VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300, ISO27001, HiTRUST and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
VanRein Compliance Podcast
Unlocking ISO Compliance with David Forman Founder of Mastermind Assurance
Unlock the secrets of ISO compliance with us as we sit down with David Forman, a seasoned ISO auditor and the co-founder of Mastermind Assurance. David pulls back the curtain on the unique role of ISO auditors and how their work stands apart from other assurance programs like SOC 2 and HITRUST. With his vast experience, David provides a clear breakdown of ISO standards, particularly focusing on governance requirements and control sections within management systems like ISO 27001. This episode is essential for anyone looking to understand the ISO certification process and its global impact.
Explore how data breaches, from the early 2010s to the pandemic era, have fundamentally altered consumer awareness and corporate security practices. David and our hosts delve into major incidents like the Equifax breach, discussing their profound influence on security compliance. We dive deep into the intricacies of SOC 2 and ISO 27001 certifications, highlighting the paths from SOC 2 Type 1 to Type 2 and ISO's Stage 1 to Stage 2 certifications. If you’re curious about how companies can transition between these frameworks to enhance their security credentials, this segment is a must-listen.
Navigating multiple compliance frameworks can be a challenging task, but David shares invaluable strategies for making this transition smoother, from HIPAA to ISO 27001 and beyond. The importance of a flexible governance program, stakeholder buy-in, and addressing pain points like GDPR and AI-related risks are all covered in detail. We also touch on emerging standards such as ISO 27701 for privacy management and ISO 42001 for AI management. Don't miss this treasure trove of insights and practical advice for anyone involved in the world of compliance.
Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on Twitter
Follow us on Facebook
Hello and welcome to the Van Ry Compliance Podcast, where we dive deep in the world of compliance, risk management, everything in between. I'm your host, Rob.
Dawn:And I'm Dawn.
Rob:Hello Dawn.
Dawn:How are you doing? Hello, I'm good, good.
Rob:Awesome. We are excited this week to welcome a special guest with us, david Forman, our trusted ISO auditor, who's been instrumental in helping companies navigate complexities of ISO compliance. Welcome, david, to the podcast.
David:Thanks guys for having me, and I think this is a little bit overdue, to be honest. So let's get that straight.
Rob:It is. We have a lot of conflicting calendar invites and there was like a trip or something, I don't know. There was things in there, but we're here now.
David:We're here now.
Rob:And since we're together and you know just why, don't you go ahead and kind of introduce yourself who you are to our listeners and who is David?
David:Sure, thanks. So, David Forman, I'm based out of Atlanta here in the States and I operate a certification body known as Mastermind Assurance. We go by Mastermind for short, wearing the hat. So if you've ever seen this very unambiguous logo, I'm trying to get some brand goodwill here, so we'll use that for today. But as a certification body, we are the third party accredited assessors to issue ISO management system related certification.
David:So to get very specific into the standards, iso 27001 is probably the most popular, that's for information security management. Iso 27701, that is for privacy information management. Iso 42001, ai management, and there's a few extensions as well, such as ISO 27017, cloud security, 27018, protection of PII in the cloud, and then you might be familiar with CSA star as well through the cloud security 27,018 protection of PII in the cloud, and then you might be familiar with CSA star as well through the cloud security Alliance. This is actually my third certification body, first one that I have co-founded here. But prior to a mastermind, I worked at another certification body known as coal fire, and then, prior to that, I was at the big four, arnston young, and I've been doing iso audits, certifications, internal audits, gap assessments, um, even trainings, um, over the last 11, 12 years now, so uh excited to uh be captain of the ship now your own ship isn't that fun of your own very much and your own responsibilities?
David:that's the scary part, but that's the fun part so, yeah, rob, I don't think I would do it justice here if I didn't, you know, tell everyone's watching this. You know, I think we have two hosts here with airpods and and then mine with these giant bows like qc, like 35s here. But um, I thought this is like quintessential of that, like mac versus pc, like commercials back in the day.
Rob:Like you guys are a mac, I'm a pc there you go, folks, you're looking for that, you're looking for that. Uh, you're looking for that. Pc auditor. That is david, exactly. Yeah, oh my gosh, you even have the whiteboard in it there's no confidential information right there.
David:It's just like, unless you can read, like behind the areas and I do love, david.
Dawn:I do love that your logo has my favorite color, which is purple oh, not not the one I'm wearing right now, but yes that is part of our color palette is there is a lavender, I believe, dawn to be more precise on there. Yeah, well, any, hey, any shade of purple is my favorite, so awesome.
David:well good, follow us on linkedin and you'll'll be able to see the purple. There you go.
Rob:Yes, you definitely see the purple yes, and we'll, we'll talk about how we can connect and stuff.
