Transitioning to ISO 27001: 2022

Transcript

Brandon Breslin: Good afternoon, everybody, or good morning, depending on where you are. Thank you for joining our CompliancePoint webinar here. We’re going to be talking about ISO, specifically bridging the gap transitioning between the ISO 2013 framework to the 2022 framework.

This is going to be relevant for organizations that have either gone through ISO before and want to learn more about building out the roadmap to the 2022 framework or have never done ISO before and you’re curious what it is and why it’s beneficial or if it’s even relevant to your organization.

Just to introduce ourselves really quick, my name is Brandon Breslin. I oversee our team at Security Assurance. We do PCI, SOC, and ISO services. I’m also an ISO 27001 lead implementer, and I’ll let Jim introduce himself as well.

Jim Tierney: Yeah, I’m Jim Tierney, Senior Manager in the Assurance Practice. I work mainly with ISO 27,001, SOC 2, and PCI engagements. I’m also an ISO 27001 lead implementer, and it’s a pleasure being here today.

Brandon Breslin: For our agenda today, I’m not going to read through all these, but really the purpose of this, like I mentioned in the beginning, is to understand the new changes of the 2022 release as well as the timeline. Then we’ll talk about some challenges and solutions and where we can help you guys. If you guys want to ask any questions throughout, please feel free to put some questions in the chat for us. We’ll answer them either at the end or throughout as we see those come in. We encourage this to be collaborative. We want you guys to participate in the conversation with us.

A little bit of background about who we are. We are a security and consulting company, and we provide a few different services. I know we’re talking about ISO right now, but we also provide a few other service lines and offerings as well. Our bread and butter is we do professional and consultative services. We focus on privacy, security, and compliance. We’re certified regulatory. We have technical expertise, and we’ve been out there in the industry since 2004. We are client service based as well.

We can go to the next slide here and show a few of our areas of expertise that I quickly mentioned.

We’re talking about ISO today, but we also do PCI is a large part of our business, FISMA, NIST, TCPA, mobile, cyber, pen testing, vulnerability scanning, SOC readiness, ISO readiness as well, privacy compliance, marketing compliance. We’re out there in the industry of different areas.

Specifically about ISO here, for those organizations that have never done ISO before, I think it’s relevant for us to talk about the history of the standard. It is a global recognized standard outlining requirements for establishing, implementing, and continuously improving an ISMS.

What is an ISMS? Information Security Management System.

The big element for ISO is it’s a framework. It’s not a checklist. A lot of people think it’s just a quick checklist or it’s a quick assessment process. It’s an extensive process, but it is a framework. So it’s security first. It’s a risk-based approach. It’s a systematic framework for managing confidentiality, integrity, availability.

Everybody’s probably heard of the CIA triad. A lot of those fundamental principles come into play for ISO. It’s really geared towards protecting data, protecting sensitive data, customer data.

It was originally published in 1995 and there’s been multiple iterations now. We’re talking about the 2022 standard today, but it has evolved over the years. Like I mentioned, it’s a risk-based approach. It emphasizes through risk assessments to identify potential threats to assets and to implement appropriate controls to mitigate those risks. So it’s really relevant to organizations of all different industries and different sizes and complexities as well.

The key components of ISO, a few different areas that they focus on, context of the organization, understanding the organization’s internal and external environment, the leadership, the commitment and support from top management. That’s critical right out of the gate.

Planning, setting objectives, outlining processes, performing risk assessments, support, addressing resources, awareness, competence and communication, operational controls, implementing the ISMS processes, risk treatment, security controls, performance evaluation, continuous improvement.

So we’ll get into all of these elements here shortly, but it is a very wide standard. It’s a breadth, a huge breadth of knowledge that you would have to comply with that we’ll get into in a bit.

Jim Tierney: Yeah, I think it’s important to note that it’s an information security management. So it starts with leadership, documentation, everything needs to be put in place to make sure you have the right resources, the right structure and that all of it feeds itself to continue to improve the whole management system.

