
Information Security Management: ISO 27001 Explained


Information Security Management

27001 Explained - Your Path to Certification

In this rich and informative webinar discussion, Grassroots IT CEO David Mitchell hosts ISO 365 expert Jason Maricchiolo.

Jason is a seasoned expert who’s spent 15 years in the trenches helping real businesses strengthen their operations through effective governance, risk management, and ISO certification. David shares valuable insights drawn from Grassroots IT’s own certification journey.

Whether you’re just starting your ISO 27001 journey or looking to enhance your current framework, this session will provide practical guidance to help you succeed.


Executive Briefing Webinar

Join David Mitchell and expert guest Jason Maricchiolo for a knowledgeable and rich discussion where they demystify ISO 27001 and break down the essentials of certification.

In this session, they share proven strategies for implementation, revealing how proper security practices can strengthen your organisation’s posture while supporting sustainable business growth.

Learn how forward-thinking organisations are leveraging ISO 27001 not merely as a compliance checkbox, but as a framework for building resilience and competitive advantage in today’s digital landscape.

In this Webinar
  • Understanding ISO 27001 – Learn what ISO 27001 is and why it’s the global standard for managing information security.
  • Achieving Certification – Get an overview of the implementation and certification process, including realistic timelines.
  • Maintaining Compliance – Discover how to sustain ISO 27001 compliance post-certification and continuously improve your ISMS.


Additional Resources

The following additional resources are mentioned or referenced in the webinar.

David Mitchell
CEO - Grassroots IT
About David Mitchell

David holds an MBA and various qualifications, including Project Management. With extensive consulting experience across a wide range of industries, he is well-placed to be the Chief Executive Officer of Grassroots IT. When he’s not running after his four children, David enjoys trail running in his downtime.

Jason Maricchiolo
Managing Director - ISO 365
About Jason Maricchiolo

Jason Maricchiolo has spent the past 15 years helping organisations enhance their operational functions, focusing on governance, risk, and ISO compliance. With extensive experience in achieving ISO certifications and a deep understanding of data security, AI governance, and regulatory requirements, he provides practical, tailored guidance to help organisations strengthen their security and compliance frameworks.

Transcript

David Mitchell [00:00:08]:
Good morning and welcome everyone. I am David from Grassroots IT. We are here to help your teams thrive through proven technology. And today we’re here to simplify the certification journey to ISO 27001. So I’d like to introduce you to our subject matter expert for the day, Jason from ISO 365. Jason, would you like to introduce yourself?

Jason Maricchiolo [00:00:35]:
Yeah, absolutely, David, thanks for having me. And welcome everyone. So, yeah, my name is Jason Maricchiolo. I run a governance, risk and compliance consulting company called ISO365. And I’ve spent my whole career basically in information security management. So I work with a lot of companies across Australia and New Zealand helping them to protect their information, but more importantly, building these information security management systems, also known as ISO 27001. And my credentials, just for everyone’s benefit, just at the bottom there. I am also a lead auditor for 27001 as well as a lead implementer, which means I can audit and implement, but I just can’t do them both at the same time.

David Mitchell [00:01:21]:
And one of the reasons we got Jason on board for our journey to ISO 27001 is that Jason has also worked and been in the leadership of technology service providers like Grassroots IT, so very much understood our market and specifically the technology that goes into small and medium enterprise. So, Jason, without further ado, we’re going to move over to the broader picture of ISO.

Jason Maricchiolo [00:01:50]:
Yeah, it’s a great question and I love starting here because a lot of people that come to these conversations or these webinars, Dave, they don’t necessarily even know what ISO is or what it stands for. So I really like to take it all the way back a little bit, just do a bit of an intro for you all. So what is the ISO? So it actually stands for the International Organization for Standardization. That’s where that acronym ISO comes from. And they write and publish these things called standards. And there’s actually over 24,000 standards that have been written by the ISO in their history. And that is just continuing to build. And so a lot of, you know, the next follow on question that I always get is, okay, that’s great, but what is a standard? And so a standard is basically a formula that describes the best way to do something.

Jason Maricchiolo [00:02:42]:
And so we’ve probably heard a lot about quality standards before. That’s one of the most popular and probably one of the oldest ISO standards that are out there. But there’s also other ones, including environmental. What we’re here to talk about today, information security and even in the new world, AI management and things like that, David, are starting to come to fruition.

David Mitchell [00:03:07]:
One of the questions that I do have that we’ll cover later on is which one should you do first and what is it like to do multiple? And while I think of that, if anyone has any questions, please put it in the chat now. Jason loves questions. And we will unpack information where you all would like to.