Rob:You know we um we get a. We've I've seen a huge increase in in questions about ISO and SOC two examinations and high trust and all that. Um, but ISO is very unique, you know, and that's one thing that you know, you've shown us as our auditor, is how unique ISO is. So talk to us kind of about what is the role of the ISO auditor and kind of what does it set us apart from a SOC 2 examination or even a high trust.
David:Yeah, and I think that is probably more or less the discrepancy we run into, especially in the US market. Everyone's very familiar with these other third-party commercial assurance programs like SOC 2 examinations, like high-trust certifications, hipaa tests and opinions, and if you try to just compare it one-to-one you'll fail. There's far more nuances in a management system standard like ISO 27001. So let me back up. First of all, iso. Just defining the acronym, it's actually out of order because I think it's like a French origins to it because it's based off Switzerland. But International Organization for Standardization is the name of the acronym and ISO itself is a consortium of member bodies throughout the world that basically volunteer their time and all these expert groups and advisory panels to write and author these standards.
David:So you always hear about like a very slow grind process in developing ISO standards is because there are so many opinions involved and they go through a very staged approval process. Today there's over 25,000 ISO standards. The ones we're talking about make up a very small group called management system standards and that's where we get like an ISMS information security management system from, and these are ones that you can certify to as an organization, kind of a B2B trust mechanism. And I'll say, where I think the role of ISO auditor kind of fits in is, we are determining what's known as conformity to these standards. So to put that in very layman terms, these standards the ones that we're talking about today have basically two sections to them. They have governance requirements, known as clauses, and they follow this structure called annex SL, and then they have a control section and an annex or an appendix to the standard, and those vary in terms of, I'll say, applicability as well that you would apply as an organization, based on your underlying risk landscape.
David:So I always view ISO certification as not one size fits all, but you can almost think of it similar to SOC 2, where there's criteria involved and you take that criteria, even though technically it's controls, but you apply it and the degree that you apply it is based on who you are as an organization. What type of data do I run into? Who are my customers? What type of regulators do I need to have responses to that kind of thing? So I try to separate what is a conformity audit and a determination of conformity as the role as the auditor from just pure black and white compliance with a framework.
David:Iso is not a framework. It's a scheme that has governance plus a framework of controls that you can use, but without getting into too much detail. There could be even an outside framework you use instead to map them to the criteria that iso is calling out. So, um, basically, it's a very flexible standard that is meant to meet, whether you are a two-person organization or you're a two million person organization, and all the above will actually certify to it yep, yep, no, that's, that's great, and thank you for going diving deeper into that now.
Rob:Now, don is our. She is our certified lead auditor because she can take a test, and you know, I don't do tests, but I do have to take my CISA exam this year. So, yes, I'm taking, I'm going back to school too. So, dawn, as the role of the lead auditor for Van Ryn, let's tell the listeners what about? What is your role, what is our role and how does that work with David, let's tell the listeners what about?
Dawn:what is your role, what is our role, and how does that work with David? Sure, so we work with David. David is the external auditor. So when it comes to ISO 27001, you have to, you can't do, you can't have the same internal and external auditor. You have to have a separation of that checks and balances, that type of thing. Plus, we're not a certified body, so David is part of the certification body. Um, so I, I, what we do here at Van Ryn is we get the customers ready. So ready is what does that mean? So there are things and steps to ISO. Um, I won't go into too much detail, but there are definitely um steps.
Rob:We can have a three hour podcast much detail, but there are definitely steps.
Dawn:We could have a three hour podcast. We'll sort of love that. Yeah, there are. There are steps to do with the customer as far as collecting evidence and, you know, understanding the risk and and that type of thing, up to the internal audit, which is what we do. And then what then? What happens is then we meet with David and then we start with the stages of his external audit. So there is a lot of prep work up front with what we do with our customers.
Dawn:A lot of people come to us with well, should I do ISO or SOC? Well, a lot of what we're seeing is people are getting whichever based on what their customers are asking them to get. So a lot of these companies are being forced if you will, if you want to keep these large accounts, you need to be SOC 2 or ISO 27001. So we've got both going on right now. I would say I've got equally, I think, the same amount going on and it's different. It's a different mindset and, david, I'm always, as I go through the ISO and then now I'm diving deep into SOC 2 as well, I've got three of those, I think, right now.
Dawn:And your brain you have to really adjust your brain even though it's similar but they're very different and and ISO is more robust, and I, I, um, and I say that because it it just it just more detailed. I mean I and I know that's kind of a just a general term, but it is, I mean, and you can't really can't really compare them. They're just two different, two different um types of compliance programs, um, so you know, we, like I said, we do the readiness Um and then obviously for SOC two. Soc two is is very different in that we have to use a certified CPA um to that examiner.
