S3 E30: ISO as a Catalyst, Not a Checkbox
Transcript
Voiceover (00:00)
Welcome to Compliance Pointers, where we take an in-depth look into the latest news, trends, and challenges surrounding information security, privacy, and marketing compliance. Let’s dive in with your host, Jordan Eisner.
Jordan Eisner (00:15)
Welcome to another episode of Compliance Pointers. I’m Jordan Eisner, VP of Growth at Compliance Point, and today I’m joined in person.
David Forman (00:23)
In person, that’s a big deal.
Jordan Eisner (00:25)
By David Forman, it is a big deal and we’re hoping it’s a big deal to them watching and listening to this.
David Forman (00:31)
Watching the live feed right now, viewer, viewership, is like just going through the- Oh wow, new record. Keep going.
Jordan Eisner (00:35)
That’s right, look at those likes.
For those of you that have watched or listened to podcasts in the past, you know who David Forman is. And those of you who haven’t, you might know who David Forman is, right? You’re making yourself known out there. David’s the CEO of Mastermind Certification Body, accredited to assess and certify governance programs against standards by the International Organization for Standardization, ISO.
They’re the first company in the US to focus exclusively on ISO certifications and that is one of most trusted forms of third-party assurance used by technology service providers.
David Forman (01:17)
You should sell ISO certs. You’re pretty good.
Jordan Eisner (01:19)
In a way I do. That includes 27001, ISO 9000, well, not Mastermind but your experience. 9000, but with Mastermind, 27001, 27701, 42001. Of course. Anything I left out?
David Forman (01:37)
Those are the management system standards. So we do extensions as well. So 27017, 27018, then CSA STAR level two certification as well.
Jordan Eisner (01:45)
That’s right. And you’ve been in business for a little over a year now.
16 months. And David, you just got back from, what, two, three weeks? You were in Japan, you were in London for a little while, you were...
David Forman (01:59)
Morocco. Yeah, how much more do you follow me? There’s one more country. Germany as well. I do enjoy travel, but I also enjoy being at home and I’m happy I’m back home in Atlanta right now.
Jordan Eisner (02:02)
I’ve got you
David Forman (02:13)
It is grueling, especially the time differences. I think that’s the hardest part.
Jordan Eisner (02:17)
That’s because being a founder, you’re out of an emerging provider, although you could argue that you’re the leading ISO 42001, I would say we’re a $40,000 price. But the life you lived, I was just talking to you about it. You were still working. 5 a.m., 10 a.m., wherever you were, local time, you were working, afternoons you were sightseeing and eating the good food, and you said you don’t sleep.
David Forman (02:25)
Enterprise at this point.
Yeah, I struggle with lack of sleep to be honest, but more importantly, I think the Asia part of the travel was more difficult because of the more opposite time zones from the US market. But yeah, there’s a lot of five to like 10 a.m. type co-working spaces in Tokyo, Osaka. But still, we had a really good time earlier and ate amazing food. If you’re a fan of sushi, I’m a fan of you.
Jordan Eisner (03:02)
So we’ve done podcasts in this room before, this is the Compliance Point offices, but this is the first one we’re doing on camera inside this room, so hopefully.
David Forman (03:12)
I think we should request Jordan to do this more often. This is nicer than his home office.
Jordan Eisner (03:17)
Right. So reason to keep doing it. And we’ve invited David in for two podcasts today. The one we’re going to be speaking about is what we’ve titled ISO as a catalyst, not a checkbox. And so that’s what we’re going to get into in this first episode. So it’s really about ISO being viewed as a launching point for improving security, ops, trust, and not just a compliance checkbox. So many times when, at least in my experience, somebody’s pursuing ISO, it’s because they have to, somebody’s requiring them to do so, and that’s probably gonna continue to be the case for a long time.
David Forman (03:54)
When it’s sales like you. Right. They’re pushing the company.
Jordan Eisner (03:58)
Hey, we need this cert to get this business, right? Pay to play type thing. But the more I’ve learned about ISO, and I know you’re very passionate about it, obviously with your business, understatement, it really is an incredible framework. And you’re going to speak to that. For security, it allows you to bring your own controls and there’s some real management as part of the process. That’s what we’re going to get into. So let’s start there.