Jason Maricchiolo [00:03:26]:
Absolutely. Yeah, definitely.

David Mitchell [00:03:28]:
Okay. Now drilling down a little further for why we are here. ISO 27001.

Jason Maricchiolo [00:03:34]:
Yeah, great. So effectively what we’re trying to do at any one time when it comes to information in our business is we’re trying to protect one or all of these three things. Right. And so these are three terms. If everyone can take something away today, it would be to see these three terms and maybe understand what these three terms are. So we have confidentiality, integrity and availability of information. So I’ll give you some examples of what it looks like to protect information in these three categories. So I’ve got a big blue login button there under confidentiality.

Jason Maricchiolo [00:04:11]:
That’s to kind of illustrate that the reason why we log into things is to protect the information inside that system. And so it’s ensuring that information can only be seen or accessible to those who are authorized to view it. So if you were to take a financial system, let’s say, like Xero, your admins will obviously have all of the information that they can see, but other people may have limited information. And so that’s about protecting confidentiality of information and restricting it to those who should actually see it.

David Mitchell [00:04:45]:
Yep.

Jason Maricchiolo [00:04:46]:
The second part that we’re protecting at all times is what we call the integrity of information. So this is actually just the mechanism to guarantee that the information that we’re seeing is accurate and complete and it can only be modified by authorized personnel. I want to give a real world example of what that could look like outside of it, actually. And that is imagine if someone was able to amend the contract terms on a signed contract, whether it’s an employment contract of yours or whether it’s, I don’t know, a house contract. You might have just purchased the house and someone is going to go and change the Section 32, let’s say, or the contract of sale. That is an integrity issue. So we need to make sure that what we’re seeing is trustworthy and complete and can’t be modified by just anybody.

David Mitchell [00:05:37]:
And the appropriate version.

Jason Maricchiolo [00:05:39]:
And the appropriate version, of course. Yeah, version controlling is very much an integrity thing as well. And the Final piece to this puzzle is the availability piece. And so this is actually about ensuring that information is accessible to the people who need it, whenever it is. And so some examples of this could be, even in healthcare, if a doctor can’t bring up patient records on the spot, that’s an availability issue. So we’re responsible for making sure that the information that we have is available to those that need it, when they need it. And so ISO 27001 is kind of this, this overarching piece around confidentiality, integrity and availability. You’ll see that there’s a picture there on the ATM for availability.

Jason Maricchiolo [00:06:23]:
Actually, the example I was going to give was we’ve all been there. I guarantee, you walk up to an ATM, you go to get your cash out and it’s offline. Okay, that is also an availability issue. Someone somewhere along the way is responsible for making sure that machine is up and running. And if it doesn’t have the adequate resources and it shuts down or there’s an issue there, well, then that’s an availability problem.

Jon Hollenberg [00:06:48]:
Where does the cybersecurity come into all of that is that, you know, so, for example, some nefarious actor coming in and logging into your system?

Jason Maricchiolo [00:06:58]:
Yeah, absolutely. So if you were to take that exact scenario or that exact risk of a hacker coming into your system, they could affect one or all of those three things. So let’s tackle confidentiality for a moment. They come in, they get access to information that they shouldn’t see, but not only that, they extract it and then they publish it online. That is your typical confidentiality breach, which gets you in obviously all sorts of issues with, you know, under the Privacy Act and things like that. An integrity one is an interesting one. That would be where, let’s say a hacker was inside an environment and they had the ability to change certain information. The possibilities are endless here.

Jason Maricchiolo [00:07:42]:
They could change contract terms, they could change bank account details on invoices, and then all of a sudden invoices are being paid into their bank account details. So going back to that integrity piece and then availability, like I said with the ATM before, if you’re in the business of serving information or serving resources out to your clients, if they were to pull that down or manage to bring that down, then it could shut your whole business down for hours, days, weeks, you know, you name it, could be as long as anything. So realistically, any risk always comes down to one of these three things, or at any one time, one, two or three of these things.

Jon Hollenberg [00:08:29]:
So information security management as a broader thing: anything underneath information security management comes under ISO 27001.

Jason Maricchiolo [00:08:40]:
Yeah, absolutely, yes.

David Mitchell [00:08:42]:
So nothing falls outside of that. If you get ISO 27001 right, you’ve set yourself up as best you can for information security management.

Jason Maricchiolo [00:08:52]:
Yes. 27001 is considered the gold standard across the globe. It’s the one that’s internationally recognized. So it doesn’t matter where your business is, it is recognized in all of those different jurisdictions. It’s about building an information security management system and that management system is the key piece. So when we’re talking about all of these risks that we’re trying to uncover in any organization, we raise those risks on a risk register and then we actually assess and we treat those risks with either third party apps or consultants or contractors or partners or whatever it is in order to build that coherent protection around the business.