Brandon Breslin: Yeah, great point on that, Jim. And I would also say with that InfoSec focus, that’s where the baseline comes into play of how do we evaluate these risks? How do we determine how to mitigate the risks? Is if you’re looking at it from a security lens instead of a just compliance lens, it totally changes the landscape of how you look at those risks.

So for those organizations here that have never gone through a compliance program for ISO, right? I’m sure you’re sitting here thinking, is it relevant for my organization? Do I even need to do this? Is it, you know, I’m a small company or maybe I’m not really in the information security business, is it even worth it for me?

The short answer is yes. And you know, having just a couple bullets out here, I’m not going to read through it all, but you know, it is relevant for every industry, right? Of different sizes and complexities. Again, if you have a security focus and if you’re serious about protecting data security and protecting sensitive data securely, ISO is for you, right?

It’s also from a marketing standpoint, it’s a strong certification to be able to put on your website or put on documentation to other third parties that you are ISO certified.

It also creates an avenue for continuous compliance. I think this is a huge added benefit for ISO because it changes the mindset of personnel in the organization, right? To not just focus on, oh, it’s another audit, oh, it’s another compliance framework, but it’s more of a year-round process of, you know, how do we put security first? How do we put compliance right underneath that or right with it in parallel? So it changes the mindset of how you approach security and how you approach compliance and how you approach improvements within the organization.

It also can align with other frameworks as well. So we’ve talked about PCI, SOC, you know, HITRUST, some of these other frameworks. ISO has built off a lot of those NIST security frameworks as well.

Jim Tierney: Yeah, and I’ll just, you know, back up that statement. I think it’s a terrific place to start a program because it gives you the breadth, it gives you the components that you’ll look to manage your operation from. And it’s a good baseline. It covers a great deal of what you would really want as you mature, but it gives you a head start because it shows you where to kind of focus your resources.

And you can, if you know, if this was your first compliance program, you know, your policy and your procedures could all kind of be ISO based, but they can stretch into other areas. So if you start getting, you know, requests for SOC 2 or you want to meet the AICPA’s services criteria and get an attestation, your security policy will be aligned with ISO. So that’s, that’s already checked off.

And then you’ll, you know, you’ll just have to map the criteria across things and you’ll be surprised at how much you already have in place.

Brandon Breslin: Yeah, that’s a great point. And I will also say, you know, not only is it a good baseline standard that Jim’s referring to, it’s also very well known across different industries.

So if you’re coming to the table with, you want to work with a third party, they may ask you, Hey, are you ISO certified? Or they may start the conversation with, have you gone through an ISO assessment, an ISO framework assessment or a compliance assessment? And if you say no in that conversation, how does that make your organization look right? But if you say yes, in that conversation, that totally changes the game with if you’re in, you know, trying to get working with a certain third party, really gives you that leg up in the market.

Jim Tierney: If you started with ISO and let’s say you got more pressure for some other kind of attest or, you know, like say they wanted a SOC 2, having the baseline of your program set up on ISO gives you a great head start in that area as well. And they can, they can see from, you know, anything that you showed them as they’re trying to see if they want to do business with you, that that’s where your alignment is. And that certification would be a natural step to follow. And but you could have an intelligent conversation about, you know, when that might occur, how that could shift into SOC 2, but they would at least have the confidence that the breadth of your program is aligning with a great standard.

Brandon Breslin: One even additional item that we haven’t even talked about is it gives you a great baseline for your security posture, right? I mean, as there’s other risk maturity models out there, there’s other cybersecurity maturity models out there. This one is a great baseline for understanding what your, what your risk tolerance is, what your risk appetite is and where your, where your environment is from a security standpoint of a maturity model in an indirect way.

So yeah, moving on to the benefits. I mean, I won’t run through all of these here, but you can see there’s tons of benefits right? I mean, a lot of these we’ve, we’ve touched on already. It enhances your reputation and trust. It gives you that great baseline security posture. It’s obviously a compliance framework. So it gives you that peace of mind for compliance purposes. It is security focused. So it gives you that security piece of mind as well.

It’s a competitive advantage. If you’re ISO certified in the marketplace, that’s a competitive advantage.

