ISO 27001 Getting Started | Everything you need to know | ISO 27001 Basics

Stuart Barker

18 Feb 202243:33

Summary

TLDRThe video script offers an in-depth exploration of the governance risk and compliance framework, focusing on the implementation of ISO 27001. It emphasizes the importance of senior management buy-in and establishing a management review team to ensure policies and procedures are aligned with business risks. The speaker compares ISO 27001 with other standards like SOC 2 and PCI DSS, highlighting the differences in audit approaches—point in time versus continuous auditing, and risk-based versus rule-based frameworks. The script also provides practical advice on engaging with certification bodies and managing client expectations throughout the certification process, including costs and timelines.

Takeaways

📈 Senior Management Buy-in: The importance of having top-level leadership support for any governance, risk, and compliance framework, including ISO 27001, cannot be overstated.
🔑 Management Review Team: A key component of the framework is the establishment of a management review team that ensures policies and procedures are implemented and followed across the organization.
🛡️ Risk-Based Approach: ISO 27001 is a risk-based model, meaning that controls are tailored to the specific risks and business needs, rather than a one-size-fits-all rule-based approach.
🔒 Policies and Procedures: Clear distinction is made between policies (what the organization does) and procedures (how it is done), which are based on risk and subject to regular audits.
🔍 Internal Audits: Organizations must perform internal audits at least annually, focusing on the most risky aspects of the business to ensure compliance with policies and procedures.
🚫 Incident Management: Incidents, or deviations from policy or procedure, are expected and managed as part of the continual improvement process.
🔄 Continual Improvement: The script emphasizes the need for ongoing assessment and enhancement of policies and procedures to adapt to new risks and challenges.
🌐 International Standard: ISO 27001 is an internationally recognized standard for information security management, making it a valuable asset for global businesses.
💰 Cost Considerations: The costs associated with ISO 27001 certification can vary widely based on the size of the organization and the certification body chosen.
⏱️ Timelines for Certification: The process of achieving ISO 27001 certification can take up to 12 weeks or more, depending on the certification body's availability and the organization's preparedness.
🔑 Accurate Documentation: It is crucial to document current practices accurately, as auditors will verify these against the documented procedures, with discrepancies potentially leading to audit failures.

Q & A

What is the primary purpose of implementing ISO 27001?
-ISO 27001 is typically implemented due to commercial requirements, as it provides a framework for information security management systems (ISMS) and helps ensure that an organization's information assets are adequately protected.
Why is senior management buy-in crucial for the success of an ISO 27001 implementation?
-Senior management buy-in is essential because it sets the direction for the organization and ensures a culture of top-down leadership. Without it, there can be struggles with political, budgetary, and resource allocation issues, which are critical for successful implementation.
What is the role of a management review team in the context of ISO 27001?
-A management review team oversees and approves policies and procedures, ensuring that tasks related to the ISMS are completed effectively. It represents different areas of the business and is responsible for continual improvement and addressing any deviations or incidents.
How does the concept of 'policies' differ from 'procedures' in the script's context?
-Policies are statements of what an organization does, set by the leadership, while procedures are statements of how tasks are carried out within the organization. There is a conceptual separation where policies define the 'what' and procedures define the 'how'.
What is the significance of risk-based versus rule-based approaches in the context of ISO 27001?
-ISO 27001 adopts a risk-based approach, which means that the controls are tailored to the specific risks and risk appetite of the business. This contrasts with rule-based systems like PCI DSS, which have specific, mandatory controls that must be implemented regardless of the business's risk profile.
How does the script differentiate between an incident and an audit?
-An incident is a deviation from a policy or procedure, such as a security breach or a system outage. An audit, on the other hand, is a systematic review of policies and procedures to ensure they are being followed and are effective, based on risk.
What is the importance of continual improvement in the ISO 27001 framework?
-Continual improvement is a core concept in ISO 27001, emphasizing the need for an organization to constantly evaluate and enhance its ISMS. This process is managed by the management review team and involves addressing risks, audit findings, and incidents.
How does the script describe the process of external audits in relation to ISO 27001?
-External audits are conducted by accredited certification bodies and can occur as part of the certification process, customer onboarding, or regulatory requirements. They assess the organization's compliance with ISO 27001 standards.
What are the key differences between ISO 27001, SOC 2, and PCI DSS as discussed in the script?
-ISO 27001 is an international risk-based standard for ISMS. SOC 2 is an auditing procedure that assesses service organizations, with Type I being a point-in-time audit and Type II being a continuous audit over a defined period. PCI DSS is a rule-based standard specifically focused on entities that store, process, or transmit cardholder data.
Why does the script suggest starting with ISO 27001 before pursuing other standards like SOC 2 or PCI DSS?
-The script suggests starting with ISO 27001 because it provides a foundational management system that can be built upon. Other standards like SOC 2 and PCI DSS often require controls that are already covered by ISO 27001, making it a more efficient starting point.

Outlines

00:00

📚 Introduction to Governance, Risk, and Compliance

The speaker introduces the concept of governance, risk, and compliance (GRC) and explains how ISO 27001 fits into this framework. The discussion highlights the importance of senior management buy-in for a successful implementation of ISO 27001. It emphasizes establishing a top-down leadership culture and the challenges that arise without executive support. The speaker also outlines the structure for a management review team, which is crucial for ensuring that tasks are completed and that policies and procedures are overseen and approved. The talk also touches on the separation of policies and procedures, with policies being high-level statements of what the organization does, and procedures detailing how it is done.

05:01

🔒 The Importance of Policy and Procedure Distinction

This paragraph delves deeper into the distinction between policies and procedures. Policies are defined as high-level statements set by leadership, dictating what the organization does, such as implementing antivirus on every machine. Procedures, on the other hand, are detailed instructions on how to execute these policies, like setting up automatic scans and defining protocols for alerts. The speaker stresses the need for clear separation to allow for better documentation and management. Additionally, the paragraph discusses the importance of these documents in meeting client demands and due diligence processes, as well as the risk-based approach of ISO 27001, which allows organizations to implement controls appropriate to their specific risks and business needs.

10:04

👀 Auditing and Incident Management in ISO 27001

The speaker discusses the auditing process and incident management within the context of ISO 27001. Policies and procedures are subject to regular audits to ensure they are effective and aligned with the organization's risk profile. The auditing process is based on risk, with more critical areas being audited more frequently. Incidents are defined as deviations from policy or procedure, and they are an expected part of the continual improvement process. The management review team plays a key role in addressing incidents and driving the process of continual improvement, which is a core aspect of ISO 27001. The speaker also mentions the importance of having a risk-based approach to controls and the flexibility it provides compared to rule-based systems.

15:05

🛠️ Continual Improvement and External Audits in ISO 27001

Continual improvement is a key component of ISO 27001, and this paragraph explains how it is managed and reported by the management review team. The speaker describes the process of identifying, assessing, and treating risks, as well as the role of internal audits in this process. Incidents that occur are also addressed by the management review team, which makes decisions on necessary actions, such as resource allocation or policy updates. External audits are also discussed, highlighting the different contexts in which they may occur, such as part of a certification process or as a requirement from a new customer. The speaker emphasizes the cyclical nature of updating, auditing, and improving policies and procedures.