Why, you know, when we say ISO can be viewed as a catalyst versus just a checkbox for a security program or for a privacy program or for an AI governance program.
David Forman (04:35)
Yeah, I think let’s break down the title a little bit more too. Like you think about catalyst. Really what I was kind of seeking out here with this episode too is talking about you don’t have to certify necessarily to an ISO standard in order for you to benefit from an ISO standard. If you’re unfamiliar with ISO standards, there’s way more than just ISO 27001, the one that we’re talking about, there’s over 25,000 now. And they cover every part of our life, including this coffee that was not meant to be kind of a prop in this episode, but here it is. But like when we think about like, you know, how to roast coffee, you think about a cocoa bean and like when it’s considered right for harvesting, all that is based on some sort of calibration or standardization somewhere and that’s found in an ISO standard. And why I think it has such great adoption and enforcement in some cases across the world too, is ISO has always been set up as kind of this neutral body for standards and it creates this kind of alignment worldwide regardless of geography, nationality, country pride, anything like that. It’s just like viewed as like kind of a trade mechanism. Well, it’s a Switzerland. It is not Switzerland. It’s a neutral country in the world, right? Originally in the UK though, so we’ve got to be careful. Going back to your original question too, you build a program based on 27001, for example. It’s called an information security management system.
When you build 9000, which you mentioned earlier, quality management system, ISO 42001 is an artificial intelligence management system. We have to get down to what is a management system. And that’s a fancy term for a governance program. It’s basically some way we manage, I’ll say the risk, we manage the uncertainty, we manage the evolution, the emerging parts of our business, et cetera. All of that plays into how you would build such a management system based on this kind of risk taxonomy that might be information security, might be AI, might be quality. It could be a bunch of other different taxonomies as well. So getting back to kind of the root of your question here, and I’ve explained the title of the episode. When I think about kind of like how it can be a catalyst for business, I use kind of my, I’ll say response here on how I built Mastermind too. Like we built it thinking about like how can it be set up for basically a stable foundation, that’s the start, but then continuously improving as well as it grows and it has more interested parties or even just more business revenue and business volume.
And I have a couple of examples that are in my head, maybe we’ll talk about a little bit later too, of some of our end customers that have actually built management systems kind of in a similar business focus versus thinking about just like how do I secure our cybersecurity? All in all, basically what I’d want to like, I’ll say, evangelize the most here is these standards are meant to fit every type of organization, from Mastermind on day one as a startup to whether you’re an enterprise and you’re an Amazon Web Services or Google Cloud that is implementing ISO 27001. Basically the standard is really one size fits all. It’s just how do you interpret the requirements based on your risk landscape. That’s what I like about the flexibility.
Jordan Eisner (07:40)
To your organization and what’s the risk treatment around it, does that qualify?
David Forman (07:46)
Totally. And if I was to give a contrast real quick to other popular schemes out there that we all work with and encounter on a daily basis, especially in the U.S.: PCI DSS, HITRUST with its CSF, FedRAMP, CMMC, a lot of buzz around those items lately and during the current administration as well. All those are basically frameworks that have controls addressing risk. When you look at a management system standard like these ISO standards, they are governance-first: based on your scope, a risk assessment based on your threats and vulnerabilities unique to your business, your business sector, your current customers, your current objectives as well. And then you implement those controls. Because of those kind of first two steps I just articulated as part of the governance program, your controls will look very different from organization to organization. Even if you’re 50 people and you look at the next 50 person company, no two are the same. So from a career perspective, I really like ISO standards because every one of my clients looks a little bit different. From, I’ll say, an implementation perspective, if you’re a company implementing an ISO standard, it’s gonna be very much tailor-made.
Jordan Eisner (08:55)
Yeah. What about, you just got the wheels turning a little bit. All those ones you mentioned, totally agree. Prescriptive controls, already built in, recommended for how to implement them. What about SOC 2? Would that maybe be the most similar here? I know this is about ISO, but in terms of… And how you’re applying it. Now there’s controls that you’re gonna…
David Forman (09:11)
Like more risk-based though, to your point. Criteria, exactly, what you build controls for.
Jordan Eisner (09:20)
From, and ISO has that a little bit too with some recommended controls.