Rob:So in the traditional sense again yeah, again, it's uh yeah.
Dawn:Um so it is um, it is something that that we are seeing explosion of of of getting either ISO or SOC two but, um, but yes, we're talking about ISO today, so it's, it's uh, it's, it's very, it's very fun, it's very interesting. Um, we, you know, 95% of our customers are HIPAA um, and, and getting getting the HIPAA um, you know 95% of our customers are HIPAA and getting the HIPAA you know, standards and stuff and adopting those controls. It is very helpful when you're going into an ISO audit, because there are some things in place, some things that are mapped over. So, but, yeah, that's what we do we get the get the customers already, um, and because there are certain things to do to package it up and hand it over to David.
Rob:So, and your point about HIPAA is about 90, 95, maybe 90%. Now I've seen a huge shift since the change healthcare breach, the AT&T breach was tied to snowflake, um and then uh, all the other breaches that have happened recently, especially since about April May, I've seen our requests for HIPAA assessments pretty much be steady or flatline. I've tripled the amount of requests for ISO, soc and now I'm in high trust because their customers, like Dawn had said, their customers' customers are requiring certifications to even be involved with an organization, large organizations. You have no certification, no certifications or examinations, you're not going to be doing business, and I'll actually I'll speak on that a little bit, Cause that's an interesting point you bring up from like the breach side, um data breaches, especially in our space.
David:Um, it's, it's a form of awareness. Um call what it is and like I'm not going to speak to it more. From like ambulance chasing where you know every security vendor wants to. You know, go help change health care when they come david at, you can email them but they do have some good behind it too.
David:Like you know, it's kind of a wake-up call, um, if you think about some of like the major data breaches I'll say over the last 20 years or so, this is the reason why we see more and more third-party assurance programs and this idea of like transparency and trust and self-servicing, that trust or a trust center, that kind of stuff. That all came as a result, in my opinion, of these kind of root causes behind data breaches. Um, one that I remember very keenly was, um, the target hack, if you want to call it that, and that, if you knew the details behind that one, it was POS systems and target retail stores and it was actually a supply chain risk. I think it was like an HVAC vendor or something like that randomly had like credentials into the POS system and it created this entire idea around third-party risk management, which it was there. But it really was a laggard compared to this move to the cloud which had come in the early 2000s thanks to companies like Salesforce, and so people had adopted all these cloud apps and cloud providers, but they hadn't necessarily addressed those new kind of I'll say movements or motions with appropriate controls.
David:Fast forward now to early 2010s and we start seeing other types of breaches in here, mainly hitting consumers, and then finally, the big one for consumers hit in, I think, 2016, 2017, that was Equifax and that came on the heels of the Office of Personal Management as well. So you have this kind of idea that the government can't house its own data securely. Now you have an idea of a major credit bureau can't house its data securely and everyone started freezing their credit. All of a sudden, people started becoming more aware of that. You then get into the pandemic and now you have these Vantadrata-type companies popping up and they're putting out billboards on i5 saying does compliance suck? Too much Stuff like that.
David:And it's becoming more consumer awareness. It's getting into the household, which was a really good thing for our industry because eventually, when consumers become aware of it, it finally finds its way into the boardroom. Because I'll be the first advocate of this I think CISOs are undervalued and, generally speaking, fortune 500 companies they often report to like a VP or maybe a CTO, but they don't have a seat actually at the ELT table, definitely not seeing the CISO types in the boardroom. But what it was doing was it was taking, you know, like an Equifax competitor, like an Experian, and they were saying like, hey, how do we make sure we're not in the news? And so, even if they didn't have a security background, they're like a CFO type. All of a sudden we're asking those questions and we're trying to be proactive in that, and that's where they start saying I don't want your opinion, I want some third party to come here independently assess us and give us some sort of report that we can basically say, hey, look, we're trying to do the right thing. It's not gonna be perfect, but these are at least actions to be preemptive to possibly an event. And um, I think that's where you see both SOC 2 and ISO 27000 getting popularity and particularly and you probably think I have bias here, but in all reality, I think both are good.
David:They serve different purposes, though, and if you look at SOC 2, I think it's excellent if you have North American-based customers. That's where its popularity is rooted. It is authored and owned that scheme by the AICPA, which is Canada and US, so that's where kind of its audience is, whereas ISO is more international in nature and you'd say, okay, that includes the US. Well, it really didn't even come to stateside of the US until like 2010. And that's when AWS got it. That was like the first major player to get it. So ISO is like way behind the ball in terms of popularity in the U S market, but where it is popular is basically every other country in the world. So if you are a multinational company, hq possibly in the U S, it might be good for you to consider 27,000 certification, probably in addition to SOC two examinations. Um, because you're in customer, reading that report, reading that certificate, might not be familiar with what a SOC 2 is.