20:06

🏗️ Building a Structured Approach to Compliance

The speaker provides an overview of how to build a structured approach to compliance, starting with ISO 27001 as the foundational management system. The paragraph explains the concept of 'bolting on' additional standards and frameworks, such as GDPR and PCI DSS, to the base ISO 27001 framework. This approach allows for a comprehensive and scalable compliance structure that can adapt to various regulatory requirements. The speaker also discusses the importance of common modules and the benefits of starting with ISO 27001 before moving on to other standards.

25:07

📈 Understanding Different Audit Frameworks and Standards

This paragraph explores various audit frameworks and standards, such as ISO 27001, SOC 2, and PCI DSS. The speaker explains the differences between these standards, including their geographical focus, the nature of their audit processes (point in time vs. continual), and their management structure. The discussion also touches on the complexity and cost implications of implementing and certifying these standards, with a particular focus on the rigorous and costly process associated with SOC 2 Type 2 audits compared to the more structured and generally less expensive ISO 27001 certification.

30:07

💰 Costs and Processes Associated with ISO 27001 Certification

The speaker discusses the costs and processes involved in obtaining ISO 27001 certification. They mention that certification costs can vary depending on the size of the business and the certification body chosen. The paragraph outlines the importance of getting multiple quotes and highlights the potential for significant cost differences between certification bodies. The speaker also emphasizes the need for transparency in ongoing audit fees and warns against hidden fees or unnecessary services. The paragraph concludes with advice on setting realistic expectations for the certification timeline and the process involved in achieving certification.

35:07

⏱️ Timeline and Expectation Management for ISO 27001 Certification

The speaker provides insight into the timeline and expectation management for clients pursuing ISO 27001 certification. They explain that the certification process can take up to 12 weeks but is dependent on the certification body's availability and the client's ability to implement and evidence the required controls. The speaker advises setting a realistic timeline of about three months for implementation and emphasizes the importance of managing client expectations regarding the time it takes to receive the actual certificate. They also suggest strategies for安抚 clients who may be requesting the certification, such as showing commitment dates and engagement letters from the certification body as proof of progress.

40:08

🛡️ The Role of Advocacy in the Certification Process

In this final paragraph, the speaker reflects on their role as an advocate for their clients during the certification process. They discuss the importance of countering key red flags and ensuring that clients are well-represented and informed. The speaker also hints at a future discussion about the roles involved in an engagement and audit, the perspectives of different stakeholders, and the realities of the situation. They aim to provide insights that can help manage the complexities of the certification process.

Mindmap

Keywords

💡Governance Risk and Compliance (GRC)

Governance Risk and Compliance refers to the framework that organizations use to ensure they operate in a manner that is compliant with laws and regulations, manages risk effectively, and is accountable to stakeholders. In the script, GRC is the overarching theme, with the discussion focusing on how ISO 27001 fits into this framework, emphasizing the importance of senior management buy-in and a top-down approach to leadership for successful implementation.

💡ISO 27001

ISO 27001 is an international standard for information security management systems (ISMS). It provides a systematic approach to managing an organization's sensitive information in a secure manner. The script discusses how ISO 27001 is implemented within the GRC framework and how it serves as a foundation for other standards and frameworks, such as GDPR and PCI DSS.

💡Management Review Team

A Management Review Team is a group within an organization that oversees and approves policies and procedures. In the context of the script, this team is crucial for ensuring that the organization's actions align with its policies, and it plays a key role in the continual improvement process, which is central to the ISO 27001 standard.

💡Policies and Procedures

Policies and procedures are the documented rules and steps that govern an organization's operations. Policies state what the organization aims to achieve, while procedures detail how to achieve it. The script explains the importance of separating policies and procedures and how they are applied to staff and third parties within the organization.

💡Risk-Based vs. Rule-Based

The script distinguishes between risk-based and rule-based approaches to implementing standards. Risk-based approaches, like ISO 27001, involve determining appropriate controls based on an organization's specific risks and risk appetite. In contrast, rule-based systems, such as PCI DSS, have predefined controls that must be met without flexibility. Understanding this distinction is crucial for organizations when choosing which standards to implement.

💡Internal Audit

An internal audit is a process where an organization examines and evaluates its own policies, procedures, and operations to ensure they are effective and compliant with regulations. The script mentions that internal audits are based on risk and are a critical part of the continual improvement process under ISO 27001.

💡Continual Improvement

Continual improvement is the ongoing process of enhancing an organization's performance and operations. In the script, it is highlighted as a key component of the ISO 27001 standard, with the management review team playing a central role in overseeing and managing this process.

💡Incident Management

Incident management refers to the process of identifying, reporting, and addressing deviations from policies or procedures, known as incidents. The script explains that incidents are expected and form part of the continual improvement cycle, where they are reported to and managed by the management review team.

💡External Audit

An external audit involves an independent third party reviewing an organization's systems, processes, and documentation to verify compliance with standards like ISO 27001. The script discusses the process of engaging with external auditors and the importance of preparing for these audits as part of the certification process.

💡Certification Body

A certification body is an organization that provides official certification to companies that meet specific standards, such as ISO 27001. The script mentions the importance of selecting an accredited certification body and getting quotes from different bodies to ensure a fair and transparent process.

💡Stage 1 and Stage 2 Audit

The certification process for ISO 27001 typically involves two stages. Stage 1 focuses on evaluating the documentation and initial implementation of the ISMS, while Stage 2 involves a more in-depth audit of the actual implementation and operation of the controls. The script explains the importance of both stages in achieving certification.

Highlights

Governor's risk and compliance framework integration with ISO 27001 for effective information security management.

Importance of senior management buy-in for successful implementation of ISO 27001.

Establishing a management review team for oversight and approval of policies and procedures.

Conceptual separation of policies and procedures for clarity and effectiveness.

Risk-based approach of ISO 27001 allowing flexibility in control implementation based on business needs.

Difference between risk-based and rule-based systems exemplified by ISO 27001 and PCI DSS.

Internal audit processes and their significance in maintaining and improving policies and procedures.

Incident management as a deviation from policy or procedure and its role in continual improvement.

Management review team's responsibility in addressing continual improvement and resource allocation.

External audits' role in the certification process and their impact on client engagements.

Foundational role of ISO 27001 in the governance framework and its compatibility with other standards.

Bolt-on approach to integrating additional standards like GDPR and PCI DSS on top of ISO 27001.

Comparative analysis of ISO 27001, SOC 2, and PCI DSS in terms of implementation complexity and cost.

Advantages of starting with ISO 27001 before pursuing SOC 2 or PCI DSS certifications.

Cost implications and the importance of obtaining multiple quotes for certification audits.

The certification process timeline, including stages 1 and 2 audits, and annual continuing assessments.

Strategic approach to dealing with clients expecting rapid certification and setting realistic expectations.

Recommendation to use an accredited certification body and the benefits of comparing different providers.