David Forman (09:24)
I would say we can create some parallels there. So in SOC 2, there are the trust services criteria. So security, availability, confidentiality, processing integrity, and privacy criteria. So you can kind of build these into what your SOC 2 examination can speak to. Security TSC, trust services criteria, is always required in order for you to go through a SOC 2 type 1 or SOC 2 type 2. With that being said, yes. SOC 2, you look at that criteria and then based on your organization, you’ll build controls around that criteria. It’s similar to thinking in terms of a risk-based approach, whereas with ISO, you have control descriptions or, depending on the standard, it could be a control objective, and you build basically or implement those controls to meet those objectives or descriptions. Now, I’ll say the difference here.
While SOC 2 has criteria and you build controls, that criteria is typically a little bit more rigid, a little bit more prescriptive than what you’re going to find in ISO. So if I use ISO 27001 as an example on one of its 93 Annex A controls.
Both ISO 27001 and SOC 2 have a control around secure authentication or passwords, okay? If you go look at SOC 2 and its criteria, it’s going to prescribe certain strength of passwords. That might be character length limits, that might be rotation requirements. Can’t use any of the passwords you used in the last three tries of that user credential or that kind of thing. Whereas with ISO, it just says strong quality password. You decide what is strong, what is quality, and it’s meant to be more, I’ll say, purpose-built based on what is the system or environment it’s trying to protect. Maybe a password for an R&D type environment that has no production data, no customer information, no PII of any sort in there, maybe that has less strength of a password credential required on it than one that is covering customer prod. And that’s how you’re designed to think about these controls. Unique based on environment, based on risk when you are applying ISO.
Jordan Eisner (11:24)
And that, I think that speaks back to the title too, and I know you talked about the term catalyst, not checkbox, but ISO is an opportunity if it is something that you need to go through for certification for some third party or a client to demonstrate good data stewardship, you still have the opportunity to design those controls based on your business, how impactful you want it to be.
You know, how you want to manage it moving forward and how it wants to grow, right? You don’t have to operate on the exact same playbook as every single other company and that could be advantageous.
David Forman (12:00)
I like to always kind of like tell people when they are trying to basically uncover the bare minimum. I’m not saying you’re trying to do that, but sometimes it leads to that type of conversation. Technically speaking, you could have a four-character password protect a system, and depending on your perspective, POV, on ISO 27001, that could be conforming. That could meet that control. Yes, there. Now, taking a step back, like, you know, what is, you know, minimum benchmark practice? Now you’re talking about best practice at all. Like, yeah, you need better than a four character password. It’s essentially a PIN. Okay. And there’s only so many permutations of the four numbers or four letters that could exist and you can easily crack that password. That being said, I will say there is definitely kind of two sides to the market here. You have the market where it’s like I have my salesperson, every time I think about sales I just point to you. VP growth, not sales. Different. Every time I think about like a customer going in first time through ISO 27001, since we’re on that topic. Typically, it’s coming from kind of a buy side thought process where it’s like, we want to make it easier to purchase from us.
Our sales team might be saying like, hey, we have a prospect ready to sign on the dotted line. It’s worth six figures in annual value to us in terms of revenue. We just have to have this one thing. How do we go get this one thing? And because of that urgency and that $100,000 project sitting out there in the ether, they say, what do I have to do bare minimum to get that thing so we can move forward? Okay. If you approach it more proactively where you’re not in that type of time bound urgency situation, you can do way more things with the standard. And, you know, from my perspective as an auditor, certification body, we want to see customers really adopt the standard. That doesn’t mean go get certified. That means actually implement it how it was meant to be implemented. That means not just a super narrow scope. That means applying it to the organization and applying it to the organization based on its current practices. So one of the examples I like to use.
Jordan Eisner (14:08)
I was about to say before we go into that, because that’s a good segue to the next question, I think you were almost about to answer before I even asked. What are some examples, right, of organizations where you’ve seen their security, their privacy posture improve because of implementation of ISO standards? I would say conceptually, but then also I think you were about to talk about real world examples.