Rob:Yeah, and we have clients. Actually we have two clients now, I think Dawn, that have had a SOC 2 examination and now moving forward with an ISO, I think one or two. So let's kind of talk about the differences and then for for folks that have like a one or the other, a soccer and iso, how easy it, how we, if you have a sock to exact if you have a sock to how easy is it to move forward and take the controls and what you've learned and evidence to move into iso. What does that lift look like?
Dawn:don you're me who you want to oh no, I was, that's what I was going to ask. I was going to ask you really to well it, I mean I, I've done both, but it's like I think that from your perspective, I mean, obviously we know that that ISO is a is international standard, soc 2 is more of North American. Um, obviously, but just the differences, yes, the the differences, and when it comes down to you know sorry, my dog is barking.
Rob:Everyone hears that.
Dawn:You know the differences in the audits. No-transcript, because it's kind of hard to compare that. You can't really compare them, but just you have like a little bit of a this is this, this is this. Can you do kind of a general comparison from your perspective? Yeah, yeah.
David:And so I'll say, when you go down the SOC 2 path to start, 99% of companies are going to start with what's known as a type 1 audit. That is a point in time audit and that means you could put the controls in place yesterday from at least a design perspective, and you could go then have a third-party examiner, typically a CPA firm, come in here and provide an opinion on the design of those controls in the form of a SOC 2 type 1 report. However, type 1 is not the finish line. You have to get to type 2 in order to meet any sort of real benchmark that is expected of readers of these reports in the US and those type 2 periods, the shortest you can do is three months, but most commonly your first type 2 is going to be probably a six-month period. You can do three, six, nine and 12 months and then you want to obviously fast-track to a 12-month type 2 period thereafter.
David:So, in terms of comparing it to ISO 27001, if we just use that as an example, or any of these management system standards your initial certification audit is divided into two phases or stages, known as stage one, stage two.
David:A stage one is a test of design similar to kind of a type one report and a stage two is a test of operating effectiveness. So, more keen to a type two. However, iso does not have any sort of rules around aging of controls, so you can have the entire management system in place yesterday and we can audit it today. It's a point in time assessment and if you are to be certified, you get an actual certificate and that certificate has an as of date on it, or an issuance date, so it says hey, as of this date, you were conforming to iso 27001 per your statement of applicability, etc. So, um, it's always a kind of a type one report in terms of point in time, um, but it does do a test of both design and operating effectiveness to determine conformity for iso. So there's definitely similarities there, but a little bit different.
Rob:um, I'll say path to success but but now, david, remember it and Don as well. Um, all these GRC ads that you've seen, up by five and everything.
David:you can get soccer ISO compliant within three months for a couple of grand, I mean yeah, so we can talk about that if you want to go down that route, um, it's I'm not saying it's um, even misleading's, just very I'll say use case, um, yeah, so one thing that's um, if you're familiar stock to, you can apply this to iso 27001 as well. You can define your own scope. So, um, iso 27001 or any of these isos standards and certifications, they don't require the entire organization to be in scope to that audit or to that management system as we would more formally say. So, for an example, if you're that 2 million person organization you might have, you know, you might be a conglomerate parent holdings company you might only have one of your portcos go through that audit, or maybe even one product for one portco. It's also possible you have multiple iso 27001 certificates throughout your entire enterprise. Just all different scopes.
David:And really how you need to think about a management system is think of it more from like a policy set. Formally we would call it a governance program, but if you have a different, I'll say workflow for approving policies related to information security for business unit a versus business unit b, that's probably two management systems there, even if they're both iso 27001 conforming. So, um, when you talk about these, um, uh, compliance, sas, automation tools, um, that promise, you know, three months, you know, start to finish. I will say it's possible and I've actually witnessed it being possible as well. However, it is more, I'll say, aligned with what we call a reduced complexity scope, probably low headcount under 50 people, something where it's very easy to kind of micromanage the total conformity to all the controls, where you say, all right, 100 percent of people have now acknowledged security policies, a hundred percent of people have gone through employee onboarding, training, that kind of stuff. It gets more difficult with, obviously, volume of personnel and volume of processes.
Dawn:Yeah, and I think I think the key and, David, you probably may or may not agree with this, but there is a lot of platforms. The platforms are helpful to gather evidence, to help just the flow, the workflow right of the internal audit and the external audit, but the reality to it is is the customer has to be held accountable and they have to actually do something. So I think the facade is that these automated platforms do it for you and they don't. They're they're putting the controls out, they're telling you what evidence you need. They're doing great at you know, saying you need to do this, this, but you have to do it so that's one thing.