One that we haven’t touched on is the reduced, reduced need for additional audits. ISO 27001 is so comprehensive that many other frameworks are built upon that. So it’s a good baseline set for compliance.

Attracting new business goes with the marketplace competitive advantage there. And we can jump to the next slide.

As it relates to efficient processes, this is, this is a great one. That’s also another indirect result of ISO certification is you start to look internally of, you know, where are the things that can be improved? You do kind of a mini post-mortem even throughout the, you know, assessment framework, right? Hey, we can probably do this a little bit better or these areas could be strengthened.

There are these policies or procedures for operational controls or technical controls can be beefed up a little bit more.

And then, you know, the last two are probably the big hitters. QA and trust, you know, falls in line with the process improvement. But the number one element that we really want to hammer home today is the continuous improvement. This is the total mindset shift, like I mentioned earlier, it’s not just another audit. It’s a, it’s a true change with understanding your internal processes, how we can continuously improve, continuously orchestrate new efficiencies, new security focuses, new priorities, right? From a, from a methodology perspective. So all of those help to addressing risks, threats and vulnerabilities that are out there.

Jim Tierney: Yeah, and I’ll say, you know, personally, you know, it’s a sensible approach because, you know, one of the early steps we recommend to clients is to, you know, do a risk assessment. So it makes a lot more sense to organizational management, to, you know, various stakeholders and control owners. If they understand that the controls that they’re going to be operating or put in place are specifically set to reduce a certain risk.

So that kind of creates the, I would say the impetus for people to execute on the controls because they’re like, Hey, you know what? This reduces the risk of our organization. This helps us be a more secure organization.

Brandon Breslin: Excellent point. Absolutely.

As it relates to, you know, the new changes to kind of shifting gears, right? We’ve been talking about why you should do ISO or why you should undergo an ISO compliance assessment, why it’s beneficial, who it’s, who it’s relevant for, what organization should go down this path.

Let’s shift gears, which is more relevant to those organizations here that are on the webinar of, you know, Hey, I’ve done ISO before. I’ve done it on the 2013 standard and I want to learn more about the 2022 standard or I want to build out a roadmap for the 2022 standard, right? We want to put you in that position to feel comfortable with the new standards.

So the biggest, the biggest key change, if you will, is, is more encompassing for newer technologies, newer processes, the cybersecurity landscape evolving, the reduction in the number of overall controls. That’s always a great thing, right? To see a reduction of the overall controls. There are 11 new ones, but the overall number has been reduced.

And then just a reorganization, I think a restructuring of the way that they’ve laid out the framework makes a lot more sense for organizations nowadays in this modern security world.

So I think just the biggest change again is the mindset shift, similar to other frameworks that are out there that have evolved. I mean, PCI 3.2.1 to PCI 4.0 is a perfect example of this new mindset shift of encompassing more technology, encompassing modern cybersecurity practices into the framework, switching to more of a risk-based approach. ISO 2022 did the same thing. BY switching to more of this or emphasizing more of this risk-based approach, being more encompassing of new technologies.

To get more in the tactical or more in the weeds. Some of the biggest changes, I mean, there were changes all throughout the standard between clauses four through 10.

Just to highlight a few of them, 4.2, there’s now a sub-clause requiring organizations to analyze which interested party requirements will be addressed throughout the ISMS. So huge change in vendor management.

Planning of changes. So for change management, there’s a new section that stresses the importance of planned managed change processes that aligns to other frameworks that are out there.

The reconfigured structure is now organizational people, physical and technological, which is a completely different setup than what it was before. Again, I think, like I said earlier, I think that makes sense for more of the modern technology.

Some of the other, there’s new areas overall of threat intelligence, cloud security, InfoSec event monitoring, web filtering and others. So that’s also to align with other frameworks that are out there like NIST and some of the other frameworks that have been around for a while.

I think the key takeaways right of the new controls is that they’re not radical changes, but they focus on streamlining and solidifying the existing framework and really encompassing some of those new technologies. I don’t think there’s, when you see the new controls, there’s nothing that’s jumping off the page, if you will, that is a showstopper in my opinion, or in our opinion here. It’s more of just a shift in the evolving landscape for cybersecurity, encompassing more of the new technologies that are out there, really focusing on continuous improvement. Again, we want to drive that home. That is a pretty large amount of the controls are related to continuous improvement and managing those processes within the ISMS.