Transcripts

00:00

so what you're going to see here is the

00:01

um

00:02

this is how i see governor's risk and

00:04

compliance working and this is how 27001

00:07

sits into that governance risk and

00:08

compliance framework

00:10

so

00:11

when we're doing a

00:13

27001

00:16

implementation

00:18

normally

00:19

people are going to be doing it because

00:21

they've been uh driven by a commercial

00:23

requirement we'll come back to that as

00:25

well so what they want to understand is

00:27

how does 27001

00:29

fit

00:30

what we have when we develop a

00:32

governance risk and confront compliance

00:33

framework is we're doing it in more

00:36

generally

00:37

so we are going to implement specifics

00:40

in for 27 0001 but we are going to try

00:42

and put something in that's a little bit

00:44

more general i'll do that so i can see

00:46

be awkward when you record it because

00:47

it's going to be recording you recording

00:49

me recording you but anyway

00:51

so uh so yeah so we're going to put in

00:53

something that's a little bit more

00:54

general so this will apply no matter

00:56

what standard you're implementing you

00:58

know and technically it would apply if

00:59

you were doing a data protection

01:01

implementation you know you're going to

01:03

be doing 9001 pci dss stock one sort two

01:05

whatever it is it's going to be

01:07

so what all of the standards and all of

01:08

the frameworks i'm looking for is that

01:10

senior management buy-in so what we have

01:13

is at the top level we've got senior

01:14

management and senior management needs

01:16

to set the direction of the organization

01:19

there are things that that we can do

01:21

we'll talk about role

01:23

uh in a little while but there are

01:25

things that we can do to help to

01:26

evidence that

01:28

but what you're hoping for is that when

01:29

you go into an organization there is a

01:31

culture of top-down leadership that

01:34

there is top-down buy-in

01:36

you are going to struggle in any

01:38

organization where your engagement is

01:40

either sea level or even below

01:42

so if the demand or the requirement is

01:45

coming from like a pro a product manager

01:47

a development manager a network manager

01:50

and even head of ops you know on his own

01:53

or her own then you are going to

01:55

struggle with it and and it's mainly

01:57

around politics it's going to be around

01:59

budget it's around getting buy-in and

02:01

resources to do what it is that that

02:03

needs to be done

02:04

so in very very practical terms you need

02:06

that senior management buy-in

02:08

and leadership from the top if i'm

02:10

engaging on a project i want at least

02:12

one of those

02:14

uh senior members uh sitting in in my

02:17

management meetings and we'll talk about

02:19

them as well as it goes for a bit

02:21

so senior management at the top sets the

02:23

direction underneath that we're going to

02:24

implement the concept of a management

02:26

review team now some companies have this

02:28

already this terminology will come up

02:30

time and time again

02:32

depending on the size of it there may be

02:33

an existing structure that you can

02:36

hijack and that you can jump off of the

02:39

back of

02:41

even in those environments even in

02:43

larger organizations i'm still mind

02:45

minded to create what i call a

02:47

management review team okay

02:49

so what the management review team is is

02:51

it ensures that things get done

02:53

now when i build the management review

02:55

team i'm going to share with you all of

02:57

the templates and documents as we go

02:58

through

02:59

when i when i set up a management review

03:01

team i want on that management review

03:03

team a representative of each area of

03:06

the business ideally so i'm looking for

03:08

somebody from hr i'm looking for that

03:11

one senior leadership manager that's

03:12

going to buy in i'm looking for

03:14

representation from it

03:17

if i've got a software development

03:18

function i want somebody from software

03:20

development call center ops whatever it

03:22

is so the size of the organization

03:24

now in a smaller organization it might

03:26

only be two of you and that's mine too

03:28

right you know but we just got to have

03:30

this we've got to have this structure

03:33

now the standard is going to call to

03:35

that as well so it's going to say right

03:37

i i need you to demonstrate certain

03:39

things i need you to demonstrate clearly

03:41

buying and this is one of the ways of

03:43

the way that we do it and we want to

03:45

demonstrate in communication we want you

03:47

to demonstrate things like continual

03:48

improvement so there are a number of

03:50

things that that need to happen that

03:53

this management review team is going to

03:54

satisfy and again we haven't even really

03:57

got to a standard yet right but in those

03:59

in those principles so we've got this

04:01

management review team

04:02

so what do they do

04:04

so they oversee

04:06

and they approve

04:08

policies and procedures

04:10

at the end of the day that is on the

04:11

left-hand side of this cycle that is

04:13

what that management review team is

04:14

doing depending on the size of the

04:16

organization they may be doing the doing

04:18

so they may be writing it and then they

04:20

may be improving it that's fine that's

04:22

fine but there's a conceptual separation

04:25

that the management review team oversees

04:28

and approves policies and procedures

04:31

in our world or in my world from a

04:33

practical perspective i separate out for

04:36

client policy and procedure

04:39

a policy is a statement of what we do

04:44

a procedure is a statement of how we do

04:48

it

04:48

and i separate those now what you find

04:50

when you go on a client is you're going

04:52

to find a mix

04:53

so if they try to do it themselves or

04:55

depending on where they're coming from

04:56

you might have some that's policy

04:58

statement uh mixed in with some process

05:01

statement uh and it can be a little bit

05:03

messy

05:04

okay a couple of reasons why i want to

05:06

do that the policies about what we do if

05:10

you think about it in from a

05:11

hierarchical point of view is going to

05:13

be set by the leadership right the

05:14

management they say what do we do well

05:16

we do antivirus on every machine

05:19

antivirus you know reports up to central

05:21

management

05:23

uh

05:24

is set to you know auto

05:27

disinfect like we want antibiotic we

05:29

want decentralized managed um antivirus

05:33

so it's a statement of what we do it

05:35

doesn't say we use symantec we log on we

05:39

download definition files every 24 hours

05:42

we set auto scan to run at 7 30 in the

05:44

morning if an alert comes it goes to bob

05:46

in it at this email address bobbin it

05:49

then does this and raises a ticket with

05:51

it it's a complete separation now

05:55

what that allows us to do as i say is we

05:57

can give bob

05:58

the uh sorry the the framework for him

06:00

to record what he does and we can give

06:03

the managers the framework to record a

06:05

high level what we do bob is doing how

06:07

we do it

06:09

what you're also going to find is that

06:10

pretty much every client that your

06:12

client engages with wants policies

06:15

so what they're going to say to your

06:16

client is i want a data protection

06:18

policy i want a clear desk policy i want

06:21

a working from home bring your own

06:22

device change management software

06:24

development

06:25

policy

06:26

so what we want to be able to do is

06:28

we're going to build our policy suite in

06:30

such a way

06:31

that it

06:33

makes their life easier right

06:36

it'll kind of make clients life a little

06:37

bit a little bit easier but it's all

06:39

about making the the

06:41

the requesters life easier so if they

06:43

say if you've got software development

06:44

on policy costs we have here you go bang

06:46

and it's written in a way that looks

06:47

like a software development policy they

06:48

can understand it

06:50

and they can respond to it

06:52

so we've got these policies that say say

06:54

what we do what we haven't then included