David Forman (14:30)
Yeah, and I can touch on a few of these. They are public information and some of them are actually even open source. One of the examples I like, I actually talked about them on LinkedIn earlier this week and depending on when this gets released, so maybe earlier this month. A company called Dedupely. Dedupely is a CRM tool, if you want to think of it that way. And as it sounds like, they de-duplify or de-duplicate, whatever the right word is.
But any sort of like Salesforce or HubSpot type entry, at an account level or contact level or opportunity level when you might be merging databases. You can’t be in this industry and not know sales and Salesforce or any sort of CRM, but it helps you basically keep integrity of your data, keep it clean, good hygiene. And if you have a sales team, I know you don’t have a sales team, you have a growth team, but for your growth team, if they are having async access into a CRM.
They need to de-duplicate like whatever parts of an account, or an account merges with another account, that kind of thing. It allows for you to do that more efficiently with like fuzzy matches. And then you can see it all in one pane. Very company, but there are less than 15 people, or fewer than 15 people. Adopted ISO 27001 and actually 27017 and 27018 as well. So cloud security and cloud privacy extensions. As of last year, 2024, they were an early customer of Mastermind as well.
And they basically used ISO 27001, specifically around like their management review process that’s prescribed in 27001 clause 9.3, to basically build out like what is top management gonna review when we periodically meet? So almost like a version of a steering committee. And I think it’s really interesting when companies do that very early because they didn’t have a meeting mechanism like this previously. They started looking at 27001, they were seeing it come out as nice to have.
Initially it was sales driven. It was nice to have, so there was nothing that was like saying hey, sign on the dotted line once you have this. But it was a little bit more proactive because they were hearing noise about it in the space through some of their deals. They went ahead and started implementing and said, all right, we do a lot of this control stuff already. We built a secure platform. But from a governance standpoint, they had not done much of it yet. To be frank, they were probably a little bit early to be doing any of that governance stuff because of the size of the company at that point, but they used it as an opportunity, especially on that management review, to start having periodic steering committee meetings where top management, like the CTO and CEO, like original founders, were meeting with the rest of the org and they had a specific agenda that was based on the management review inputs found in 27001. It served kind of as a guideline for how they were gonna run those steering committees on a go-forward basis. So now, year two comes around. This was earlier this summer here in 2025. Came back in, doing the surveillance audit now for Dedupely, and I’m seeing kind of the evolution of how the steering committee has worked now over a full 12-month term at this point. And every quarter, like these topics have now expanded from what was the original, say, five or seven inputs required by the standard, have now all blown up into each individual like section of the slide deck where everyone’s reporting out KPIs based on how the business is doing.
And so, not every company is going to get the opportunity to like literally charter their steering committee of top management using 27001 at the time 27001 is needed. It shows how 27001 can like morph into these regular business functions, whether it be just a KPI review, it be a meeting of the minds at top management, like executive level, or it’s possibly used as an intake mechanism for when they say, hey, we have this business opportunity, maybe expand the product catalog, like how does security play into that?
Jordan Eisner (18:21)
ISO 27001, you talked about earlier, that certification of an information security management system, ISMS. To me, what I just heard there is they’re really focusing on the mechanism of the management system and how it allows them to manage for information security. So maybe you can’t speak to this. It’s confidential. But so what I just gathered from that is they use it for that, but then they started to use that mechanism for other KPIs and things. See, they like the structure and the model and the consistency.
David Forman (18:50)
I mean, not to make fun of you, they use it for growth. They do. I mean, it’s for business enablement. It’s understanding like, we have an opportunity to, you know, service a new CRM platform. It’s not Salesforce or HubSpot, for example. And like, you know, does that make sense for us as well? So they’re viewing it not just in a security lens, it’s blown into like just total business growth and how we think about the vision for the company as well. That’s great. Yeah, that’s great. I’ll give a second example too here briefly.
Another public client of Mastermind as well, and they’re a really cool company, is called Sourcegraph. Sourcegraph is very unique in the fact that they open source all of their security documentation. So it’s all hosted on a Notion page, Notion dashboard. And you can, I don’t have the hyperlink off the top of my mind right now, I’ll put it in the comments of this, but you can go review all of Sourcegraph’s policies. They are all online for anybody with a hyperlink to go access. It’s a different kind of level of transparency, if you want to think of it that way. So, you know, we have trust centers out there and you can go review our security documentation and compliance. Love the trust centers. Yeah. Why are we hiding it? Thank you.
