S2 E22: Where are all the ISO 42001 Certificates? Part 2


Jordan Eisner: So all right, here we go. We’re back. Welcome back.

David, when we started this, we didn’t necessarily know that we were going to split it into two parts, but I think it makes sense for our audience. We’ll give them a little break, right?

So we just wrapped up part one. Here we go. And we will get into part two of where are all the ISO 42001 certifications.

David Forman: Yeah I’m happy we kind of split this up too a little bit. I used to get migraine headaches as a child. And I feel like sometimes when you start talking about these standards, like I start getting weird flashbacks to that kind of inundation of information, so to speak. So hopefully this is more digestible now too. But yeah, let’s get back and do it.

Jordan Eisner: So this might be an obvious answer to this question, but those organizations that are going to shortly follow, not the ones doing the certification, but that would become certified, they’re already working on this, right? They are working on the clauses, the controls, all of this, right? Because otherwise they wouldn’t so shortly thereafter become certified.

David Forman: Right. And if you remember their accreditation process too, there has to be this what’s called a witness audit of the stage one, stage two. So there’s some sort of, I call it like the guinea pig customer, some guinea pig customers going through the process with their certification body vendor. And when that certification body vendor finally achieves their accreditation, as of that date, they’re allowed to basically flip that certificate issuance from non-accredited to accredited. So you’ll see it same week for those certification bodies that are early accredited for 42001, some organizations start getting certified too.

But let’s talk to the 99% though. That’s the 1% that are serving as that guinea pig for some of their certification body partners. For the 99%, you can be working on it right now essentially, and you can even be scheduling right now with your certification body to say, hey, I want a stage one and a stage two sometime in the July, August timeframe. And so long as that certificate decision is not issued prior to the accreditation date, then your certificate will be issued under accreditation. So you can still get the jump on it theoretically without having to wait for these announcements to start flooding.

Jordan Eisner: So shifting gears a little bit. But on the same note, so companies are starting to work towards it, right? They’re going to be ready. They’re going to go through their audits pretty quickly. There’s the guinea pig audits, but there’s work being done on this, right? You know, people aren’t waiting on the official announcements, right? They’re starting to ready.

What sort of tools are being leveraged, right? Because this is the first of its kind. Maybe it’s not, but this is the first of its kind from an AI system standpoint. So what sort of tools are out there?

Everybody’s interested in automation. How do you make my life easier, right? How can I do this stuff? Where is AI being used to get AI management certified?

David Forman: That’s a loaded question. So yeah, there are compliance automation tools that exist. We’re all familiar with billboards on I-5. So we can see Vanta, Drata, SecureFrame, Thoropass, TrustCloud, OneTrust, and Tugboat Logic, all those exist. And they’re good. They serve a purpose.

I’m pretty honestly agnostic with most of my thoughts on this. But I’ll tell you, I think compliance automation tools can get a bad rep with auditors for whatever reason, namely these auditors that hate change and see the industry innovating. But I think they’re actually good in the sense that they brought a lot of awareness to the space ultimately.

Go back five years, like SOC 2 reports weren’t a household name. I’m not sure they are today, but they definitely have improved in awareness. There have been more examination reports issued comparatively. I think that growth rate accelerated due to some of that marketing from these VC-backed SaaS companies.

But to your question specifically, there’s no requirement in the standard that you have to have an automation tool. And there never has been. I don’t think there ever will be. As much as those tools and those companies might want to lobby for that. But you can still do it manually. You can still do it as they would say, like in Excel spreadsheets and workbooks.

But in all reality, I think the early certification or certified organizations for 42001 are going to be doing exactly what we talked about at the beginning of the call. They’re going to be augmenting or expanding the scope of their existing management systems. So you’re probably going to see a lot that are already certified as 27001, then adding on 42001, for example.

And with that, ISO is actually very familiar with that type of concept. And it’s just called an integrated management system, an IMS. Just another acronym for you. But essentially, being that they’re all focusing on the same high-level structure called Annex SL, then you’re augmenting your scope statement. You’re augmenting your current risk assessment. You’re augmenting your current internal audit and management review.

Yes, there are a few new requirements, such as that AI system impact assessment that we talked about already. There are obviously 38 new controls that you need to justify for inclusion or exclusion to your statement of applicability. But once again, you’re augmenting the same statement of applicability you already have. So compliance automation tools, they can definitely help you with self-service gap assessments, for example.

And then I’ll say where there are areas that are complete blind spots, like the system impact assessment, which might be new for a lot of our audience, then there’s outside consultancies that can help with that type of topic as well.

Jordan, I will say there’s one more kind of element here that’s kind of interesting, though. But depending on kind of your role within 42001, as they would call it. So in 27701, we have two roles. We have PII controller, PII processor of information. Makes sense.