06:56

in it is all this personal information

06:58

right there's all bob's email addresses

06:59

in there

07:00

you know if we had a business continuity

07:02

policy and it said all right this is our

07:04

emergency call tree in the policy i

07:06

can't share that as part of a due

07:08

diligence on boarding

07:12

so we've got these policies what we do

07:15

we've got procedures within our

07:17

organization about how we go about doing

07:19

it

07:20

and when we've got policies and

07:21

procedures we apply those to staff and

07:24

third parties on the left hand side

07:27

so we can't expect staff employees

07:30

human beings

07:32

to do the right thing if we don't tell

07:34

them what it is that we expect them to

07:36

do yeah so it's part of that

07:38

communication framework so it's this

07:40

governance risk and compliance

07:42

so we've got our policies and we're

07:44

going to apply them to staff and staff

07:47

and third parties are going to operate

07:48

them and hopefully everything is going

07:50

hunky-dory

07:52

now our policies and procedures

07:55

good good for your knowledge

07:57

with your knowledge are based on risk

08:00

okay so policies and procedures are

08:01

based on risk

08:05

we're going to take a step back for a

08:07

moment

08:08

when it comes to

08:09

implementing a

08:11

standard

08:13

there are typically two approaches

08:15

risk-based and rule-based

08:19

27001

08:21

is a risk-based model

08:23

and i like it for that reason so what

08:26

27001 says is when it comes to controls

08:32

you are going to operate the controls

08:35

that are appropriate to your business

08:37

based on your businesses risk

08:39

to a level

08:41

that is appropriate to your business and

08:42

your business is risk appetite

08:45

so it could be the situation that you

08:46

don't have certain controls in your

08:48

organization

08:50

it could be that you have controls in

08:51

your organization that other people

08:53

would deem to be not sufficient

08:56

okay so i'll give you an example

08:59

27001 as one of its controls says your

09:02

password management system

09:04

it doesn't say what that password

09:06

management system is you define it so

09:08

you could say our password

09:10

password management system it's one

09:12

character long we never change it

09:15

right it's our risk it's our risk

09:17

redeemed it's our risk

09:19

now i can show you how you would have to

09:20

manage and report that and how you'd

09:23

have to control that but the theory

09:24

stands

09:26

you also have

09:27

rule-based systems right rule-based

09:30

systems are cyber essentials pci dss

09:34

to some extent sock what a rule-based

09:37

system says is you will have this

09:38

control to this level and if you don't

09:40

you will fail

09:42

there is no no ifs no buts no no no

09:44

nothing around it right

09:46

so it is within the rounds of

09:48

possibility in a risk-based system to

09:50

have quite a weak control framework

09:53

uh and still certify and pass whereas in

09:56

a rule-based system you're going to be

09:59

governed by whatever the rule is it's

10:00

yes or no black or white tick or fail

10:03

but either way i say our policies and

10:06

procedures are based on risk

10:08

so what what it is that we do as a

10:10

business is based on our businesses risk

10:12

appetite and how we do it is going to be

10:14

based on risk as well

10:18

when we have policies and procedures

10:20

they are subject to audit they're going

10:22

to get checked and they're going to get

10:24

checked a lot right

10:26

so as a

10:28

function

10:29

we have to perform internal audits on

10:31

our organization at least annually

10:35

when we deep dive into some of these

10:36

areas you'll see some of the caveats but

10:38

i'll touch on it now

10:40

if an auditor asks you a question how

10:42

have you devised your internal audit

10:44

plan the answer is always

10:47

based on risk

10:49

now the reality may not be that and

10:51

again we'll touch on that later

10:53

but what they want to see in an internal

10:55

audit plan is that the things that are

10:57

the most risky to your business have

10:59

been audited probably more than once

11:02

okay

11:03

right so you're going to audit based on

11:04

risk if i know you know i don't know if

11:07

i'm in a high transaction environment

11:09

for financial services

11:11

you know and

11:13

what could be capacity management maybe

11:16

you know was an issue then that might be

11:17

an area that i ordered every month just

11:19

to keep an eye on it and make sure that

11:21

all the controls are working so we've

11:23

got policies got procedures based on

11:24

risk risk is defined the level that

11:26

we're going to implement them and then

11:27

we're going to audit them

11:28

we're going to internally audit them

11:31

you can internally

11:32

or you can internally audit

11:35

with your with your own staff with your

11:37

own self like the head of it could

11:39

internally order it it's got limited

11:41

value to it what we would say is part of

11:43

our implementation is ideally you want

11:45

somebody with a level of independence

11:48

either somebody in the business whose

11:50

job it isn't normally

11:52

like to operate that process and

11:54

procedure but in our best case scenario

11:56

bringing in a consultant like us

12:01

when we've got these policies and

12:02

procedures that staff are operating in

12:04

the middle what you can see is they've

12:06

got incidents

12:07

now what is an incident an e an incident

12:09

is a deviation from a policy or a

12:11

procedure

12:13

so

12:14

in like the audits terms call it a

12:16

non-conformity right so what do i mean

12:18

by an incident it could be that a policy

12:20

says um what we do and actually we found

12:24

not to do it

12:25

uh or a procedure says something and

12:28

we've not followed the steps within the

12:30

procedure

12:31

so

12:32

typical incidents right people leaving a

12:35

laptop on a train that's an incident

12:37

you know um an outage of your system for

12:40

30 minutes that's an incident you know

12:42

it's a deviation from the norm

12:45

uh

12:46

i had a call

12:48

yesterday with a client they had

12:49

outsourced

12:51

uh account provisioning

12:53

to a

12:55

support company an it support company

12:57

and they discovered that the it support

12:58

company had been cloning

13:00

rather than creating ids from scratch

13:03

and they've been cloning senior managers

13:05

ids

13:07

and allocating them to new starters and

13:09

you start as therefore had all the

13:10

access rights of the senior manager

13:13

and this has been going on for some time

13:14

deviation from the norm right

13:17

so we've got things will go wrong and

13:19

that's fine we expect that right there's

13:21

always going to be things that go wrong

13:23

so i can find

13:24

uh i'm going to perform my risk

13:26

assessment i'm going to do my internal

13:27

audit and incidents and things are going

13:28

to go wrong that bit in the middle

13:31

leads into your continual improvement so

13:34

we're gonna we're gonna drive a process

13:36

now of continual improvement

13:39

so 27001 doesn't necessarily expect you

13:43

to have everything right day one and

13:46

actually baked into it is a process of

13:49

continually improving

13:51

now we can look further down the line at

13:53

the benchmark of what would be expected

13:56

for a certification even though it could

13:57

be quite low but the concept is we've

14:00

got continual improvement

14:02

so a continual improvement

14:04

is reported to and managed by the

14:07

management review team

14:09

and again i'll show you the templates

14:11

that make that up

14:12

so what do i mean by that so if i've

14:14

gone through my risk identification and

14:16

i've highlighted that there is a risk um

14:20

you know there could be a we're going to

14:22

open a new office there's no reception

14:23

in the office

14:25

uh and there's no entry controls so i've

14:27

identified a new risk so i've got to do

14:29

something about it

14:30

so through risk management and risk

14:32

treatment and risk treatment i'm either

14:34