If you want to dig a little bit deeper than a traditional trust center, like let’s actually go read that incident response policy. Let’s see like what mechanisms they put in place and how they respond, should there be a breach of their end customer data, if I’m to be a customer of them as well. I think that’s, I’ll say, extreme, but I don’t mean that in a negative connotation. I think it’s more of like, you just don’t see it yet in our industry. And I say yet because we’re talking about trust centers. I think there’s a growing economy of trust centers as a service.
There’s one side of the house that will say trust centers are just gonna become like this, you know, no fee feature on top of all these popular GRC platforms, and to an extent we’ve seen that. I think that’s trust centers 1.0. I think there’s a trust centers 2.0 emerging here in the next three to five years that will allow for a user like me and you doing due diligence on a service provider to double click into some of these areas. They say, hey, we have multi-factor authentication across all our systems. We’re like, okay, prove it. Click on it.
I can see they’re using Okta. Great. Click on Okta. I can see currently it is monitoring these assets within their infrastructure. Okay. And it is green light right now. And then I can also verify that red light, green light is not being manipulated by the company as well who’s hosting that trust center. Unfortunately, right now, I have yet to see a red light on a trust center ever. Meaning there’s probably some levels of stage gating prior to a red light hitting a trust center.
Jordan Eisner (21:35)
Okay, those are great examples. Not just for, I think, information security, but just the management system, right?
David Forman (21:44)
It’s transparency and frankly speaking, if you have a management system that is built into, I’ll say the fibers of the business, how it operates, then you have nothing to hide. I think we got to get away and it’s tough. I understand different pressures here. I think we have to get away from these companies constantly seeking out what we say is like clean or no findings audit reports.
It is okay to have exceptions, issues, non-conformities. That is healthy in a way. And I’ll tell you from an auditor perspective, it’s healthy when I see it in an audit report because it tells me that we actually had an auditor that was actually hunting for something and doing their job.
Jordan Eisner (22:28)
Yeah, I don’t remember the name of the movie, but I saw a movie a long time ago, and this is probably a terrible analogy, I think maybe it was called Cheaters or something like that, but it was these high schoolers. It’s probably a terrible movie. It’s probably been over 20 years. You’re on a roll here. It was basically a cheating scheme that they put together, and one of them got busted, and I remember him saying to the other one, you never get 100.
David Forman (22:48)
You never get a perfect score. That’s good. What’s the movie called, The Perfect Score? I remember like a movie about like SAT cheating or something.
Jordan Eisner (22:53)
What do you call it, Cheaters? I don’t know. It was back when the TV Guide was, you know, channel 20 and you had to sit and watch to see what everything was. You just had to watch. You don’t remember TV Guide?
David Forman (23:04)
I mean, it’s really true. Like, you know, it almost like doesn’t pass the eye test. You see these like clean audit reports time and time again. And I think I’ve had clients, you know, information, sorry to cut you off, but say, you know, they use a low budget auditor and they said, oh no, we had a clean report. I don’t know how, it’s what the report said.
It’s also very telling too when like a new GRC director comes in and takes over the program and they’re not familiar with the auditor and they start scrutinizing the external audit reports they’ve been getting year after year for that organization and they say, look, I’ve peeked under the hood for 30 minutes and I don’t understand how we keep getting passes on X, Y, and Z. So, a whole other topic around low budget firms and low budget quality and you get what you
Jordan Eisner (23:57)
Another day another podcast
David Forman (23:59)
Maybe. I hate that topic. But maybe.
Jordan Eisner (24:02)
Yeah, I hear you. Well, let’s switch gears here then as we get into, I’d say, the back half or the final few questions of this podcast, this episode. Where does 27701 stand? I like privacy. I like data privacy. We do a lot of data privacy work. That’s a question of mine. And it’s funny, you’re going to have thoughts on this. But I find in my conversations that it seems like the 27701 certification, privacy information management system, that the auditors and those helping even implement that system are not super familiar with the privacy law it was built for, right? So we have a whole privacy group and it’s always, well, why don’t they do 27701? It’s like, it’s more of an audit function. They’re not auditors, they’re more advisors, but I’m getting off topic. Where’s the updates?