Dawn:Is that, um, you know, we find that some customers just kind of get oh, I just I hooked everything up, I you know, and it's just going and it's like well, but you haven't uploaded evidence, you haven't uploaded your policy. So it really is, it's a great tool A spreadsheet's a great tool too, but it's you have to actually be, have that accountability and just do it.
Dawn:And I think, a lot of people. I think what we're seeing is people are rushing into these certifications and they don't understand what it takes. And sure, you can get ready three to six months, you can do it, fast track it, sure, but you have to be, you have to have someone in the organization or a group of people that are going to be doing it. So I think that's what we see too. Is we, you have that where we need to do it, we need to do it, but I don't have time. So we run into that and that and that's frustrating for them. And then we do as much as we can, but as a internal or external auditors, we can only do so much, right.
David:Yeah, I also think it's the classic like, just like short-term vision as well, where people just want to have some sort of milestone that they can point to. Like, hey, we procured the platform. Like, we're on our way now. Um, and you're totally right, like with any of these, like um, larger cloud apps, um, and this is not just true for the compliant sass tools like you have to take time adopting and implementing it initially as well. Um, and I agree with you, they have a ton of value in terms of walkthroughs.
Rob:Tutorial how to get to the finish line.
David:But if you're not dedicating FTE staff to that and making that like the pinnacle priority, like you will struggle initially with some of these tools. Now, these tools, I've seen variations of like customer success up front, where they'll give you like 10 hours of like free work or something like that to help you set it up.
David:But, to your point, it's more than just setting up all the integrations so that you can, like you know, have these feeds come into these compliance automation tools. You actually have to go fill out their policy libraries. You have to then actually perform the test against these design to make sure you're conforming to them, and then not to mention broken connections, which I saw. One of these tools now is advertising 300 plus integrations. Like, I guarantee you that that is not, that is not perfect. It's 24, seven.
Dawn:Nothing's going to have to break fix that Right.
Rob:And then we find that people, that we find that it becomes another tool to manage. You almost need a team to manage a tool, like there's a team to manage the computers or the servers or the cloud right, you still have a team to manage that.
David:Well, ironically, I think these tools actually recognize this like issue that you guys are talking about too, because they have entire partner directories now on some of these tools where they talk about a managed service provider that will help you set up this as well, because they understand that that creates stickiness for them as well and reduces customer churn and and honestly, some, some folks are and I say folks um, because this could be, you know whoever in the organization is in charge of this, of this um compliance program?
Dawn:it could be the compliance officer, the dpo, I mean, you know, it could be the csa, you know who, it could be the cfo. I mean, whoever's in charge, they're either techie or they're not. So, we find that sometimes, because they're not technical, they're like they look at us, they look at the software and they're like oh, I thought this would do it itself. So I think there's. I think there's a false sense of it's going to do it for me and there isn't a quick fix.
Dawn:So we have to be very diligent in helping them, and that's what we do is we walk alongside them and help them, and we have gotten customers from some of these tools to help assist them over that line, and so we're happy to do that and, like I said, these tools are great for collecting and giving you that vision, but you have to pour into it, so it doesn't do it for you. I wanted to move on to some of the challenges you see in in in the audits that you're doing, david and this is not just our customers, but just overall with with masterminds customers what are you seeing? Is there like an overarching um, uh, you know challenge that you're seeing, or is there a kind of a handful of challenges and just kind of discuss that and maybe how people can alleviate those challenges?
David:Yeah, I'll say probably the biggest challenge. This is slightly broad but it's I'm going to be careful, my word choice here. But I'll say regressing into ISO certification. And what I mean by that is there is an existing security or governance program already in an organization and they decide to adopt, like, iso 27001 after that program has been established. And so ISO 27001, just use it as an example it covers every major function or activity you would have in a company. And again, going from two person organization to 2 million person organization, using that analogy again so procurement, legal HR, like engineering facilities, facilities, like it will cover all those areas and apply controls based on the risk there.
David:Um, so if you have an organization and van ryan, you guys work with a lot of hippa customers and they've already created an initial policy set and it's all hippa based, it's probably great for hippa. It's a very, you know, like scheme specific, it is purpose built. But then someone decides later they say okay, we, okay, we need ISO 27,000 as well, or we need SOC 2. Like it applies to any of these programs that were not authored by the same scheme owner and all of a sudden they got to take that policy that overlaps with those two schemes. So in this case HIPAA and ISO 27,000. I'm assuming there's probably an acceptable use policy of sorts for HIPAA and they say we have to now augment this to meet ISO 27001 without breaking the original HIPAA that we initially needed this for.
David:And so where I see, I'll say, the biggest pitfalls, both in time and efficiency and a budget, is just being very short-term focused, like if you are going from HIPAA to ISO 27001, I guarantee you, probably sometime in your life cycle either a customer is going to request in a different compliance framework.