going to accept the risk

14:36

i'm going to reduce it mitigate it

14:38

offset it so i'm going to do something

14:40

with that risk but the body that makes

14:42

that decision is the management review

14:44

team the management review team is the

14:46

one that reports it so it is the one

14:48

that oversees it

14:50

when i go through my internal audit and

14:52

i go against the controls and i find

14:54

that something is wrong or is not

14:56

operating effectively then i'm gonna

14:58

have to

14:59

make a recommendation and something's

15:01

gonna have to happen

15:03

that goes into the management review

15:04

team an incident occurs it could be a

15:07

one-off or it may require something

15:11

and that something could be

15:13

people

15:14

it could require time

15:16

it might be people need training or

15:18

educating i might need tooling i might

15:21

need technology

15:22

you know there's whatever it is there's

15:23

going to be something that needs a

15:24

decision to be made and it's the

15:26

management review team that would

15:27

approve that

15:28

so through the processes that i'll show

15:31

you and the reporting and all the

15:32

templates and how it works

15:34

ultimately it's the management review

15:36

team that says yes

15:37

you can have the resource to do whatever

15:39

it is that you need to do we'll plan it

15:40

we'll track it we'll manage it or we

15:42

accept the risk

15:44

and again we've got different levels of

15:47

authority on who can approve what levels

15:49

of risk but that's roughly the structure

15:51

of how it works so you've got this cycle

15:54

this continual round and round update

15:56

your policies update your procedures

15:58

then audit them they didn't quite work

15:59

continually improve them update them

16:01

roll them out audit them again audit

16:04

them again audit them again on and on it

16:06

goes

16:08

when it comes to your audits

16:10

one of the first things is when we come

16:11

off of this is i'll talk you through the

16:13

process of how 27001 works

16:16

but you are going to get externally

16:18

audited now external audits for clients

16:21

happen in a number of different ways

16:23

right they can happen as part of a

16:24

certification process

16:26

they can happen as part of a onboarding

16:30

a new customer

16:32

so typically you're going to see

16:34

questionnaires requests for certificates

16:36

but they can also come and audit you and

16:38

review you

16:39

um and obviously worst case scenario is

16:42

going to come in and audit you as well

16:43

but you know hopefully you never get to

16:45

that point

16:49

so let's look at the framework so that's

16:51

how the management of it all hangs

16:52

together

16:54

so if i look at what does the governor's

16:55

framework the top two remain the same

16:58

you think of it as an inverted

16:59

pyramiding effects but i like to work

17:01

bottom up top down but you see where

17:03

we're going so the top two remain the

17:05

same management is still set in the

17:06

direction the management review team is

17:08

still ensuring it gets done

17:10

what we're looking at now is where does

17:12

27001 logically fit within this

17:14

structure

17:15

and

17:16

for me and

17:18

through my experiences 27001 forms the

17:21

foundation

17:22

it is the base level management system

17:26

as an organization that i would be

17:28

encouraging any any client to go for

17:30

first

17:31

so there's some debate in uh you know

17:33

out there i've got clients that come to

17:35

me and they go oh i want to do sop 2

17:36

right we want to do sop 2 first

17:40

again we can have that discussion but i

17:41

would always discourage that and say

17:42

let's go 27001 first

17:45

if 27001 is on your roadmap let's do it

17:48

first then build on it because pretty

17:51

much every other standard that you've

17:53

got that's out there builds on 27001 as

17:56

a framework

17:58

so your bolt-ons when we build our

17:59

structure you're going to be able to

18:01

bolt on gdpr

18:03

pci dss

18:05

sock

18:07

and the way that we're going to do that

18:09

and the way that we would encourage to

18:10

do that is to build these common modules

18:13

i want to create a risk management

18:15

approach template structure that is

18:18

sufficient to support gdpr and to

18:21

support pci and actually it support the

18:24

wider business

18:26

and i you know many engagements i go on

18:28

business will say actually your risk

18:29

register is better than the one we use

18:30

for the company let's take that and

18:32

apply that to the wider business

18:35

so we want to build supplier management

18:37

in a way that it satisfies all

18:38

requirements

18:39

policies operating procedures etc

18:43

what i mean by the bolt-on section is

18:45

and again for knowledge really is that

18:48

if something like 27001 says

18:51

you need a password management system

18:54

based on risk

18:56

it could be one character long it could

18:58

be no characters long it doesn't care

18:59

pci comes along and says oh by the way

19:01

your password management system will be

19:03

28 billion characters long with all of

19:06

this level of complexity in it

19:07

you know what oh well that's okay right

19:09

it's what it's just like tweak to

19:11

whatever an ad setting on a group

19:12

whatever you know but we're building up

19:15

on that we're building upon that

19:17

foundation

19:18

gdpr as well so we will have a look at

19:21

where that fits but the principles six

19:24

maintain adequate security 27001

19:27

satisfies a lot of that but there may be

19:28

some additional steps that we want to

19:30

take just to enhance it a little bit

19:33

for

19:33

special category data or whatever it is

19:35

that the gdpr is

19:38

his driving is down

19:42

so that's kind of

19:44

high level

19:45

how it hangs together and that's high

19:47

level

19:48

where the 27001

19:51

fits in within that structure

19:55

there's all things you already knew

19:57

anything that any questions that you

19:58

don't cover

19:59

no questions all make sense

20:02

perfect

20:06

perfect

20:08

so hopefully that's just recorded me and

20:09

you now which is fine

20:17

so in terms of today let's talk about

20:19

standards

20:21

let's talk about if you were advising

20:22

client okay client says oh i want stop

20:25

two

20:26

we can do more deep dives into

20:28

the sort two as well further down the

20:30

line

20:31

and but they say in general right i'm

20:34

looking at doing i'm looking at doing

20:35

this top two

20:37

pci

20:38

so let's understand where these uh

20:40

frameworks fit fit within that structure

20:44

27001 as we say international standard

20:47

for information security management an

20:49

international standard

20:51

driven by the bsi the british standards

20:54

institute an iso standard that is

20:57

aligned from a management perspective

20:59

with things like 9001 22301 business

21:02

continuity so the management structure

21:05

actually side of it

21:06

you're going to see on more than one

21:08

occasion if you're going to a more

21:09

complex client you know if i go into one

21:12

that's doing 9001 i'm like well you'll

21:14

be already having a management structure

21:15

you've already got continuum improvement

21:17

these things that we can bolt on

21:19

together

21:20

it is to say it's the baseline right

21:22

it's the minimum level

21:23

risk-based system minimum level

21:26

the main requirement and driver for it

21:28

tends to be out of the uk from my

21:31

experience so it's very uk and european

21:34

centric

21:36

if your client is operating within

21:37

europe 27 01 is probably the one again

21:40

the one they're going to be pushed for

21:43

as you start to move across some more

21:44

into the americas the americas would be

21:47

driven more by a requirement for sock

21:51

and it is typically a stock 2

21:53

requirement that they have

21:58

and you get that of uh you get that out

22:00

of australia as well

22:02

depending on the size of the

22:03

organization that's requesting it

22:05

they're probably going to ask for both

22:07

so i've got clients in financial

22:09

services you know you start working with