But for AI and for 42001, there’s kind of four distinct roles. And I say kind of because if you go look at that draft text, 42006, it kind of gets muddy in terms of what are the four roles. They kind of interchangeably use some terms that aren’t consistent.

But the ones that we’re most familiar with right now are AI user, which 90% of people are going to fall into or organizations are going to fall into. There’s AI developer. And then there’s AI producer.

And so if you think about a producer is obviously the most risky in this case, where we’re thinking about you’re creating your own machine learning model and how are you training that machine learning model? That’s obviously where you see the most risk.

Whereas a developer would be inheriting a code base, for example, and then just creating an app on top of that. And then AI users just, we use ChatGPT for X. That could be the use case if they needed to.

Jordan Eisner: That’s everybody.

David Forman: Yeah, that’s everybody else. And probably it’s still the producers too.

But you can actually go test your AI machine-learning models as well. And there are tools out there. One that’s become very popular is called Babl, B-A-B-L. And I think that’s like babl.ai. I’m not affiliated with them at all. I’ve actually never used them either. I’ve just kind of done some research on them and done some demo on it.

But there is a lot of talk within like 42006 for a certification body and how we audit AI systems and being able to actually test the underlying algorithms more systematically. And that’s where you might need a tool like a Babl, for example, to actually test your algorithm to make sure there’s not certain bias in it.

It’s not like taking a PII and then spitting it back out as a response, that kind of stuff.

So I do think you’re going to see more technical testing to prepare for a 42001 audit, depending on your role within 42001.

Jordan Eisner: So I had a couple of questions pop into my head. One is can you do an ISO 27001, 27701, and 42001 audit simultaneously?

David Forman: You can. So that is set up pretty well. And so if you were to do initial certification for all this, you could do a combined stage one, a combined stage two. No problem.

Now where it gets a little bit more messy, but the answer still remains you can, is if you have an existing 27001 and/or 27701 certification, maybe it’s in a surveillance audit and then you’re trying to bolt on the 42001 component. Well, the 42001 component is still going to require a stage one, and then its stage two will be known as the conformity audit stage that could then be merged with your surveillance for the other management system.

So you don’t need to know that information. That’s more for your certification body. But yeah, they can facilitate that as well.

Jordan Eisner: And then the other is, all right, there are companies moving towards it. There are going to be certifications as early as a week after a certification body can start granting them.

So that’s going to play out in the early adopters and the ones that are already ISO, you know, 27001 of those are going to start adding into them.

Where do you see, you know, a lot of times when we’re talking to an organization, they’re going from zero to one. They’re looking at ISO 27001 for the first time or 27701 for the first time, usually because they’re looking at 27001. Where do you see the pressure coming to become ISO 42001 independent?

David Forman: I’ll say it’s interesting. So I think you’re going to have a very high overlap between 27001 and 42001 certified organizations, not as high with 27701. My prior experiences with certification bodies, about 30% of our 27001 certified organizations were also 27701. So add privacy to their InfoSec management system.

I think you’re going to see a much higher overlap between the ISO 42001 and 27001. Call it market awareness around the risk related to AI right now. But at the beginning with any new thing, it’s a differentiator when you get certified to it. But ultimately, I think it will become less of a unique differentiator, more of a comparative differentiator and maybe at some point more table stakes how we see 27001 certification to that.

One thing I follow and it’s a public resource and it’ll be coming out again here in about three months is what’s known as the ISO survey. So you can go online, just Google it, ISO survey. I think it’s like https://www.iso.org/the-iso-survey.html.

And basically, it’s an opt-in exercise for certification bodies. And ISO conducts a global survey every year. And it’s typically in the first quarter of the calendar year. And it’s for all certificates you’ve issued as of December 31 of the prior year.

If you go look at the ISO survey results right now, you’ll see all the data as of December 31, 2022. And you’ll now see the results as of December 31, 2023 coming up in September when it releases again for the next calendar year. And what you’ll find in there is they have it segmented a couple of different ways.

One is by sector. So like one of the sectors is what’s called EA33 information technology. That’s kind of where all of our types of customers fit into, service providers sitting on the cloud.

And then you also see it divided based on central offices, they call it. So pretty much HQ. And so you can see by standard, like how many certificates have been issued, again, opt-in survey for certification bodies with most participating for the US. And the most recent results have about 1,700, 1,750 ISO 27001 certificates that are based in the US that were issued through December 31, 2022.

There’s no data yet for 27701. It didn’t start actually having a correlation until 2020. So maybe it comes up this year. And then 42001, though, when that comes out, I think you’ll probably see of the 1,700 or so certificates that issue right now. My guess is you’ll have probably 500 in the first two years. I think it’s got that much buzz around it.