David Mitchell [00:09:32]:
One of the things I did notice when we implemented this with you is that it was a system and it wasn’t reliant on an individual person. So I think that’s one of the big changes for SMEs or small businesses is that when you implement a system and run it properly, if someone’s away or if someone changes roles or you lose an employee, it doesn’t mean that the security guy’s gone. Therefore your security has holes in it. You have a system.

Jason Maricchiolo [00:10:01]:
Correct. And every organization has many different roles and responsibilities when it comes to protecting information. So like there’s a whole piece in the standard around, you know, HR security. So there’s HR managers that get on calls with us as well and we’re training them on certain aspects of what they should be doing in the hiring process, but also in the termination process. You know, reminding outgoing staff of their confidentiality obligations in their existing contracts is actually a control in ISO 27001. So they’re not all about putting in very expensive systems and everything’s quite digital and things like that. There are other controls inside the standard that are around things like HR or organizational security or even physical security. How accessible is your front door, for instance, to your building?

David Mitchell [00:10:52]:
Yep. We had to change our locks and put cameras in to achieve certification. A quick question is there are other frameworks other than 27001 that we’ve all heard of. Essential 8 being one the Australian Signals Directorate has. That’s their framework. There’s a newer one called SMB1001, and NIST. Could you just give us an overview of where they fit in to 27001? Should you use one rather than the other one first, then 27001?

Jason Maricchiolo [00:11:27]:
It’s a great point. I wish I had a perfect silver bullet answer. I would say the best answer for this is probably a horses for courses kind of answer for you here, David. So where I’ll always recommend 27001 as the Information Security Management System, I think regardless of any of those frameworks that you listed before, Essential 8, NIST, SMB1001, et cetera, they are going to be a list of controls rather than a management system. They are intertwined. You can implement NIST or the CIS controls or even the Essential Eight as your chosen framework and then you can layer a 27001 information security management system over the top. And I think that is a very complementary system. It doesn’t need to be an or conversation, this or 27001.

Jason Maricchiolo [00:12:21]:
For me it’s always a this and 27001.

David Mitchell [00:12:25]:
Yeah. The way I understand it now is that Grassroots IT has followed the Essential Eight framework and we were compliant with various levels, but that is just a static list. Then at that point in time we were compliant. If we hire someone new, if there’s not a management system to make sure that that person is trained or to make sure that person is a part of a certain group, then it falls down. So to me the difference, as you said, is that you go from a static list to a management system that is live and ongoing and not just at a point in time.

Jason Maricchiolo [00:13:07]:
Exactly. We call it dynamic risk management, let’s say. And so if that Essential Eight document or framework was to get updated, and it does each quarter, there’s a few little bits and pieces that move around in the ISM, and that’s the Information Security Manual that they publish. Then you can use your information security management system to raise a task or raise a risk to say, hey, the ISM has been updated. We need to now go and execute these 10 controls. So they work together. They are not designed to be opposing.

Jon Hollenberg [00:13:42]:
Great. Okay, so let’s narrow down a little bit further in what it takes to achieve certification.

Jason Maricchiolo [00:13:50]:
Yeah, so this one here is always the how long is a piece of string debate. So it depends on your organization size, your organization’s scope, and when we’re talking about scope, are you looking to certify the entire organization or a department inside an organization? So we generally put a six to 12 months plus timeline on achieving certification. This all depends on whether or not you’ve got internal teams, whether or not you’re bringing in a consultant on the 27001 side, which can help you fast track understanding the standard and the requirements and things like that. A typical self implementation can be likely 18 months plus. That’s what we’ve seen in the past. But effectively what you need to do in order to get the ball rolling here is you need to implement something. You need to implement an information security management system. So you need to understand the requirements of that standard I was talking about before.

Jason Maricchiolo [00:14:52]:
And they are, you know, they do read like legal documents. So you know you’ve got to be that way inclined if you’re going to go out there and buy the standard and read it because you need to interpret it and then you need to obviously implement from there. But what is happening is it’s basically giving you a list of instructions or guidelines in order for you to implement all the requirements of the standard. So we’re talking about things like an information security policy, a mobile device policy, having a full risk assessment and risk treatment management methodology, which is what I was talking about before when we talk about raising risks. So effectively what you’re doing is you’re going through that document either by yourself or with some help through a partner and you are satisfying all of the relevant controls to you within that organization and that forms part of your implementation.