Transitional timeline. So we did want to hit on this specifically. So as we’re doing this webinar, we are in April of 2024. So we’re on the 2022 standard now, so you can see we are past that second milestone of October 31, 2023, which means that now we are approaching the third milestone, which is October 31, 2025, which is a key date to remember. That is when you have to be on the 2022 standard. So we are in the transitionary period right now for evaluating the new control, making sure that you have technical and operational procedures and controls in place to be compliant with the new requirements by October 31, 2025. So make sure that you have a plan.

We’ll get into this here shortly of what are the challenges and what are the ways that we can build out a roadmap to get ahead of this date. But really the big piece here with the timeline is don’t wait until 10-31-2025 to start implementing a lot of new control procedures. It’s building out a roadmap now. We’re in April 2024, so you’ve got a year and a half basically to start to put some of these practices into play and have that mindset shift to continuous improvement going forward.

Jim Tierney: All right. So some common challenges that we’d like to talk about on this webinar and see what questions you might have at the end.

But some challenges we run into from a consulting perspective is the desire to pursue ISO 27001, but then you really need to take a look at the kind of resources you have in place as an organization. Do you have people in place who know the ISO standard and clauses? Do you have the ability to train other governance risk and compliance personnel so that they can get some specific knowledge for operating the ISMS?

There may be some controls where you actually need some budget to add on to your environment. Is there, for instance, an internal audit function that you have in place that you can leverage into ISO, or are you going to have to build some internal audit capacity or have someone external come in and conduct an internal audit on your ISMS?

Time constraints, that’s a question as old as time. You have various controls in place. You have people who are in those areas actually operating the controls. There may be a, well, there will be additional burdens in place depending on how much you have documented to get those processes written down and compliant with the ISO 27001 standard.

There’s time that engineers are also going to have to either delegate or write down what’s going on in their spaces. They have to understand the importance of what you’re doing so that they’ll be willing to write those things down.

And then internally, the governance risk and compliance group, however that’s divided in any individual organization, they’ll be doing some writing as well to support the ISMS as a whole. And that’s a pretty common challenge.

Another one is taking a hard look at what you already have in place and seeing what of those can be modified to support the ISO 27001-2022 standard and where you might have a gap and need to have a new kind of policy in place to support it.

So I’d say the first hurdle from the Common Challenges perspective is management buy-in. Are they going to get the support of the various stakeholders across the organization for whom you will rely on helping generate the procedural documentation to help manage their set of controls and ultimately to execute and continually improve in their particular spaces? So management buy-in tends to reduce all of these other challenges as long as they understand what’s missing, what they need to have in place, and getting those things aligned early means that you can move more expeditiously through the process and get a really good program going.

Brandon Breslin: I also want to emphasize the process of being over-communicative and getting executive management buy-in as well, like Jim was mentioning, as it relates to them buying into the process. I think there’s always concerns that are upfront and having a plan and a roadmap for addressing those concerns in those initial conversations will help getting their buy-in and then communicating throughout the process to ensure that you’re strategically aligning with goals for the organization and not just a security focus, but having a security and a business alignment or alignment with business and IT for the framework is huge.

Jim Tierney: Okay, so it makes sense that our recommendation and best practice would start around communicating with stakeholders. I would say don’t get too far in the weeds of planning and writing things up without kind of engaging the stakeholders because you want their input on what controls they feel like they can already meet, which ones they’re doing, but maybe the documentation isn’t quite there. But having everyone working together and again, this is a message best sent from senior management empowering whatever subgroup. I’m going to assume it’s a governance risk and compliance group is going to sort of field marshal the rest of the process actually going, but you want to get the stakeholders involved, let them know why this is important for the organization, why management is behind it, and really letting them know that their execution and their role as a control owner and stakeholder is vital to the success of the overall project, not just that, but also the security of the organization.