David:You're going to decide you want to mature into something else in addition to this, and building for I'll say the least common denominator early is going to be very advantageous for you as an organization so that you kind of build this kind of integrated governance program we would call it a management system and iso terms, um so that it can flex based on the new requirements, new risks, new customer requests that you're going to hopefully anticipate um here in the mid and long term.
David:And so where I see the biggest issues with customers, um, and the most common pitfall is the customers starting from scratch actually have an advantage over the customers who might have a more mature program or a longer standing program, because they try to backtrack into iso and when I mean backtracking into it don was talking about earlier, about it's like it is more specific. But more specific it's not necessarily more rigid, it sometimes is very broad, and so they end up like dumbing down certain requirements, like maybe a password policy, like it used to say 12 characters of length, and now they say, oh, we just need to be a strong quality password because it's all ISO requires. Like now they're out of compliance with scheme one that they originally built this for. So I find customers trying to mash schemes that were never meant to be coexistent together, like there's a few that are like common controls, framework based um. That's where they create errors for themselves and they honestly sometimes create um I'll say more or less shortcuts from it as well that end up creating, not conformities, that's yeah, just the
Rob:complexities of that and I I think that's a very valid point you make is is mature organizations when they've set things in motion you have to kind of break it apart and then do it again Right, um, and fix that.
Rob:Have you? Have you worked? You know, um, I think a lot of our clients and inquiries lately into certification are more mature. You know they're 10, 20, 30-year-old companies. Where have you? You know, besides the change in how the process and policies and procedures work, what about the challenges with leadership and stakeholders? Because what I'm noticing too is you'll get a good CISO or you'll get, you know, the it manager, or you'll get someone illegal go. We got to do this, but then the stakeholders don't get bought in. So what are kind of some of the point? What are the pointers you have to, uh, to get stakeholders bought into a ISO certification?
David:Yeah, it's just like um, honestly, a version of sales, one-on-one as well, but like attaching yourself to a pain point, right, it's like a perceived outcome you want. So I'll switch gears here from. We've been talking about ISO 27001, but let's talk about two other management system standards 27701 and 42001. So privacy, information management, artificial intelligence management. So privacy, information management.
David:I would say it had its heyday probably in May 2018 when the GDPR went live and at that time 27701 didn't come out until 2019. But when it did come out it was still riding the coattails of GDPR and we had a lot of state-specific regulations coming out as well. So CCPA was obviously the first and that was the most dominant and remains the most dominant. Obviously, it's being revised right now not revised, but new enforcement actions going in place with the CPRA. And people were saying how am I supposed to keep up with all these random state level and other jurisdiction, specific consumer privacy laws? And honestly, the answer is a management system.
David:And so 27701 got a lot of, I'll say, momentum from that type of pain point and that helped a CISO type who may not be really in a privacy function at the time kind of go sell it to general counsel, sell it to executive team members as well. They were all familiar with what the GDPR was. They were familiar with what CCPA was. They saw Facebook get fined, to kingdom come with Cambridge Analytica and they were like, all right, I don't want to be in the news, like, let's do it, let's throw some money at it. Now the same thing's happening here with AI related risk and responsible use, and we had the EU AI act that was initially drafted and that draft got leaked in December of 2023.
David:The same month I said, 40, 2001 came out and so as a result yeah, I mean this- one was probably a little bit more calculated than the 27.01 timing, but now the EAI Act is in force and we're starting to see the most sensitive of systems start falling under that regulation. Other organizations are saying, well, we use AI and it might just be like an AI feature, it might be like a chat bot on your website, but guess what? There are certain risks associated with the data collection that's happening there, with how you train models, with which LLMs are you allowing into your environment as well, especially if you don't control those LLMs, if you're not an AI producer of sorts and I think a lot of organizations, just like we are, as audit professionals and implementation professionals, is. We're trying to wrap our hands around. What are the true risks of this technology? Cause it's developing so quickly and, um, I'll be the first to admit, like your security auditor is not a privacy expert overnight, your privacy expert and security auditors and an AI expert overnight. Um, and it's like I was liking it to, like the, the crypto, and like blockchain enthusiasts, enthusiasts they're all throwing it on their LinkedIn headlines.
David:The second it all came out, I was like I'm a blockchain expert? Probably not, because it hasn't been around super long, unless you're in a PhD program and I think this is one of those areas where it's kind of FUD there's fear, there's uncertainty, there's doubt from the executive teams for some of these companies saying, well, we know we're using versions of AI in certain systems and we have AI features that are go to market or in development. How do we maintain our risk posture around this and how do we reasonably control releases? And that's where I think the popularity of 42001 is coming right now across kind of our kind of core segments of customers as well. So, kind of going back to your original question, I think you attach yourself to current events and other pain points yeah, and.