David Mitchell [00:15:46]:
So just to give everyone an idea, when you’re talking about 27001, it’s a document and how long is this document? How, how big are we talking and what, what is in it?

Jason Maricchiolo [00:15:58]:
Yeah, so the document itself, 27001, is quite a short document. I think it’s only around 40 pages. But what you need to understand in the ISO world is that the documents are treated as a family of documents. So there are many more than one document that all lead back to the overarching 27001 document, which is, call it a summary of what you need to do in order to achieve certification. So there’s another document out there called 27002 that a lot of people on the call may have heard of before and they kind of go, well, do we need to get certified to both? The answer is no. 27002 is actually a guidelines document, David, that is a lot thicker than the 27001 document. But that is more just a guideline document that goes a little bit further into each of the controls and what you can do within your organization in order to satisfy those controls. So 27001 itself is quite a short document, but that’s the one that the auditors will audit against.

David Mitchell [00:17:10]:
And what is in that document? Is it different sections treating different parts of risk?

Jason Maricchiolo [00:17:18]:
Yeah, so the document’s actually split up into two. So we have what we call the ISO management clauses. That’s where we have things that are very ISO related. So things like leadership, commitment, support for building the ISMS, things like, yes, your risk methodology and all the risk side, the operations of your business all come in under that management clause side. And then it kind of finishes with this concept of continuous improvement, which a lot of people would have heard before. But it’s about that constantly becoming better. And if there are any issues within the organization raising root causes and things like that. And then there’s the internal audit piece.

Jason Maricchiolo [00:18:00]:
And so that’s all in the front half of the standard. That’s what we call the management clauses. Then we have the back half of the standard, which is what they call the annex. And the Annex is the 93 controls. For anyone on the call that’s heard of the Annex A, that’s what we’re talking about. And so that’s split up into four different areas. We have the organizational controls, we have the people controls, we have the physical controls of your building, and then finally the technological controls, which is where a lot of the MSPs come into play with their security stack.

David Mitchell [00:18:36]:
Great. Jason, you’ve used the term ISMS quite a few times. Can you just enlighten us as to what that actually is?

Jason Maricchiolo [00:18:47]:
Yes. So the acronym ISMS, which I always tend to fall into, it does stand for that original Information Security Management System that we were talking about before. So again, it is the overarching system that holds all your policies, all of your registers, your risk registers, your list of legal registers, things like that, also your corrective action register and things like that. So this system that we’re talking about is, it’s that single point of contact, let’s say Dave, that an organization can go into and say, okay, these are all of my policies, these are all of the things that I need to be adhering to. This is how I raise risk as a staff member, et cetera, et cetera. So that’s the ISMS.

David Mitchell [00:19:30]:
And practically speaking for Grassroots IT, that is a SharePoint site. So it’s like a little mini internal website that has a landing page which contains the higher level policies and then links to our lists. So you know, we have lists of approved programs or apps that we can use. We have lists of approved people and suppliers and things like that. So when Jason’s talking about the ISMS, it is the location where all the information resides, where you go to. It’s a living site.

Jason Maricchiolo [00:20:07]:
Yep, exactly. Right from there, the way that the certification process works. So once you’ve implemented a system and it’s working, you then go through an auditing process. And that auditing process is split up into two. You have a stage one audit, which is your first audit with an external auditing accreditation body, and they’re going to come into your organization and make sure that you have built a system that complies with the standards. So you’ve got the right amount of policies that you should have. You’ve got a risk management mechanism in order to raise and assess and treat risk. And so that’s what they’re looking for.

Jason Maricchiolo [00:20:50]:
It’s more of a readiness to go into what we then call the certification audit, which is the Stage two. And so in Stage two, this is where the rubber hits the road. You can say whatever you want to say in a policy, but unless you’re following that policy and being able to provide evidence of what that policy is saying that you need to do, that’s what the auditors will be checking upon that stage, too. So they will be going through your records with you, of course, looking for certain things. So an example, Dave, could be under ISO 27001, we want to have a really rigorous onboarding process when it comes to tracking what kind of access we’re providing to new users that are starting at any given organisation. So what an auditor will generally ask for is, can you show us a record of myself, Jason, starting at Grassroots IT, let’s say, and you’ll be able to pull up a record that says, yep, this was his onboarding date. This was the access he was provided in all of these systems. And so you actually show evidence of that record in that stage two audit.

Jason Maricchiolo [00:21:57]:
If you pass all of the requirements over that audit. And that could go for three days, it could go for five days. It depends on how big your organization is. It all scales by staff. That’s when the auditor will inevitably, hopefully, recommend you for certification if you don’t have any issues within that audit.