But sometimes people will ask a busy engineer to document something and without that context, you don’t tend to get the quality of results that if they understood the importance of what you’re doing, if they understood how their pieces fit in the larger mix and then tend to get better results.

Brandon Breslin: And even tailoring your approach to the individuals of executive management and even if there’s department heads that you need separate buy-in to, right? Because there’s so many different elements of the framework that are targeted to specific areas, not just IT or not just executive management. I think that’s important also to recognize that you may have to take an agile or an individualistic approach with each of those department heads that you need buy-in from.

Jim Tierney: So typically, compliance, we would look at kind of where you are and that’s exactly what you should do. Get the standard, I think it’s copyrighted so you have to buy it, but buy the standard, analyze it, get together with the people who are going to be really project managing this and look at where the longest range things that you would need to start earliest are and prioritize those because you want to give people time to work through those processes and systems and if there’s budget shortfalls because of some of what ISO 27001 requires versus what you’re doing, management is going to need to identify what that is and how much it is and how long it will take.

So that’s typically our recommendation is to get those kind of longer range things going, get the risk assessment early so that you can see exactly where these stakeholders are as far as identifying, get the risks in front of them so that they can see down the road where the controls are going to help mitigate those risks. It’s a good starting point as well as making sure everyone’s familiar with the areas of concern in the ISO 27001standard.

Brandon Tierney: So I can jump in here. The next best practice or recommendation we would give on this roadmap right from 2013 to 2022 or if you have not done ISO before is leveraging existing controls. If you’ve done a 2013 ISO assessment or if you have done another compliance assessment or another framework that’s a security focus, leverage those controls, look at what you have internally as an organization and then look at the new controls for 2022 and ISO.

What we do for our current customers, our bridge or gap assessments, if you’re transitioning between 2013 to 2022, we can look at the new requirements and see what you have already and see where we can leverage right from other teams or other departments where you may already be compliant with a lot of these new requirements based on other frameworks and then we can do our validation procedures from there to make sure it’s compliant for ISO.

But a lot of the times we see with our current clients that you may already have those controls in place, whether it’s operationally or technically. So don’t just try to reinvent the wheel or start from scratch or it’s easy to get overwhelmed or see all the new requirements and say, oh man, this is a lot that we’re going to have to undergo. And yes, there are a good amount of new requirements, but also there’s still other controls that you may have already been compliant with. So just thinking outside of the box in that, don’t reinvent the wheel, build off of what you’ve accomplished already.

And then seek professional guidance. Here at CompliancePoint, we work with current clients on ISO readiness assessments to get them to where they need to be from a compliance standpoint. Whether you work with us or another compliance assessor, there are so many opportunities for you to get professional help in this area. And it’s understanding, it’s not just looking at the framework, it’s not just looking at the requirements, it’s looking at your individual scope, your individual ISMS, how we can critique that or modify it to get it to be compliant with the new standard. We can help you provide that guidance and that support for establishing a baseline and getting you to the new standard, not just evaluating the new requirements, but looking at the whole framework holistically with a security focus in mind first.

So specifically how we can help, both Jim and I have mentioned a few different ways, but for current clients, we can do the bridge assessments. If we’ve done a 2013 assessment for you already, we can help you get to that compliance with the 2022 framework and evaluating those new controls, or if you have not worked with us, we’d love the opportunity to work with you and we can evaluate, come in, determine your scope, look at the requirements that are out there, which ones are relevant, right, from NXA. We’ll go through all of the clauses within the framework and understand what’s relevant to you guys.

And then also we’ll give our own spin on it from recommendations, security-focused recommendations of how you may be compliant right now, but thinking about the evolving landscape, what’s going to come down the pipeline? How do you need to shift your priorities? How do you need to shift your internal methodologies to ensure that you’re staying ahead of the curve on the framework changes?

And then we also have a remediation team internally that if you identify or we collectively identify that there are challenges or maybe there are some hurdles or some compliance issues, we have a team that can help you to implement some of those policies, procedures, organizational controls to be ready for that ISO certification or to be ready for the next years, as well as managing.