David:I think that's how you get the buy-in, not only from a resource standpoint, but probably budget as well so yeah, this is a good conversation by AI, because we hear about AI all the time, ai is taking over AI, this AI, that.
Dawn:So the AI, the ISO, is it like an addendum to 27001?
David:or is it a standalone? Yeah, good question, because that's actually different from 27001, how it was set up?
Dawn:Yeah, because we're going to get that question and I know that a customer of ours had performed a couple other ISO audits with you and I think one of them was cloud and one of them was PII, I think so, oh, the extension standards, yep yeah. So kind of explain the AI and what that means. If someone's like, hey, I need that or I want that, what does that look like?
David:Yeah, no problem. So these ISO standards and I guess the more perfect term is ISO documents, now that we're getting into this topic they vary in terms of kind of, I'll say, the weight of the document. So there's international standards, like international management system standards like 27001, 27701, and 42001. And some of them have dependencies, or what they call co-requisites. There's no prereq but there is a co-rec. So 27701, um, I'll tell you the difference between a co-rec there's a difference, I'll explain.
David:So the privacy one we're talking about 27701. It is its own management system standard. However, it does have a co-requisite requirement with 27,001 for information security. So truly, you can't have security without privacy or can't have privacy without security. Right that kind of that tagline into a stage one, stage two, without having 27001. But you could do it in parallel with your initial audit for 27701, whereas a prereq kind of in these terms would be you already have 27001 before you start uh, stage one for uh, 27701, privacy. So the question on ai 42001 there is no dependency, there's no co-rec, prereq, nothing. So you can have a standalone 42001 certificate without any other iso certifications.
Dawn:Yep so there's no prerequisite with that no.
David:And then you mentioned extension standards as well um 27 017, which is more security in public cloud environments, and then um 27 018, protection of pii and cloud or cloud privacy, as we kind of talk about short name. Um, those do have a co-requisite with 27 000 one for information security management Got it.
Dawn:Yep, perfect Okay. So AI is okay, ai is standalone. Yeah, I think we're going to get that question. Ai will always stand alone because.
Rob:SkyNet has to be built.
David:Yes, wow, terminator dies Good reference, dude so yeah, Schwarzenegger dies folks.
Rob:I don't know what's going to happen.
Dawn:He's got the plan, we got the movies. Should we put the Terminator thumbnail as the podcast picture? I'm just kidding, that could work.
David:He's going to get an email from his attorneys right.
Dawn:Well, I have to give a kudos to David because saying all those numbers super fast, because you are a super fast talker- I am and you said them very clear. I'm actually very impressed by that. Just that alone.
David:So probably a good segue to that's all Mastermind does, so you had to be very versed in it. I don't have to know all the other acronyms.
Dawn:So tell our listeners. I mean, we obviously know, you know, we know the three of us know what industries are customers that you've helped through the ISO 27001 certification. But what other industries do you work with across the board at Mastermind?
David:Yeah, so we kind of work with three kind of primary what we call technical areas, and so the one that you guys are obviously most familiar with is cloud applications, cloud service providers, and that's going to have a ton of overlap with a traditional SOC 2 examination, kind of applicant and kind of candidate.
David:The other two, that you won't be surprised by, but obviously highly regulated as well, is financial services and then the second one being healthcare. So those kind of three are kind of our bread and butter and we also view those as being the ones that we have, um, good knowledge of, like, the traditional risks that plague a company that is a service provider within those specific technical areas. Um, there are others that we've run into, um, and I'll say, um, I don't want to say that it's a core focus area by any means, but ones that are starting to pop up more is higher education and then, um, ironically actually, law firms, which I say ironically because, like, why now? Like Panama Papers was like 10 years ago now, but they do have interest for similar reasons as well, where they just have end customers asking how are you maintaining trust and security in my data?
Dawn:Yeah, yeah, that's great Wow. Yeah, yeah, I wouldn't have thought Well, yeah, you're right, it's kind of like you should have done it a while ago. Yeah thought well, yeah, you're right, it's kind of like you should have done it a while ago. Yeah, we have some customers that are attorneys. We haven't been asked that question yet from them, but maybe it's coming.
David:It's typically driven from their end customers, not some nice-to-have internally.
Rob:It's kind of like doctors and HIPAA. I mean honestly, we have three medical practices and they're either DPCs, direct primary care or the concierge, and they get it Traditional physicians that are in the system they don't care.
Dawn:Until they have to care right.
Rob:Until the change helps the world happen and go oh like you mentioned, or the Equifax. Oh, we got to do something.
David:There's got to be an event of some sort that creates awareness or urgency. Oh my gosh.