Sure. Stand, and then maybe you can address that question too.
David Forman (25:00)
Yeah, happy to. And I’ll say your question around like competency essentially extends to AI and 42001 as well. Same issue. So to answer that, whenever you want, Jordan. With that being said, ISO 27001 versus ISO 27701, for people who may not be familiar, it’s one digit different, one’s an extra seven in there. For 27701, it is building a privacy information management system.
Currently, the revision is 2019, so it was published in August of 2019. ISO 27701 has a co-requisite requirement, almost a prereq, where it has to be supported by an underlying ISO 27001 information security management system. So basically, the adage of you can’t have privacy without security holds true currently. ISO 27701 is under major revision right now by JTC 1, which is the Joint Technical Committee that authors that standard.
And as of the first week of July, it went into kind of the final stage of publication for that new major revision. It goes to a seven week ballot now. So we should be expecting it, if it meets that timeline, sometime here in August. However, just looking at a few other standards that just got recently published, like 42006, they can break that seven weeks if they need to. So I would probably say more conservatively, it’s gonna come out next month in September. And when it comes out, we already have seen the, what’s called the final draft international standard, the FDIS. We know that it is decoupling that co-requisite relationship so you could have standalone ISO 27701 certification without the security component here in the future as well. To answer your question here a little bit on the competency question, if I should rephrase that a little bit, you’re saying people.
Jordan Eisner (26:50)
I guess it’s part of the theme again of this podcast, using it as a catalyst, using it to improve processes, not just a checkbox. I would challenge that on 27701, if the organizations helping you prepare for that and get audited against it are not well versed in data privacy, are you really building an effective data privacy management?
David Forman (27:10)
I’ll speak to it a little bit more objectively at first, and then I’ll give you a little bit more of an opinion here. So 27701, it has two annexes full of controls. Annex A is found for the PII controller, and that has 31 controls. Annex B is for the PII processor, and that has 18 controls. Current 2019 major revision, that’s currently in force right now. First thing I’ll say is all ISO certifications, and this is current 2019, can be scoped as narrowly or as broadly as the organization wants. Ultimately, as the certification body, the auditor, we audit to the scope that the organization dictates. And so when you run into a situation like this, and this is the same thing with the GDPR, every attorney everywhere always wants to limit liability. And so I will tell you, of the 27701 certifications I’ve been involved in, at my current company, prior company, very few adopt the PII controller, the 31 of the total 49 controls in the entire standard. Most of them say, we’re a processor. Most say we’re a processor, and even at that, we’re a limited processor. We don’t have any responsibility. It’s all our customers. That’s what they want their certification to say, and they can dictate that scope. We’re running into something similar for 42001, which I can articulate here in a future episode.
With 27701, don’t always point fingers back to the auditor for like lack of substance. The organization dictates the audit package to audit.
Now, from a competency standpoint, are conformity assessments and ISO certifications the same as compliance to law and regulation? The answer to that is no. So when 27701 first came out, it had a lot of fanfare. There were some authors on…
Jordan Eisner (29:01)
Came out the year after GDPR was
David Forman (29:04)
So GDPR went in force May 2018, August 2019, you have 27701. It’s starting to feel like, maybe this is what we call the certification mechanism for the EU GDPR. If you read Articles 42, 43, it talks about, hey, there is a way to certify to the GDPR.
Jordan Eisner (29:20)
You’re quoting one of the 99 GDPR articles?
David Forman (29:24)
Is there 99 total? Yeah, there was. I want to make sure I’m clear on that. I know 42 and 43 really well. At you. I have to because I’m confident in the ISO 27001.
Jordan Eisner (29:34)
And you say Mastermind is about making your clients masterminds.
David Forman (29:37)
Yeah, well, we’re educating right now. I just want to make sure I’m clear on the total number of articles there. I think there’s some that are like kind of prefaces to that.
Jordan Eisner (29:45)
Well, I heard a great talk at a privacy conference one time and the topic was, I got 99 articles, but it’s not one, right? That stuck with me, right? It wasn’t the Jay-Z lyric.
David Forman (29:55)
And that’s something.