So we’ve hit on a few times now the continuous compliance program or continuous orchestration that we can provide. That is definitely a huge focus in the ISO 2022 standard or the 2022 version of the 27001 standard. And that aligns perfectly with our methodology of working with you guys on a year-over basis. It’s not just a, hey, it’s the audit crunch. We don’t really operate in that capacity. We like to work in that year-round. We’re communicating with you guys continuously to make sure that you’re ahead of the ball, ahead of the game in the new framework standards.

Jim Tierney: Yeah, just to piggyback off that, sometimes we operate as a trusted advisor. People who have been through ISO engagements and helped different organizations, so have just helped an organization understand big picture what’s going on.

Sometimes we can serve as the internal audit. If you didn’t have an internal audit, we can come in and audit it because we are external. We don’t have reporting relationships within the organization. We could do the first one and then you see how it goes and see where you want to take it on down the road.

Brandon Breslin: We have contact information out here that you guys can reach out to us. You could reach out to us on connect at compliancepoint.com or you can reach out to Jim or I directly. We’ll make sure you all have our contact information and we’ll roll right into questions here. If you guys have any questions, go ahead and put them in the Q&A box.

Question and Answer

We’re deciding on realigning our organization with the security standard. Should we organize around SOC 2, ISO 27001, or NIST? What makes the most sense?

Jim Tierney: You know, like any governance answer, you could just say it depends on, you know, what you’re trying to do. But without context on this question, I like the idea of organizing around ISO 27001 for the following reasons. One is, you know, you’re building, you’re organizing your program around an internationally recognized standard.

So there’s an annex of controls, there’s clauses. It’s a full-on information security management system. So there’s not a lot of places you can’t go from there. And aligning with the standard or, you know, actually meeting the standard allows you to become ISO 27001 certified. But the nuts and bolts of what you put together from an alignment standard, you know, the SOC 2 is, you know, really meeting the trust services criteria, which you can map out towards your ISO controls. You can use your ISO-based security policy, there’s a lot of components, including, you know, setting up your internal audit, that is really more of a mapping exercise to get you in the field of play with, you know, getting an AICPA attestation.

And then NIST unless your primary goal is to work on some kind of federal program where you need to meet NIST standards, if it’s not delineated, you can also fill with some NIST standards, you can assess, use the NIST publications to, again, map back to your ISO, and then whatever gaps are left, you can just meet those NIST requirements in those specific areas.

I like ISO 27001 as the basis, because I think you can move more places including the certification for ISO.

Brandon Breslin: Yeah, I can also add on to that, Jim, as well. I would say it’s important for each organization specifically that’s here on the webcast of talk internally, talk with your third parties, talk with who you’re reporting compliance to, right, figure out what’s actually relevant to your organization. Sure, we’re talking about ISO here, but I know a few others were mentioned in the question, NIST, PCI, others, SOC 2, but it’s really what’s relevant to your organization, right? You don’t want to just go through a program, a compliance program, because that’s a buzzword. You want to actually go through the program that’s relevant for your organization, relevant to the risks that you’re working with or that you’re having to deal with, what your reporting instructions have been given down to you from other third parties.

Will an ISO 27001 certification make my organization more secure?

Brandon Breslin: You know, I think that term secure is a very loose term, right? It’s hard to say that something is more secure. I think how I would answer this would be it changes the mindset similar to what I mentioned earlier, changes the mindset of the personnel in the organization, right, to focus on security more. It’s having the awareness level. It’s looking at it through a security lens. It’s not just another compliance assessment. It’s actually taking security as an important element in the organization and looking at it through how can we address some of these risks based on security controls that we can implement.

So in turn or indirectly, yes, it can result in your organization becoming more secure if you’re looking at protecting sensitive data, but it’s not an end all be all, right? It’s just one compliance program. So just being compliant with one framework is not necessarily going to be all-encompassing of all the security risks that are out there.

Can you talk about why an organization would choose to pursue a PIMS as well as versus an ISMS only?

Jim Tierney: I mean, if you’re getting a lot of privacy-related inquiries, then, you know, building a framework around privacy makes sense. So it gets you more focused on an area of concern from your customers.