David Mitchell [00:22:18]:
And from our experience, the closer you get to a complete system for Stage one, if you can get there in Stage one, it means that stage two is a lot easier. Whereas if you get to Stage two and you’ve. If you don’t get close in stage one, you’ve got a higher risk of failing in stage two. And then that can become an expensive exercise because then you’ve got to get everyone, including auditors, back again for another fee to try again. So that’s just my experience there.

Jason Maricchiolo [00:22:52]:
Yeah, absolutely. I mean, in that stage two audit, inevitably auditors are going to be looking for three things. They’re going to be called major nonconformities. That’s where there’s a massive breakdown or a complete lack of a control or a requirement from the standard. They’ll give you a major nonconformity and that’s 100% what you said was right. You need to go away and fix that. Then they could issue with a minor nonconformity, which is not necessarily as bad. But an example of that could be that you’re.

Jason Maricchiolo [00:23:24]:
Your onboarding policy says that you’re going to do all these beautiful things relating to tracking your onboardings. But then when the time came to show evidence, you couldn’t show evidence because you onboarded three people without following your own process. That’s what we would call a minor nonconformity. And then auditors will inevitably give also what they call opportunities for improvement where they will always look at something and see how they think it can be done better and then potentially suggest that. But you don’t need to implement those.

David Mitchell [00:23:56]:
Just for the record, I think we had 58 actions in all right through the whole audit. Up until now, that is. So they are things like risks and corrective actions. Is that correct in our ticket system?

Jason Maricchiolo [00:24:13]:
Yeah, correct. You go through. Yeah. You basically monitor and go through your risks and also your corrective actions. From memory, there were no, obviously no nonconformities, but there may have been always some opportunities for improvement that get raised. But yeah, out of the 93 controls that you do need to assess and justify whether or not those controls are relevant to your business or not, that’s where we kind of start and then we taper off from there.

David Mitchell [00:24:46]:
Yeah. So just letting everyone know there’s not thousands of actions that you will probably have to take. We had 60. We had already complied with Essential Eight. So on a lot of areas, we were quite good. This just systemized a lot of the things that we were doing in there. So. Yeah.

David Mitchell [00:25:04]:
Okay, continue.

Jason Maricchiolo [00:25:07]:
Great.

David Mitchell [00:25:10]:
For the next stage.

Jason Maricchiolo [00:25:11]:
So I get asked this question a lot. What happens once I’m certified? You know, we all celebrate. We’ve got our certificate. We can show our interested parties. So our clients, our partners, our employees, everybody, hey, we know what we’re doing. We’ve been certified, but in the ISO world, it doesn’t stop there. So what happens is generally every 12 months, they will come back, the auditors, and they’ll do what they call surveillance audits. So 12 months after your certification audit, they will come back, they’ll do a surveillance.

Jason Maricchiolo [00:25:41]:
It won’t be as long as your certification audit. It’ll just be a subset of maybe some of the front half of the system and also some of the back half, the annex, like I said before. But it is a reduced audit just to make sure that, you know, you didn’t get certified and then just kind of leave it all to sit there for 12 months. So they’ll be checking things like making sure that you’re consistently raising risks, that you’re consistently going through any root cause analysis for any corrective actions that have been found. They’ll look at staff to make sure that they are aware that there’s an information security management system or an ISMS. Because the auditors and the ISO, they want this to become a living, breathing thing within your organization. And so once you go through that piece, that first surveillance audit, then the same thing happens again 12 months later. You need to perform things along the way like an internal audit.

Jason Maricchiolo [00:26:36]:
So you may have heard that term before, but you need to make sure that you are auditing the system itself and making sure that it complies still with the standard. And so that’s an element there as well. And then we obviously move to what we call recertification. So that recertification process, it’s the whole thing starting again from that first year. So you would sit through a recertification audit and then again it would kick into surveillance one and two. So it’s a bit of a cycle.

David Mitchell [00:27:11]:
So the way we do it is we are continuing to work with ISO365 and ISO runs a monthly meeting for us that we have our key people in. It’s run by one of Jason’s team, one or two of Jason’s team. And they, we find it very valuable because they, they bring us back, bring our focus back to the isms and make us. We’re all busy in our own jobs and, but, and I can imagine that if Jason and his team work there, we possibly wouldn’t, there would be holes. But they keep bringing us back, they make sure that we’re using the registers. There are some really obvious things. For example, when Cyclone Alfred came through, we didn’t think to put that on the, on the register of something that had happened that could potentially cause an information breach. So they guided us to do that.