And again, I’ve weathered the storm of 27701 when it first got released. And I’ll tell you, this has more hype behind it. So I think whenever there’s hype and awareness, people start requesting it.

Jordan Eisner: And that leads me to a follow-on question of that. And that is the organizations that are going to mandate this, you talk about table stakes, and maybe that’s a little bit delayed. But they’re tracking it. They’re ready to start doing that.

Because again, going back to when we talk with organizations that come to us and they’ll say, well, we’ve got to do this ISO 27001 or NIST or HITRUST or CMMC or a comparable, right? And they get those vendor security-type requests. Those companies that do that, which is a lot of companies, force that down on their vendors, are they ready to go?

You believe that at the drop of a hat they start implementing this into their vendor security process and asking for it there, or demonstrating compliance with or certification with these type standards?

David Forman: I always say there are two or three drivers that really create adoption of these new frameworks when they’re published.

The first one is the easier example. Think like HITRUST Alliance or think like the automobile manufacturers like VW and Porsche. And they have their own information security scheme.

So in Germany, you have TISAX. And then in the States, we have all the health care providers pushing HITRUST down everyone’s throats. And no one wants to do HITRUST. No one likes to pay HITRUST Alliance, haven’t met that person yet.

But regardless, we do it because it’s the largest suppliers in the space are requiring it in order to do business with them.

That leads to the kind of the second reason people do these frameworks, which is more from contractual requirements in terms of due diligence. They might be able to get by with due diligence by answering a 300-item questionnaire or they can make that 300-item questionnaire, 20-item questionnaire, if they just have certification or an attestation or opinion report related to the same kind of scheme of taxonomy.

And then the third, which I think is going to be most pertinent here is law. And the GDPR when that came out, there was a certification mechanism in Article 43. We do have GDPR certification today, but it’s really like very narrow key processing activities, essentially like event management sign up on a webinar form. That’s a processing activity via age verification service. And you can get certified for that very narrow scope. And people typically want governance to apply at an organizational level. So like those GDPR certifications should really take off, even though we started seeing big fines around it. But again, it was big fines to the big companies like the SMB market really was untouched by that.

However, with the EU AI Act, it does kind of expand the enforcement a little bit. And I think people are going to be seeking really quickly, whether it be through their customers or like their boards of directors, a way to kind of alleviate the risk that exists with that.

And that’s where certification mechanisms like ISO 42001 are going to become really popular. As popular as NIST and their AI framework is, there’s no certificate element to it. It’s an opinion report. There’s no accreditation behind it. Any fly-by-night auditor can issue an opinion over NIST. And that’s not to take away from this, but it does take away from the deliverable related to saying I’m compliant with NIST versus an ISO certification that has weight.

Jordan Eisner: This has been, as I expected, very informative, very informative to start, I guess, wrapping it up. We’ve talked a lot about the forces behind this becoming a certification, right? The process with certification bodies and then when we get certified, this has been great information, I think background.

What about more tactically, right, for organizations that listen to this, not just necessarily for industry awareness and AI and what’s happening, what could be required of them, but that are looking at doing something like this and coming at it. What should they expect to go through, right?

In year one, I understand you’re an auditor, right, from that standpoint, so your perspective, but I know you know very well on the readiness side and all that too. What should they be looking at preparing for from a business standpoint as somebody that wants to aspire to be ISO 42001 certified?

David Forman: So ISO management system standards, they’re all written very similarly and they’re written intentionally too. I had the privilege a couple years back to sit on what’s called US TAG. It’s the Technical Advisory Group and there’s a specific committee within TAG called JTC 1/SC 27 and basically it’s the US representative member body that sits on these workshop groups more or less with all the other member bodies across the world to go write these standards. I was able to witness a lot of the, I’ll say revisions and dialogue and discussion around the ISO 27000 series before 27001:2022 was revised and published.

And it gave me some good insight and I’ll share here because I think there’s one way to approach how to build a management system from scratch and then there’s a way it was intended for at least from the scheme authors behind ISO. And the standard is funny enough written sequentially.

So like if you think about clauses four through 10, which is called clause five in 27701, it’s similar across 27001, 42001. Clause four starts with scope and it starts with context of the organization. You need to understand your drivers. They call it issues, external and internal issues as to why you might build this management system and maintain it as well.

And I always tell first-time customers, I said, when I audit this sub clause, I’m looking for continuity. I’m not looking for why did you initially do it? Maybe it was a $50,000 sales contract you’re not going to be able to obtain without having certification, but I look for what is going to create staying power for this management system after I certify you, I walk away and I wait 12 months before I see you again. So that’s where the context matters a lot.

But when you’re initially implementing it as well or building the governance system to your question, this also helps understand how you should build it. It is a risk-based framework. It’s governance. The scope, literally the customer can define it as narrow as wide as they want to, as long as it makes sense within the kind of their operational control as the standard will call it.

