sampling programs versus just auditing everything every year or having the right assessment or readiness partner review just everything. Ultimately, we’re all constrained by budget and time, even for the certification body audit as well. I might be in a system for four days in a given calendar year. Like, how am I supposed to opine on this system, whether or not it’s functioning for the rest of the 12 months? Like, I’m here just to gain reasonable assurance that the system is continuing to work.
But readiness partner after year one, especially, you should be looking at basically picking significant audit trails or key processes similar to a certification body. So there’s 93 controls found in Annex A of ISO 27001, 38 controls found in 42001. Like, that’s a lot of controls to be looking at every single year at the same depth.
It makes more sense to use sampling programs and instead of going a mile wide, inch deep, now go a mile deep in each of those areas and kind of rotate them throughout the year based on risk or throughout the audit program over a multi-year term.
Jordan Eisner: That’s that 33%, 33%, 33%.
David Forman: Yeah, you can do that, especially in the second cycle after recertification. What makes more sense in the initial cycle is you do 100% that first year. So like make sure all design is looking good and controls are all implemented across the system that are required. And then starting year two, year three, go maybe 50/50 if they’re made or that cycle and then go 33/33 if you want to get into year four, five, six.
Yeah, you don’t want to do a third in year one before certification. Yeah, that’d be rough.
Jordan Eisner: OK, this has been very meaningful as always. A wealth of information. Let’s ask one more.
And you alluded to this earlier too, you were talking about there are some things that an auditor can actually provide feedback on. But we talked about how strict ISO is in some of these areas.
So auditors are not allowed to audit their own work, but there are nuances of this rule. So where’s the line drawn? Can an auditor provide any form of feedback? How prescriptive can that be? Or is the role just strictly limited to evaluation and enforcement?
David Forman: Yeah, you’ll get varying answers on this. I’ll admit that. And that’s why people hate auditors. It’s like they never give something clear-cut. I’ll tell you my opinion on this. And it’s been vetted to an extent as well.
In the certification body space, we have what’s known as witness audits. Those witness audits are where an accreditation body, so our oversight, has to sit in on a Zoom or Teams call while we’re doing walkthrough meetings with a client and witness the entire activity from start to finish, opening meeting and closing meeting.
And I’ve pushed the line over the years to see like to get opinions from these accreditation bodies based on how I respond to questions that naturally come up throughout an audit. Auditees are always looking to improve, especially if they care about the system, and they will ask you like, hey, what are you seeing?
Like, did we do a good job here? Like, you know, all right, I understand where the negative finding is. But like, could you help us a little bit more just direction wise where we should go next to continue improving this piece of activity?
So to answer that question, the first thing I always say is always ask your auditor to provide opinion on your scope and your scope statement, specifically your scope. There’s this kind of like common notion where you want to make it so narrow that like all this stuff that isn’t controlled is out of scope. But also the scope has that value and has to have weight.
So I always tell customers, I said my goal as your auditor is to make sure that if you go through this painful activity of certification and you go through a certification audit and you pass both stages initially and then you get that certificate award, I want that certificate award to stand on its own. I do not want there to be additional questions coming back from readers of that report and users who receive that certificate as part of due diligence saying, hey, I have questions about the scope statement or I don’t see my product listed, that kind of thing. I want that thing to serve all its value and have weight in the market when you go through and get this achievement.
And in order to challenge scope statements, you can ask questions about like, is there even value here? Like, I’m looking at your website as just like a dumb third party, like reviewing it for the first time, and I see your systems as X, Y and Z, yet you’ve articulated as A, B and C over here. Like, we can provide that type of feedback.
Additionally, scope is one of those few items where the certification body, I think, can provide even more type of, I’m careful to say consulting or advice, but feedback in the sense that we don’t want to misrepresent what we actually assessed. So we will provide feedback in that lens where we say, hey, we’re looking at this department only, yet you’re calling out five other departments here. Like, we need to merge these two kind of processes together, otherwise we’re getting either out of scope or we’re not covering the full scope for what we should be covering based on how you create your boundaries. So we can always provide that feedback.
Now, we’re using some choice words here. Feedback. Customer can always get feedback from the auditor. They can’t get consulting advice at all. Now, what’s the real difference between those two?
Feedback is more generalities, and the standard does call out that a certification body can provide training and even interpretation of certain requirements. That is not considered management system consultancy. They do that literally within the same definition of that term, management system consultancy. They have two footnotes underneath it. And some of that feedback or implementation kind of interpretation, that’s very helpful to understand like an auditor’s point of view. So we can always give points of view. We can always give interpretation of a requirement.
The key here is we can’t give tailored advice. And so typically how we do that, if we really are trying to get a point back to the auditee, is we get more benchmarking type data. So we say, hey, for organizations that are in your sector or similar size or initially going through a 27001 audit, we commonly see X, Y and Z. Consider that for your system. That is about as far as we can go in terms of providing that type of gray area consulting advice for feedback to make sure that we are not auditing our own work.
But you will see some auditors who aren’t super clear on that gray area, therefore they will avoid it altogether. And they’ll say, I’m just the police. I’m just enforcing the standard. You tell me how you did it. And that’s where I think you get a little bit more butting heads in this industry and auditors get the bad rap.
Jordan Eisner: Wealth of knowledge. That’s you, David. Wealth of knowledge, Forman.
David Forman: I appreciate it. No. And Jordan, I want to do it justice and I want to spend the time here on these type of podcast episodes. If I didn’t feel similar about your team to your team, I know the individuals that make up the implementation advisory readiness team, all the same thing. We just discussed that for these management systems, for various ISO standards as well.
And I think where that’s I’ll say where I think Mastermind has really decided to invest in CompliancePoint is knowing that your team has that background of not only being implementation advisors, but also previously wearing that auditor hat, too. And I think you kind of have to wear both hats in order to be truly effective in this space. So sometimes a little bit chicken before the egg. You got to get the experience somewhere. Not the case of CompliancePoint. You guys definitely have built that team well.
Jordan Eisner: Appreciate it. And I’d respond with and now we’re just, you know, buttering each other up for the audience. But, you know, to have the ultimate confidence in who you’re throwing your clients over to from an audit standpoint or even, you know, prospects when you’re talking about your readiness and, you know, an eagerness to say, hey, do you want to talk to an auditor? Because we’ve got one and, you know, we work together and you’re not going to leave that conversation, not getting a question answered to the team. And so, you know, it’s great. So and getting to these podcasts and our Korean barbecue and sushi lunches is just an added benefit.
David Forman: Thank you. I enjoy our meals together as well.
Jordan Eisner: So and I always ask you to do this right. That’s from the horse’s mouth. How can our viewers and listeners best get in touch with you?
David Forman: Of course, if you’re not already connected with me on LinkedIn, please send over that connection. You’ll find my handle. MastermindDavid. Also, you can find us on our website.
Mastermindassurance.com. Big contact button there on the home page. If you are more the email type hello@mastermindassurance.com. But you can also go through Jordan. Jordan knows my cell number.
Jordan Eisner: There you go. Oh, man. Yeah, there you go. Don’t get that out. You’re a LinkedIn open connector. You’re a lion, but you’re not giving out your cell.
David Forman: That’s pretty accurate.
Jordan Eisner: And for our viewers and listeners that want to get a hold of CompliancePoint, even if it’s just me to get to David, we’re OK with that.
Compliancepoint.com. Connect@compliancepoint.com or look us up on LinkedIn until next time, because I know there will be a next time.
David, thanks. And there you go. A few minutes early. Go enjoy some lunch.