And but it’s not, you know, privacy information management system is not going to cover the broader range of an ISO 27001. So it really depends on the information that you’re protecting and really who you’re trying to demonstrate that you have it covered.

Our personnel are comfortable with ISO 27001, the 13 version. How difficult is the transition to the 2022 version?

Brandon Breslin: You know, I wouldn’t say it’s necessarily groundbreaking. I mean, it’s, again, just understanding the new controls out there and how to have the mindset shift of the personnel to be ready to move forward with a new framework. This is going to be for any compliance framework when there’s a new version, personnel in the organization will get used to doing the audit year over year with that framework.

Then you need to, you know, work with them to say, hey, these are the new controls that are out there. This is the timing for when they need to be implemented. And it’s setting a priority, setting goals and objectives within the organization to say, these are the new controls that we need to prioritize first. These are the new controls that may be a little bit more difficult. These are the ones that may be a little easier and setting that roadmap for compliance.

So difficult is a term that’s going to be different for every organization, but it’s a situation where it’s not necessarily over the moon, you know, difficult, right? When it comes to the actual implementation, it’s more of getting the personnel in your organization on board for complying with the framework.

So what are the most impactful changes in the 2022 version versus 2013?

Jim Tierney: You got rewarded with fewer controls, right? But I think the real impact is the changes in the focus. So more companies, et cetera, are using more cloud resources. This is addressed in ISO 27001: 2022.

There’s more focus on continual improvement. The new controls are really just getting up to speed with the times of how people are actually managing their data. So it’s kind of a, you know, modernization and taking advantage of the trends that we, that the industry is seeing and staying relevant with the new security challenges that have come up.

We’re going to do a second surveillance audit for ISO 27001. Do you recommend going for the 2022 version or staying at 2013 and doing version 2022 next year for the full audit?

Brandon Breslin: So I would say it depends on where your organization is in terms of the gap assessment and compliance with 2022. So based on the wording of this question you’ve already completed a compliance assessmentin the past, or maybe you’ve undergone a partial one and you’re looking to go to 2022. So Iwould say you can go ahead and with the surveillance, with the new version, if you’re ready, essentiallybeing a transition audit. But if the organization is not ready and you’re not confident, right,you’re not confident that you’re ready for the new framework, then I would say take sometime, get ready, establish priorities and personnel goals and objectives internally,evaluate those new requirements, similar to what you would do with any other framework of movingto a new standard to position yourself in the organization or to position the organizationto be ready for that full audit next year.

We are already SOC2 compliant, but we’ve been told to use some more standards for all our policies including ISO, how do we work backward?

Jim Tierney: Working backwards, think of it as just sort of broadening what you have, you’re already meeting the trust services criteria. So you have predictable, repeatable processes in place. You have, you know, an assignment of controls, you have control owners, you have management, you, I think you really have a great deal of the things in place. So what you’d want to do is buy the standard and see where there are gaps in what the ISO 27,001, 2022 requires versus what you’re covering in your policy and procedures.

So there would be areas that you can not really have in SOC 2, but you’ll need in your ISMS. So there would be some, you know, reviewing your documentation, making sure that your ISMS is documented, make sure that you’re covering, do a mapping of all the Annex A controls and make sure you’re covering, you know, those with the standard and incorporating and broadening some of your policies to cover the ISO requirements for an ISMS. So it’s not as, may not be as daunting as you think it is, it just takes some careful review of the standard and then, you know, knowing the environment that you’re already in, what’s being evaluated from a SOC 2 perspective.

Can you share any experience with customers that have added ISO 27701 (privacy) to their ISO 27001 certification?

Brandon Breslin: We actually do have a customer that did this exact situation and the work effort went really well. They actually reduced their compliance or audit overall work effort by 40% for the next year, just due to the streamlined processes of it and same personnel, all of that, you know, overlapping of evidence and things like that, overlapping and walkthroughs. So definitely a benefit there.

Jim Tierney: All right. Yeah, I think that’s all the questions we’ve had. So I’d like to thank everyone for participating. And just on that last question, just to add a little, the privacy-related controls need to be implemented in addition to Annex A of ISO 27001. So just keep that in mind.