David Mitchell [00:28:07]:
We discussed it, we worked out what we could do next time, what we should have done, what we shouldn’t have done. But the main point was that it was front and center. So that ongoing cadence is quite important, whether you do it yourself or with someone else.

Jason Maricchiolo [00:28:21]:
Yeah, it’s a very good point, David. It’s where a lot of what we see in the industry, there’s a lot of compliance officers or information security officers that would sit within an organization. The larger they get, there’s sometimes a dedicated person. We fulfill that role as a fractional role, if you want to call it that, David. But you hit the nail on the head. When the cyclone did come through, that was an availability issue. Right. We were potentially going to lose availability to our systems or platforms.

Jason Maricchiolo [00:28:54]:
Now, thankfully, a lot of what a lot of organizations do now is in the cloud. It’s all been set up to work from home already from our days in COVID and things like that. And so although the risk itself is probably going to be low, we still raise it. It still needs to be there.

David Mitchell [00:29:13]:
And that’s the. It’s got to be live, you know, whether it’s. It’s not the big obvious typhoon type things that are. That are important, it’s all the ongoing issues that need to be raised. If there are not risks going onto the registers, we’re just not looking at it. So that’s important. Jason, Ian’s asked a question or made a statement, actually. He finds that SMB1001 good for phased increases for business, especially when you’re starting from scratch.

David Mitchell [00:29:47]:
Do you have any experience with that particular framework?

Jason Maricchiolo [00:29:50]:
Yes, I do. It is a new standard that has kind of come through the ranks and is quite good for anyone looking to start somewhere within their cybersecurity posture. Remediation, if you want to call it that. So, yeah, the statement is sound, Ian. It is a good starting process. If the way that I always attack. Well, the way that I always approach this is probably the better word, is if there’s a requirement for your business to be 27001 certified because you have obligations to other interested parties, what we call them. So you could be on a tender panel or you could be.

Jason Maricchiolo [00:30:34]:
You could have signed a contract within your business that requires you to be 27001 as the minimum to be on that panel, let’s say. Then you do need to undergo a process like this. But if you’re just looking at getting started, then any of those standards are quite good. You could start with the Essential Eight, you could start with SMB1001. Any of these areas are quite good.

David Mitchell [00:30:56]:
And it’s my understanding that it is not a waste to start with a framework like SMB1001, because many of the controls or what you’re working on will be quite relevant to 27001.

Jason Maricchiolo [00:31:10]:
Absolutely. It’s a great starting point. They have their levels and you do build on those levels to ultimately increase your posture across your organization. So absolutely would not be a waste, would be an addition to any business and then you can keep building from there.

David Mitchell [00:31:30]:
Yep. And we did the same with the Essential Eight as opposed to SMB1001, because the Essential Eight was there when we did it. Rowan has asked, would you recommend a gap analysis be performed by a qualified third party prior to starting the journey?

Jason Maricchiolo [00:31:45]:
Yeah, I think it’s a great question from Rohan and something that I actually missed in that implementation phase, to be honest. So well done on raising that, Rowan. It’s one of the most critical points of an implementation. In order for you to create these policies and also to work out what these risks are within your organization, you need to basically lift the rug completely. And you need to figure out all of your information assets. And an information asset is a fancy term for any kind of system or even person or company that has information about your business or stores any critical information about your business. So going back to the Xero example, that’s an information asset, but also your accounting firm is an information asset as well. To answer Rohan’s question, you absolutely need to do a gap analysis with either a qualified third party or an experienced third party.

Jason Maricchiolo [00:32:46]:
I think that will help you gather some real risks within your business. If you do it internally, you may not know exactly what you should be looking for unless you’ve got the right qualified people internally to perform that task, then absolutely you can do that. But yes, a gap analysis is critical to the whole process.

David Mitchell [00:33:07]:
Great. And how else do we maintain. Oops, that’s not what I meant to do anymore. Is there any more information, Jason, that you’d like to convey in the recertification?

Jason Maricchiolo [00:33:23]:
No, not from a research perspective. Like I said, it’s an ongoing cycle. It’s a continuously improving cycle. So I would say that anyone looking to go down this route, or if you have to go down this route because, again, your interested parties are asking you to, just know that it is okay for you to implement the system and then also learn as the months tick on how to use this system. No one’s asking you to go in and get certified and be the best of the best. That’s why there’s a continuous improvement module as part of building an ISMS. And so all I would say is don’t be afraid or don’t be daunted by starting.

Jason Maricchiolo [00:34:07]:
Speak to someone that can actually talk specifics about your organization and then just figure out what that real timeline is going to look like for you.