Rob:Now where you know, david, you know just so much information. So how can people find you? If they want to know more about Mastermind, they can obviously reach out to Don and I, and we can connect you, but how can we learn more about you and mastermind?
David:Of course. So mastermind is uh on the internet.
Rob:Mastermindassurancecom the dark web?
David:No, it's not the dark one, but mastermindassurancecom. That's assurance, so not insurance. Um, and uh, you can also uh find our business page on LinkedIn. Um, it's like linkedincom slash I N slash, mastermind assurance. You can follow myself as well, david Foreman um, on LinkedIn. Um, it's like linkedincom slash I N slash, mastermind assurance. You can follow myself as well, david Foreman um, on LinkedIn. Um, if you follow me, you I won't get off your feed. Um, so, uh, you'll see a lot of announcements and notifications. But also, you're welcome to just email us too, so you can ping us at hello at mastermindassurancecom, and we'll reply probably within 15 minutes. So time it Awesome.
Dawn:So I have to ask, hang on, I have to ask, cause, I cause your, your logo is obviously mastermind the mind. I see a lot of you know your, your posts have the brain, obviously, but tell me about the logo and what, what went into developing that.
David:Yeah, so the logo, uh, it was purchased. I did not develop it, but I did do, um, uh, quite the research into it, to be honest.
David:Um especially as I was first um founding the company and establishing it, um, but I do have all the paperwork on it. It is mine now, so I'm happy about that. But, um, I actually had a customer tell me this uh, another day there is a um like, I guess, semi villain and one of the I think it's the incredibles movies that this kind of like mirrors a little bit. Um, it kind of looks like it. But I was looking for basically that traditional kind of like hacker like look, where you have like the hacker with a hoodie on and it's like, you know, kind of has the anon kind of view to it. Yeah, um, and but I didn't want it to be like that dark either.
David:So, but, um, I'm big, um, I'll say monochromatic, um kind of color schemes as well. So black white's the hat right now. Um, we do have a primary color palette. But basically, one thing I was doing when I was just building the company was I wanted to make sure that everything from um the brand to formatting, to any text you would read or copy that you would read, related to the brand. It was all very crisp, it followed the same voice, because I believe when you're building a brand and building a company, that what you see in, let's say, pre-sales is, as a customer, what you will get as part of the actual delivery and execution of the project.
David:And so maybe that's a little deep for this webinar here, but it's been something that I've been very focused on as well, and how we've been building this company is just make sure there's quality in every interaction with the brand, whether it be you as a customer, you as a partner or you as an employee. I just want to make sure that this is coming out as a very high touch program here.
Rob:Yeah yeah that. That's a great question on it. And that that you know it's a great way to kind of kind of wrap up, as well as being strategic partners. You know we are strategic partners with David there at mastermind and we do the readiness, we do the lift and then we package it up and give it to. David and he goes yay, you're great, or oh, you got to go fix that, and he is, he's able to apply that, that true certification.
Rob:And so that's what we're so excited about our partnership with you and be able to build both businesses, because small business is the backbone of the U S economy.
David:A hundred percent Heck.
Rob:Yes, rob, we know that We've worked in the big machines You've mentioned Cool. Fire. I was at IBM and Don you've done, golly you've done.
Dawn:American.
Rob:Family, big insurance companies and you don't want to be the cog. It's better to be the linchpin and do your own thing.
Rob:And we just thank you so much for joining us this week and just talking about ISO and how amazing ISO is and it's the only certification and you don't need anything else. That's what you told me in the green room. Um, everything else is junk. Uh, iso is the best. I don't, I don't know, did I get that? Did I go off cue? Oh, sorry, yeah, um, but we're going to go to put all the links how to connect, and uh, and we. Thank you, man, no, thanks for being here.
David:Uh, thank you both as well. Um, and I appreciate you guys giving me the time, um, but I'll I'm even go a step farther here on this idea of a strategic partnership. Um, for anyone listening and this is why I was cracking up when he was talking about it as well Um, the van that it was the first referral to Mastermind and it was also the first customer executed by Mastermind. So thank you guys very much for the opportunities, the sponsorship you guys have created for the company as well, and we hope that not only can we reciprocate, but that this is a longstanding relationship. That's just starting, yep, definitely is.
Rob:We loved it. We've had people help us. We were up to almost eight years in this whole thing, dawn. We've had people reach out and help us, and it's now our turn to help others build their own small brand and business.
David:You're on your way.
Dawn:That's what's critical.
Rob:And that's the American dream right there, awesome.
David:Very good guys, all righty David.
Dawn:Appreciate it having us and having you. Thanks for joining man. Yeah, all good, all good, thank you guys. Yep, I enjoyed it. All right bye you.