Yeah, there you go. Where I’ll go with that though, GDPR certification eventually did get approved by the European Data Protection Board. And there are GDPR certification mechanisms out today that are not ISO 27701. ISO 27701 never became that GDPR certification mechanism. However, people were thinking originally, when it came out, it might be it, because none had been approved yet. And the CNIL, which is the Data Protection Authority of France, was actually part of the authorship group of that joint technical committee that authored 27701. So everyone’s like, okay, like we have DPA involvement here that are actually authoring the standard. And then if you looked at the standard when it came out, there was an informative reference in one of the annexes that actually mapped it to the European Union GDPR. So you’re saying all signs are pointing to that this could possibly be a certification mechanism. Unfortunately, it never became that certification mechanism.
If you read the GDPR, one of the articles, I think it’s 43 for this one, it talks about another ISO standard, 17065. And that is a product and services certification, not a management system certification, which would be under 17021. And so technically, 27701 could have never been it. It would have been extended, augmented some way to apply to a specific product or service. Getting back to the competency piece here, and I’ll wrap up. But ultimately speaking, these auditors are not supposed to be super well versed in law. One, law changes more frequently than even these ISO standards that a service references in normal criteria. But second, when we have this intake process of certification by them intimately familiar with, customers have to apply for certification. We’ll think of that more like a scoping call, almost like with an early prospect. But if we get a customer that works in a specific sector, say something illicit, for example, maybe like something adult. We can reject that applicant or that prospect on the basis that we don’t have sector-specific knowledge to apply that criteria to it. I’m using an extreme example here. But if for some reason there’s some sort of sensitive data there, like we’re supposed to reject it based on our sector-specific competency.
Jordan Eisner (32:12)
If you feel like, okay, you’ll be on your skis on it.
David Forman (32:14)
Well, actually for Mastermind, we’re actually very specific. We can only work with, and you might think this is broad, but these are a little bit more contained than you think, but technology companies, financial services, and healthcare. Now, you can apply that first one. that per? Under our accreditation scope. Are accreditation? Yeah. You don’t find that on the certificate or scope of accreditation. It’s found in our quality system, and that’s audited by that accreditation body when they’re approving our accreditation. It’s more pertinent in quality management, but it comes up in 27.
You can’t support it. Like, let me give something. You just say you reject the applicant. You say, okay, we can’t work with you. So I’ll give you an example though, that technology pillar that can be pretty elastic. So you can have a company that works in maybe a sector that you don’t have a ton of knowledge in. If they have an IT platform, then you can accept that applicant. So if that IT platform is what’s under scope for like the 27001 audit, if you want to use that as an example. Gotcha. It comes up more often.
Yeah, very much. You must not have done this before. But even more interesting is like I said, 9001 quality management. There’s different like what they call EA or industry codes. And so like we would only operate if we ever did 9100 EA code 33, which is IT. There’s EA codes for like nuclear, aerospace, or manufacturing. And basically, like if you think about 9000, or like I’ll say origins, this was like basically certifying like an assembly line like at a car manufacturing plant.
Like David Forman is not qualified to tell you whether or not that, you know, like car part coming off the line is conforming to 9001 and whatever other industry savings. I don’t think I’m going to be.
Jordan Eisner (33:56)
Okay, I think that’s probably a wrap for today. That was a lot of good stuff. Well, not for today, for this episode. It’s because we’re gonna take a quick break and you’re gonna come back in… in 42001 and 42006 apparently.
How do people get in touch with Mastermind?
David Forman (34:19)
Yeah, so you can find us online. Our website is mastermindassurance.com. You can email us at hello at mastermindassurance.com. You can find us on LinkedIn. Jordan’s already alluded that we are very noisy on LinkedIn. You can follow me specifically. My handle is masterminddavid. Or you can find our company page and you’ll be linked to all the good news. But just continue watching this podcast because we’re frequent guests.
Jordan Eisner (34:44)
Yeah. If you like what you hear on these podcasts and you’re interested in contacting CompliancePoint, you’ve probably heard it by now, but if not, CompliancePoint.com, you can email us directly at connect at CompliancePoint.com. I’m also active on LinkedIn. Welcome any messages there. David, we’ll take a break and do it again soon. Thanks everybody.
Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.