David Mitchell [00:34:18]:
So in line with the intent for today, which was to simplify this process, I suppose if I could convey, if we could just discuss our journey on that. To my mind, what it was was a series of meetings and we had an initial meeting and you probably gave us, I think, a document to complete, to list out our assets to start with.

Jason Maricchiolo [00:34:49]:
Yeah. So it would have been a bit of a mix. Your process would have been a gap analysis workshop upfront, which I guess is super critical. But we also would have sent you a bit of a questionnaire just to gather some information about your business. And then from there what happens is that we turn effectively all that information in that gap analysis workshop. We turn that either into relevant information for policies or, if there’s risks that have been raised, we pop those straight on your risk register. And that is a way or a list for you to now go.

Jason Maricchiolo [00:35:23]:
Okay, this is what’s standing between me and certification.

David Mitchell [00:35:28]:
And from my recollection, we had a meeting every two weeks. Initially, each two weeks, we would start with an assessment of what you had found or we had found together. We would then go out and work out what we needed to do to plug those holes, if there were any holes there. At the same time, you built the ISMS, which was our SharePoint site, and you started populating the ISMS with the policies.

David Mitchell [00:36:03]:
And so, for example, each couple of weeks, we would have to assess a number of the policies. We’d have to make sure from our management perspective that your generic policies were Grassroots-ized, for want of a better word.

Jason Maricchiolo [00:36:18]:
Of course, you absolutely need to customize everything that goes into an ISMS. And that’s where, you know, you get your starting point. And there’s many different starting points out there. But it’s critical that you also. Well, you need to be a part of that process to create those policies and make sure that they are relevant to your business. Absolutely. And then we have our monthly risk meetings where we get on our calls and we make sure that those risks and corrective actions are getting ticked off. That’s all part of the process.

Jason Maricchiolo [00:36:47]:
Yes.

David Mitchell [00:36:48]:
So it was a series of short sprints for us, really. We had two weeks’ worth of work to do, not full time, of course, so each of our team, and we probably had three or four people on our team doing various things. We had someone from admin, someone from our IT security area, myself, and we just reviewed things, we made a new list, reviewed things and we just started filling in the system. And then towards the end of. I think for us it took six months to do that. Towards the end of the six months it started to fill out into a workable system. And then your role then was nearly to take on the role of what’s the auditor going to look like? And make sure we’re starting to use the system. So, for example, if we did an onboarding checklist in one of the two-week sprints, next you would be asking, well, can you show me where you use the onboarding?

Jason Maricchiolo [00:37:42]:
Correct. Exactly right. It’s all about that audit preparation and making sure that there’s no surprises in an audit. We don’t want any audit to be a stressful experience. We want it to be as streamlined as possible. And so that’s where working with a partner can often lead to a quicker implementation, less stress through the process. It’s like having a guided tour, I suppose, all the way through.

David Mitchell [00:38:08]:
I think we would have found it extremely difficult to do without a third party helping, simply because of the manpower it takes to do something in a reasonable time frame. And I thought six months was reasonable. And at the end of it we had a product that we were happy with. We also complicated things because at the same time as 27001, we did 9001 and 14001, which is quality and environment. We decided to do that because you still only have one management system. So we now call it the integrated management system instead of the information security management system. And we have everything through the one pane of glass.

Jason Maricchiolo [00:38:49]:
Correct. It’s a relevant point because a lot of organizations tend to do both 27001 and quality 9001. And so we do build integrated management systems. The front half of that standard that I was talking about before, from a quality perspective, there’s another standard called 9001, which a lot of people have likely heard of, that has the. It shares the same front half as the 27001. So that’s where we’re able to integrate these systems. So we have one internal audit, we have a blended external audit. And there’s a question here around the difference between Internal and external.

Jason Maricchiolo [00:39:27]:
I’ll get to that in a second. But it’s an efficient way for you to tick multiple boxes when it comes to standards. And we’re now even integrating the new AI management system, which is around governing AI use within organizations, which is fast becoming a problem in itself. So we could have a whole separate webinar on that. They’re starting to come through. But AI and how that’s impacting businesses is quite important as well.

David Mitchell [00:39:59]:
Yeah. And when we go through that process, which we will be doing with you, we will be using our own with the same IMS, so there’s no new things there. It literally will be bolting on to our methodology, our management methodology. Yeah, yeah. Now, Jenny has asked, are you seeing any cyber insurance providers asking for businesses to have ISO 27001 certification?