22:10

the large banks before they're asking

22:13

they're just they're asking for both

22:14

just straight out of the back

22:16

so let's look at or let's look at orders

22:18

of magnitude

22:20

yes both stand uh both standards can

22:22

operate to any organization i deal a lot

22:25

though with startups 27 0001 you can

22:28

implement pretty well for a startup sort

22:30

2 would be a little bit more complex

22:33

so

22:35

if i look at what does sock 2 do

22:38

sock 2 is driven from an accounting

22:41

uh practice right so it's an account in

22:44

structural framework really and it

22:47

actually sits within a broad or a audit

22:50

uh accounting audit

22:52

process

22:54

when it comes to sock there are two

22:56

types

22:57

there's a sock one audit

22:59

and a sock two audit

23:01

and we'll cover this again don't worry

23:02

but it's just conceptually so the

23:04

client's saying to you i want to stop

23:05

toward it what does that mean

23:07

so you've got an accounting standard

23:08

with an accounting audit that goes at

23:10

the back of it that can do one of two

23:11

things a sock one or a stock two to

23:13

start with

23:14

a stock one

23:16

audit typically is of an organization

23:18

that does something that can materially

23:21

or fundamentally impact

23:23

the financial reporting of that

23:25

organization fundamentally it's going to

23:27

impact on the accounting reporting of

23:30

that organization

23:32

soc2

23:34

is usually applied to businesses as a

23:36

general

23:37

control set it's just a general set of

23:39

controls

23:42

you then have within socked two types of

23:45

audit

23:46

27001 is a point in time audit

23:50

so when we do our order it just looks at

23:52

basically the information that it can

23:54

see at the time

23:55

a sock

23:56

one two

23:58

but type one audit is a point in time

24:00

audit so you get a point in time audit

24:02

you're good to go

24:04

a sock to audit is a continual audit

24:08

for a defined period of time

24:12

typically your client is going to take

24:13

12 months so what that means is when

24:16

they audit it they can say right show me

24:18

evidence that it works in january in

24:20

february in march in april give me a

24:21

sample from november right the rigor

24:24

that's associated with it just

24:25

absolutely goes goes through the roof

24:28

so

24:29

differences between different audits

24:31

point in time audit point your time

24:32

audit and or a continuing order

24:35

27001 is a structured framework

24:38

right it's got 114 controls in it

24:40

dropping to 90 whatever dependent when

24:42

it goes when it comes out in its next

24:43

iteration

24:45

and

24:46

sock is not a defined framework

24:50

allegedly

24:51

so what the sock

24:53

requires you to do is for you to define

24:55

your controls

24:57

and then they will audit you against the

24:58

controls that you've defined

25:01

typically

25:03

it's not quite actually the real world

25:05

right because what happens is when you

25:06

engage with these uh third-party audit

25:08

companies they've got their own portals

25:11

and tools and they ask you for

25:12

documentation and it's all the standard

25:13

stuff right so there is some work to do

25:16

to like define controls but ultimately

25:18

what they're looking at

25:20

is the stuff that we look at day in day

25:22

out

25:23

but if i look at it conceptually to the

25:24

client and client i'm saying look you've

25:26

got stock two over here it doesn't have

25:28

a set of controls with it you've got

25:30

twenty seven thousand one over here it

25:31

does so let's implement twenty seven

25:33

thousand one eighty percent of what

25:35

we're going to need is going to be

25:36

delivered by twenty seven thousand and

25:38

one and then we'll bolt on the extra

25:40

that we need and the extra little bit of

25:41

rigor if and when you want to do sop2

25:44

no issue

25:47

okay

25:50

so that's the difference between those

25:51

two

25:52

pci dss that fits in follows the various

25:54

signal stretches about 344 controls

25:56

depending on which

25:58

level of business you are you do

25:59

self-assessment or you do your report on

26:00

compliance

26:02

we can go through all of that but

26:03

fundamentally pci dss is a control set

26:06

and depending on what kind of business

26:07

you are is what business uh which of

26:09

those controls apply is rule-based yes

26:11

or no pass or fail um and again that

26:14

applies to anything that stores

26:16

processes or transmits data

26:19

sorry cardholder data yeah

26:21

and so again the level of rigor that

26:23

goes with that can be quite high start

26:25

with 27 0001 build on what you want as

26:27

you go through it

26:29

if we look at costs

26:31

client says i want twenty seven thousand

26:32

one

26:34

twenty seven thousand one to certify

26:37

to get the certificate

26:39

is going to range anywhere

26:42

between maybe

26:44

four

26:45

to maybe 12 grand maybe

26:47

again it depends on the size of the

26:49

business right

26:51

so what will happen is when you go for

26:52

your 27 0001

26:55

certification

26:56

they follow a structured format

26:59

and it spits out a number of audit days

27:01

at the end of it

27:02

small organization like me it was three

27:04

days i've got a small organization that

27:06

are based out of brazil that i'm taking

27:08

through at the moment one is aries

27:10

they're six people software development

27:13

no on-prem

27:15

all in the cloud three-day audit yeah

27:18

tomorrow i start a stage one audit for a

27:21

large uk charity it's a three-day stage

27:24

one and a 12-day stage two

27:26

massive right

27:28

so there is variation in it

27:30

but you can get a feel for it that it's

27:32

not really

27:34

technically it's not not that expensive

27:37

so you know a couple of couple of people

27:38

in a room if you were to go for it

27:40

you're probably going to be looking

27:41

around about three and a half four grand

27:42

something like that

27:45

if i go into the world of sock

27:48

depending on what i'm doing my sock one

27:51

order it can start at 18 grand just to

27:53

take the test

27:55

right

27:56

and that's for a type one

27:58

so again i'm like client right you want

28:00

to go for stock two it's complicated

28:02

there's no controls we're gonna have to

28:03

define them all and it's gonna cost you

28:06

probably three times as much as the

28:07

twenty seven thousand and one

28:09

should we walk before we run run

28:11

right let's go down this row and then

28:13

and then we'll get to the sock

28:16

okay to do a type 2 order bit

28:19

you can be in tens of thousands of

28:21

pounds

28:23

so i've got a uk-based financial company

28:25

that's forced to do a top 2 type 2 at

28:27

the moment and for them just to take the

28:29

test it's 42 000 pounds a year just to

28:32

take the test

28:33

and they pay me less than that to do the

28:35

work

28:37

but that's fine

28:39

so you you know your your type 2 audits

28:42

arranging you know probably late 20s

28:45

early 30s all the way up to

28:47

40s mid you know mid 40s now there are

28:50

influences and factors on that and again

28:52

we can discuss those i can guide you

28:54

through it but i'm just giving you

28:55

orders of magnitude okay when you're

28:58

getting a pci dss clearly they'll charge

29:00

what they want right 10 again 30 40

29:02

ranges to take just to take place

29:07

so for me my framework is 27001 build

29:09

upon and build upon top of that

29:13

let's look at how the

29:14

27001

29:16

process

29:18

works

29:19

okay

29:21

so what we're going to need to do is

29:22

we're going to need to

29:24

be

29:25

getting our client an accredited

29:27

certification many people people out

29:29

there that do certifications what you're

29:31

looking for is an accredited body

29:34

certification

29:35

i'm not going to call out the ones that

29:36

pretend that they are on or not but

29:38

you've got to do your due diligence and

29:40

find out

29:41

who are the ones that can

29:43

so if you look at it from the uk

29:45

to get an accredited certification

29:47

you're looking at

29:49

british standards institute you've got