But by starting with the scope, you can then drive your questions around if I understand my context, I understand who cares about it, the interested parties, I can then come up with an organizational risk assessment and then from the risk assessment. Where are we? Are we within our acceptance criteria right now based on how we score these risks? If not, then we got to treat them. And that’s how we select controls.

And there’s a myth here that you have to use the Annex A controls or Annex B controls in these standards. You can actually apply your own control set. So it doesn’t always have to be starting from scratch with ISO. It’s like, you know, do what the business is already doing, apply it and then augment, as I always say.

Jordan Eisner: BYOC, right? Bring your own controls.

David Forman: Bring your own control set. Yeah, I kind of like that.

But with that being said, though, you go scope to risk assessment, apply the controls, and then there’s actually kind of this idea of a second risk assessment in the standard as well after you’ve now implemented and you go back and now re-score to come up with residual risk ratings as well. And that’s where you start getting is kind of maintain and monitor and improve kind of actions related to kind of PDCA or the improvement cycle.

But in all reality, like to make things really tactical to answer your question here, I would start by just defining the scope and that can be like a scope and boundaries type document. You can put it all in one manual as well if you’re more that type of quality organization, then risk assessment, but do a really, I’ll say, harsh job on it. Like be hard on yourself. Like you want to call out like everything and think about it in a control-less environment. That’s the intent behind that risk assessment initially.

And then apply the controls, the good you’re doing around it. Once those controls have been applied, then you’re ready to kind of go re-evaluate to determine residual risk ratings and whether or not they need continued treatment or not. And then you have an internal audit, the second party review over those controls you’ve implemented as well as the governance. And then finally have a management review. So that management review if you don’t know that as much as a steering committee meeting to review those inputs and outputs.

But in totality, I think where a lot of people get sideways when they’re first implementing these standards, especially 27001, 27701, and 42001 that we’ve been talking about today, they start on the controls. And you are here to say it like BYOCS, bring your own control set is actually an option. Meaning the Annex A controls and Annex B controls depending on your role are technically optional as well.

Like that’s going to throw a lot of people in a tizzy when they watch this. But in all reality, like those Annex A controls, like you just have to map to them like from a theme standpoint, from an objective standpoint, you can use your own control set. Meaning if we are placing that I’ll say low level of focus on those controls, then you should really be focusing more on the governance pieces and clauses four through 10. Those are mandatory requirements for certification and then focus on the controls as a flow through.

Jordan Eisner: Do not pass go. Do not collect $200.

David Forman: Start with the governance. It’s all risk based.

Jordan Eisner: You know, my experience stems mostly from 27001 almost exclusively. And so many times it’s like, I’ve seen the controls, right? Like we do a lot of that. We’re fine.

It’s like, okay, did you look at the clauses? The what?

David Forman: Yeah, exactly. No one knows what a clause is if you haven’t picked up an ISO standard.

And then I’ll say step zero, go buy a license of the ISO standard from iso.org. Like so many clients have started an initial certification audit and I’m like, all right, we’re going to start on clause four. And they did the exact same deer in the headlights you just described.

I’m like, well, have you bought a copy of the standard? Like, oh no, we looked at a few blog posts. I’m like, don’t look at blog posts. You need to go buy the text that you’re about to get certified to. So that’s a step zero.

Jordan Eisner: Or listen to this podcast.

David Forman: Or listen to this.

Jordan Eisner: All right. I think that’s probably a good stopping point. We’re 50 minutes in and for our listeners that are still on, thank you. Hopefully you’ve found this to be very meaningful. I know I have.

I think if you work in this, if this matters to your roles and responsibilities, this was, I have to imagine, super helpful for people looking at this.

So David, thank you. And for the people listening, how do they get in touch with you? How do I work with Mastermind?

David Forman: Of course. We have a website, of course, mastermindassurance.com. You also find us on LinkedIn. We’re pretty pesky on your newsfeed if you want to follow us. Again, company name, Mastermind Assurance. You can find me personally on LinkedIn as well. You can find my user handle, I guess, is what LinkedIn would call it, Mastermind David.

Or you can find myself, David Forman, which I’m sure will be all over this webinar announcement. But reach out to us at Hello@mastermindassurance.com. We’ll reply within 15 minutes.

Jordan Eisner: There you go. Guaranteed.

David Forman: I can’t say guaranteed.

Jordan Eisner: Thank you, David. And for those that listen to Compliance Pointers podcast regularly, they know that we too can be found on the internet. CompliancePoint.com and I too am on LinkedIn. Happy to reach out.

If you go through that channel and are looking for David, I will make that introduction, obviously.

And, you know, if you are interested in learning more about this or other services, please reach out to either of us.

And we’ll call it. We’ll call it a day.

Thank you, David.