Jason Maricchiolo [00:40:25]:
This is a really good question. I have some really close contacts in the insurance game and I will always preface this with there are plenty of smarter people to talk about insurance than myself. But I’ll answer the exact question. From what I’ve seen from insurance companies, they look to see overall risk within a business, so they’re looking for your posture in total. So what I would say is they’re going to build a risk profile on you one way or another. So if you go to get cyber insurance and you have nothing, well, your risk profile is going to be, you know, quite high because you have nothing that you can align to. It will then cascade and scale from there. So if you’ve got certain systems or certain frameworks that you can attest to that you are aligned to, again, whether that’s SMB or whether that’s NIST or CIS controls or even 27001, they are going to build a risk profile on you and then they are ultimately going to give you what, you know, what your insurance premiums and things like that are going to be.

Jason Maricchiolo [00:41:29]:
As far as any insurance companies asking for specific requirements or any specific standards, no, I personally haven’t seen that myself. It’s not to say that it’s not out there, but it’s more about an insurance provider building an overall risk profile on you. And I’d always encourage, if you’ve got your certificate, to send that along to your insurance broker and say, hey, this is, you know, proof that we know what we’re doing and this is what we’re about, and that will ultimately, hopefully lead to a better outcome for you.

David Mitchell [00:42:03]:
Jenny, I can give you a little insight from Grassroots IT for that because, you know, we have cyber insurance, of course, and Jason’s correct. They didn’t ask specifically for our 27001 certificate, but we got cyber a couple of years ago before we achieved certification. And what we were able to do is provide our broker or the insurance company a list of things that we did between then and now because of the certification process that we went through and all the checklists. And that made it a lot easier for us to get insurance. I think what the problem’s going to be is they won’t demand it. They just. You won’t be insurable if you don’t comply with a number of the.

David Mitchell [00:42:49]:
What’s the word, Jason? The practices within the certification.

Jason Maricchiolo [00:42:57]:
Yeah, I think that’s a fair way to describe it. Yep.

David Mitchell [00:43:03]:
Now, there’s another question. Is, as you said, the difference between internal and external audit?

Jason Maricchiolo [00:43:09]:
Yeah, great question. So internal, external audit. What I’ve been talking about, primarily about auditing today is all external audits. So that’s an external party coming in that is completely separate to myself and to yourself as an organization. And they do an independent assessment and they go. They take you through that stage one, stage two auditing process. An internal audit is. It’s a similar function, but it’s performed from within your organization.

Jason Maricchiolo [00:43:39]:
It doesn’t have to be performed by someone in your organization, but it’s either internal or you can still get a third party to come and do your internal audit. It’s almost like a safety check. Okay. And so you can create an internal audit plan or an internal audit schedule, and you can dictate how often that’s going to be and what the audit criteria is going to be. And it might be that you’re going to take. Again, let’s lean back on that HR security side because that tends to be something that resonates with all businesses. You might go in and go, I’m going to do an internal audit on my HR security policy because I want to see that we are in fact doing police checks and that we are, in fact, storing our reference checks, let’s say, in our HR system, and that we are onboarding, and we’ve got records of onboarding saying that we are doing what we say we’re doing in our policy. So ultimately, an internal audit is almost like a protection barrier so that you don’t get to an external audit and then have all these nonconformities because you haven’t been following process and no one’s ever picked it up.

David Mitchell [00:44:46]:
Yes, the external audit is a very formal process and it needs to be, because the general public needs to be able to rely on that auditor instead of the general public or the people that we do business with needing to test everything about Grassroots. It’s insurance, sorry, information security management. This auditor has done that on their behalf. So very formal. Internal audits are less formal, more from a management perspective, to make sure we’re complying. Jason, if there’s nothing else, I’m just going to close here now. Jason is very happy to deep dive a little bit more for anyone that would like to. There’s probably some people here that would like to know more about their own specific case, which of course we can’t deal with in the meeting here.

David Mitchell [00:45:41]:
So if you could please just snap that QR code there. Jason, I’m not sure what happens when you do snap the QR code, but I don’t know whether that’s you or us.

Jason Maricchiolo [00:45:53]:
Yeah, the QR code is just to my LinkedIn for anyone that wants to connect with me on LinkedIn. But if you did want to take up that special offer there on the screen of just having a general, no-obligation chat with me just to go through your specific requirements, my email’s there. Just send an email and we’ll find and coordinate a time together. But yeah, effectively, that’s what that’s about.

David Mitchell [00:46:18]:
Terrific. And of course, if there’s any questions about this particular topic, or if you have other topics that you’d like me to cover with other subject matter experts, or maybe the cyber security standards with Jason again, please let us know. Feel free to reach out. Thank you, everyone, for attending today.

Jason Maricchiolo [00:46:41]:
Thank you. Thanks.

David Mitchell [00:46:42]:
Bye.