29:51

sgs

29:52

um bsi

29:55

sgs cfa center for assessment

29:58

uh bad british assessment bureau

30:00

um

30:01

the one that i use a lot and i can make

30:04

you an introduction to is approachable

30:06

right so the approachable guys

30:09

um are absolutely spot on but i i use

30:12

approachable

30:13

you can google it there are other ones

30:15

out lrqa etc but they tend to be they

30:18

tend to be the big ones

30:21

if you were going to engage with client

30:23

i always recommend to client even though

30:25

i know they're going to go with

30:26

approachable is get three quotes yeah

30:28

make make them do the work so you go

30:30

there's got the bsi probably got a cfa

30:33

and then go approachable and get three

30:34

quotes back i can show you

30:37

at some point the level of difference

30:39

that comes back is it's not that

30:40

standard either right

30:42

so they're going to send back their fees

30:44

and there's some confusion with you that

30:45

you've got to work through that once

30:47

you've seen a few of them you know what

30:49

to look for like

30:50

you can see what they're missing right

30:52

and you know what's going to hit your

30:53

client further down the line because it

30:55

isn't straightforward as this is the

30:56

price

30:57

the way they cut it it can be confusing

31:00

so we're going to go we're going to go

31:02

to the certification body um

31:04

and we're gonna make sure that they're

31:05

accredited the accreditation body in the

31:07

uk is ucas so it's a ucas accredited

31:11

certification body

31:14

and you can look on the

31:16

ucas website and it will tell you which

31:18

ones are underneath that

31:20

some of the some of those bodies can

31:22

issue certificates elsewhere so i use

31:25

approachable they're doing my buenos

31:27

air's client they do my america's client

31:29

and they do their australia client okay

31:32

so at the end of the day as long as it's

31:33

an accredited certificate

31:35

it kind of doesn't matter

31:38

to help your client if you end up with

31:40

an international client by using the uk

31:42

as a rule and especially using

31:44

approachable it will be cheaper

31:46

okay

31:47

so american auditors for twenty seven

31:49

thousand and one can be up to three

31:51

times the price of the uk like their day

31:54

rates are huge they over egg it it's

31:56

just like it yeah it's crazy it's crazy

31:59

so i would always take a client get

32:01

three quotes definitely

32:03

um

32:04

and even if i was going to say if i was

32:05

in america i'd say get to america in one

32:07

one uk and then let's just compare it so

32:10

that they can see it we're not telling

32:12

them we're not in bed with anybody i

32:13

just know what the answer is but i'm

32:14

going to help you

32:16

to come up with that answer yeah

32:19

so i get my i get my credit

32:20

certification buddy they then send out a

32:23

letter to your client

32:24

that says right these are how many staff

32:26

have you got how many offices have you

32:28

got et cetera

32:30

that is the thing that dictates the

32:31

number of days so they're trying to

32:33

scope it so if you have physical offices

32:36

in scope then they will physically visit

32:38

those offices it's going to cost you

32:39

money right

32:41

the more staff you've got again i think

32:43

because these guys have got 200 it's

32:45

like 11 days

32:46

and i'm even me i'm going but it doesn't

32:48

make sense because the process is the

32:50

process right is it relevant of how many

32:52

people

32:53

like we're just going to be sat

32:54

twiddling our phones for 10 days anyway

32:56

that's not the story

32:58

so then they're going to quote it and

32:59

then they're going to come back on you

33:02

things to look out for in quotes

33:04

right there's going to be a

33:07

stage 1 and a stage 2 audit

33:11

that makes up the certification process

33:14

the stage one audit is the one that's

33:18

one or two days it's the smaller of the

33:21

two audits

33:23

the stage one audit looks at do you have

33:25

documentation in place

33:27

primarily

33:29

is the information security management

33:31

system evidenced as being implemented

33:33

operating effectively and does it look

33:36

like you've done some documentation on

33:38

your annex a controls but it's

33:40

predominantly looking at the information

33:42

security management system

33:44

the stage two audit

33:47

is

33:48

pretty much fundamentally a walkthrough

33:50

of the annex a controls with a show me

33:56

the auditor

33:58

can only ever audit

34:00

what we tell them

34:02

right

34:03

so when we're going to go through our

34:04

process over the coming weeks and we say

34:06

about documenting procedures

34:09

we always tell client document what you

34:12

do

34:13

not what you think i want to hear

34:16

right

34:16

document the reality of your world right

34:19

now because what the audit is going to

34:21

do is go show me that piece of paper and

34:22

then they're going to read it and go it

34:24

says here that you get to work at nine

34:27

o'clock and then you go

34:28

yeah i normally get in at 10. you go

34:31

right well you failed

34:33

like why why did you write down you're

34:35

getting at nine when you don't you know

34:36

you don't come in until ten why didn't

34:38

you put that you come in at ten

34:40

so that's what they're gonna do in stage

34:41

two they're gonna go through line by

34:43

line what it is that you say you do so

34:45

that you can evidence and prove

34:47

so they're going to quote you for your

34:49

certificate on your stage one and your

34:51

stage two

34:53

when we do our certificate it goes on

34:55

this three year cycle

34:58

so we have an annual cost now with the

35:01

certification body to do a continuing an

35:04

assessment audit

35:06

a cav

35:08

or a continuing audit

35:11

what that means is that every year

35:13

they're going to come back and do a

35:14

subset of those controls

35:18

for a small organization

35:20

typically a day a day and a half two

35:22

days you know if i had a six day audit

35:25

i'd probably expect my calf to be around

35:26

about two days

35:28

in reality and they're going to choose

35:31

the controls that they order based on

35:33

risk that's what they're going to tell

35:34

you but they haven't they've got a

35:35

standard template and it'll be whatever

35:37

it is that they're going to award it in

35:38

that year

35:39

so they'll just do they'll just do a

35:40

kicking of the tires and making sure

35:42

that things are running but they're

35:43

going to charge you for it right

35:45

so the fees that you're looking out for

35:46

are what are my continuing audit fees

35:50

some certification bodies won't tell you

35:52

that when you sign up to take the

35:54

certificate they'll say oh we'll let you

35:57

know when you've got your certificate

35:58

but not you right because then they've

36:00

got you over about you're in then so you

36:02

want to know transparency is what is my

36:04

annual ongoing audit fee

36:07

so once you know that you've got a good

36:09

grasp then pretty much of where you're

36:11

going to be landing for your client some

36:13

of them will include that some of them

36:15

will exclude that

36:17

some of them will add services that you

36:18

don't need the bsi horrendous for it oh

36:21

we're going to give you access to this

36:22

portal and this system and we're going

36:24

to do this management and we're going to

36:26

charge you a 10 project fee and we're

36:28

going and you're like whoa

36:29

by the time you you know every time

36:32

you've gone through it again you're in

36:33

that 15 grand mark for what i can get

36:36

through approachable for probably six

36:38

seven eight i mean it's layering on

36:41

what you need though you need the stage

36:43

one stage two certification audit

36:45

and you need the cav

36:47

and then you're asking them and you're

36:48

looking out for hidden fees

36:51

when we engage with a third party to do

36:52

the 27001 order it can take up to 12

36:55

weeks

36:56

but really you're just at the mercy of

36:58

their availability

37:00

so they've got auditors

37:02

their availability is going to dictate

37:04

it

37:05

if like me you can end up in a good

37:07

relationship with the certification body

37:09

of your choice then you're going to be

37:11

in a position then where eventually that

37:13

things will be a little bit easier so

37:15

you get if you get cancellation can i go

37:16

to the top of the list you know work

37:18

well with these people then they'll work

37:20

well back with you it isn't about like

37:23

getting any special favors but it's just

37:25

about smoothing the wheels a little bit

37:27

so sometimes you can fast track your

37:28

client a little bit through if you're a

37:29

bit more flexible uh flexible with it

37:32

but if set the expectation client is

37:34

always like how long is it going to get

37:35

how long is it going to take me

37:37

i'm going to say again it's going to

37:39

depend on the certification body

37:41

then it's going to depend on your

37:43

ability to implement an evidence the

37:44

annex a controls

37:46

let's say three months let's set three

37:49

months is a realistic timeline to do

37:50

that

37:52

his client then comes back and says can

37:53

we do it in 10 days can we do it a month

37:55

ago yes we can

37:57

but once we start to look at what is

38:00

involved in it it's dependent on them to

38:02

write all these procedures down and

38:04

evidence that they're doing what they're

38:05

doing so i can do my bit no problem but

38:07

you've got to be able to keep up with me

38:10

so we've got that certification process

38:12

the certificate won't again it depends

38:14

on how lazy they are you know you might

38:16

not get the certificate back for maybe

38:17

four or six weeks after you've taken the

38:20

last audit

38:21

so again clients expectation in january

38:23

i'm going to have a bit of paper by the

38:25

end of january not going to happen even

38:27

if it's march before we do the

38:28

certificate to do this two stages of

38:30

order could be april before you even get

38:32

the piece of paper

38:35

so that's worth knowing

38:38

what i do with a client is

38:40

say normally if you have a conversation

38:42

so client says we need it go back to the

38:44

person that's requesting it and say if i

38:47

get an engagement letter from the

38:48

certification body

38:50

that shows that i've paid my

38:52

upfront bill

38:54

and i show you my commitment dates

38:57

and i

38:58

explain to you that i brought in high

39:00

table or whoever

39:02

and show you i'm on the journey will

39:03

that be enough

39:05

and

39:06

nine times out of ten it will right most

39:09

if a customer is engaging with your

39:10

client normally it's because they want

39:12

their services so if they can show that

39:15

they're going in the right direction

39:16

they can show they've got the dates

39:18

they've got a letter-headed letter from

39:19

the certification body everything's

39:21

booked in they can see yep you spent

39:23

money on consultants we can see you

39:25

doing the right thing then they might

39:27

let it slide and say okay we can wait

39:28

till april for a bit of paper because we

39:30

can see that you're on that journey yeah

39:33

so again that's

39:35

just

39:36

based on experience really

39:38

you can feed back to people uh

39:41

and let them know

39:43

yeah i mean i've done like i do a lot of

39:46

work with the hsc here which is the

39:48

equivalent of the nhs

39:51

part of my job is is

39:53

reviewing it security questionnaires

39:56

yeah we always get you know yeah we are

39:58

on the road to iso certification

40:01

it's like okay show me

40:03

yeah because i can have fun oh i've got

40:06

long blonde uh

40:07

yeah yeah ferrari but

40:10

no you do you do you do the right thing

40:12

and again we can

40:13

stuff that you already know but again

40:15

it's worth chewing the

40:16

like indicators at this at this point

40:18

i'm looking at it as being an advocate

40:20

of my client i can flip it to the other

40:22

side because again i externally audit

40:24

people and then you can go these are the

40:25

key red flags and then as we go through

40:28

the process you can see

40:29

how to counter the key red flags to be

40:32

the advocate of your customer

40:35

it is you know it is what it is right

40:36

that's how it depends what it depends

40:38

where you want to fit

40:40

so in terms of today i want to overload

40:42

with knowledge right so what we've gone

40:44

through we've gone through this is again

40:45

just some base principles this is how a

40:48

governance risk and compliance framework

40:50

looks like some of the reasoning about

40:53

why we need the management buy-in the

40:55

structure that would sit under it and

40:56

then that role of continual improvement

40:59

we've touched on the types of different

41:01

standards that are out there and the

41:03

different approaches that they take

41:05

point in time audit continual audit risk

41:07

based audit versus rule-based

41:09

audit and we've touched on the process

41:12

and the engagement of how we will

41:13

deliver 27001 certification for client

41:16

and from the certification point of view

41:19

we had a look at the difference between

41:21

uk and non-uk costs

41:24

um and timelines

41:26

three quotes as an approach and now

41:29

you've got the if you haven't spoke to

41:30

them before approachable or my go-to

41:33

and you've got that as well in terms of

41:35

some practical things that you could do

41:37

if you ever got to the point where you

41:38

were going to certify

41:42

out of everything we've covered today is

41:44

there anything else is there anything

41:45

that's come up as question or no it all

41:48

makes sense you know the government's

41:50

framework it makes sense

41:52

um

41:54

it's really handy to know in term the

41:56

timeline stuff is really handy to know

41:58

the costs stuff is really handy to know

42:01

um

42:03

you know i haven't come across

42:04

approachable but you know

42:07

i've come across

42:08

bsi in terms of them

42:11

some of their quotations for data

42:12

protection stuff here

42:18

it's over the top right yeah it's over

42:20

the top so what yeah i mean it's up at

42:22

the top and to be fair when you're

42:23

getting a sock too i have i have some

42:25

conversation with the sort of audio it's

42:27

supply and demand and i'm like what is

42:29

it that you're going to do they come to

42:30

me

42:31

right so my client every year 10 days of

42:33

order 10 days of audit that's i've audit

42:36

audit and then it's pre-audit that

42:37

happens before that and i'm like okay so

42:39

what you're going to do can you upload

42:40

all this document into a portal i'm like

42:43

okay but what are you gonna do like i

42:45

know what you're gonna do why are you

42:46

charging my client 40 000 pounds

42:49

right for what is that best five days

42:51

worth at best yeah

42:53

and the answer is because we can and you

42:55

go well that's fine too

42:57

so if you look at the stretcher i mean

42:58

we're going off on a little bit of a

42:59

deviate deviation i think i've probably

43:01

spent a little bit of time with it on

43:02

your neck on the next chord really which

43:05

is what is your role right so what is

43:07

what are the roles that are at play

43:10

in fact let's pick that up next time

43:12

what are the roles that are at play in

43:14

terms of an engagement and an audit

43:17

and then what is everybody's perspective

43:19

and then what is the reality of what is

43:21

going on and then how do you manage that

43:22

so let's have a look at we'll have a

43:23

look at that next time i'll give you

43:25

because you know anyway but it'll give

43:26

you some insights into that

43:29

super

Browse More Related Video

How to implement ISO 27001 Walkthrough - Part 1

Alignment of Security Function MindMap (1 of 3) | CISSP Domain 1

[BO] Khóa đào tạo An ninh thông tin ISMS

GRC Certification Roadmap v1.0: Recommended Training and Certs #cybersecurity #grc

Gap Analysis - CompTIA Security+ SY0-701 - 1.2

Implementing a Risk Management Framework

Rate This

★

★

★

★

★

5.0 / 5 (0 votes)

Related Tags

GovernanceRisk ManagementComplianceISO 27001Management ReviewPoliciesProceduresAuditingCertificationContinuous Improvement