VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC 2, ISO 27001, HIPAA, GDPR, CPRA, NY SHIELD, Texas HB300 and HITRUST, and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
Unlocking ISO Compliance with David Forman Founder of Mastermind Assurance
We sit down with ISO auditor David Forman to demystify ISO 27001, compare it with SOC 2, and unpack what auditors actually look for. We cover real breaches, the limits of compliance tools, the rise of ISO 27701 and ISO 42001, and how to win leadership buy-in.
• what an ISO certification body does and how audits work
• ISO 27001 governance plus controls vs SOC 2 opinions
• readiness and internal audit roles vs external certification
• why breaches accelerate third-party assurance demands
• scoping strategy and avoiding retrofit pitfalls
• platforms as helpers not replacements for ownership
• getting executive buy-in with clear pain and outcomes
• 27701’s privacy system and 42001’s AI management
• sectors driving demand: cloud, finance, healthcare, education, law
• partnership approach to deliver readiness and certification
Follow Mastermind on LinkedIn and email hello@mastermindassurance.com
Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on X
Follow us on Facebook
Rob: Hello and welcome to the VanRein Compliance Podcast, where we dive deep into the world of compliance, risk management, and everything in between. I'm your host, Rob.
Dawn: And I'm Dawn.
Rob: Hello, Dawn. How are you doing?
Dawn: Hello. I'm good. Good.
Rob: Awesome. We are excited this week to welcome a special guest with us, David Forman, our trusted ISO auditor, who's been instrumental in helping companies navigate the complexities of ISO compliance. Welcome, David, to the podcast.
Speaker 1: Thanks, guys, for having me. And I think this is a little bit overdue, to be honest. So let's get that straight.
Rob: It is. We have a lot of, you know, conflicting calendar invites, and there was a trip or something. I don't know. There were things in there, but we're here now. We're here now. And since we're together, why don't you go ahead and introduce yourself to our listeners: who you are, and who is David?
Speaker 1: Sure, thanks. So, David Forman. I'm based out of Atlanta here in the States, and I operate a certification body known as Mastermind Assurance. We go by Mastermind for short, wearing the hat. So if you've ever seen this very unambiguous logo, we're trying to get some brand goodwill here. So we'll use that for today. But as a certification body, we are the third-party accredited assessors who issue ISO management system-related certifications. To get very specific into the standards: ISO 27001 is probably the most popular, that's for information security management. ISO 27701, that is for privacy information management. ISO 42001, AI management. And there are a few extensions as well, such as ISO 27017, cloud security, and ISO 27018, protection of PII in the cloud. And then you might be familiar with CSA STAR as well, through the Cloud Security Alliance. This is actually my third certification body, the first one that I have co-founded. Prior to Mastermind, I worked at another certification body known as Coalfire, and prior to that I was at the Big Four, Ernst & Young, and I have been doing ISO audits, certifications, internal audits, gap assessments, even trainings over the last 11, 12 years now. So, excited to be captain of the ship now.
Rob: Your own ship. Isn't that fun? Having your own ship, very much, and your own responsibilities. That's the scary part, but that's the fun part.
Speaker 1: Yeah, Rob, I don't think I would do it justice here if I didn't, you know, tell everyone what I was watching. I think we have two hosts here with AirPods in, and then mine with these giant Bose, like QC 35s, here. But I thought this is quintessential, like the Mac versus PC commercials back in the day. Like, you guys are a Mac, I'm a PC.
Speaker 4: There you go, folks.
Rob: You're looking for that PC auditor? That is David, exactly. Yeah, oh my god. You even have the whiteboard in expensive.
Dawn: Yeah, yeah, yeah.
Speaker 1: Yeah, there's no confidential information right there, it's just white, unless you can read behind the arrays.
Dawn: And I do love, David, I do love that your logo has my favorite color, which is purple.
Speaker 1: Oh, not the one I'm wearing right now, but yes, that was part of our color palette. There's a lavender, I believe, Dawn, to be more precise. Yeah.
Dawn: Well, hey, any shade of purple is my favorite.
Speaker 1: So awesome. Well, good. Follow us on LinkedIn and you'll be able to see the purple.
Dawn: There you go.
Rob: Yes, you'll definitely see the purple, yes, and we'll talk about how we can connect and stuff. You know, I've seen a huge increase in questions about ISO and SOC 2 examinations and HITRUST and all that. But ISO is very unique, you know, and that's one thing that you've shown us as our auditor: how unique ISO is. So talk to us about what the role of the ISO auditor is, and what sets it apart from a SOC 2 examination or even a HITRUST.
Speaker 1: Yeah, and I think that is probably more or less the discrepancy we run into, especially in the US market. Everyone's very familiar with these other third-party commercial assurance programs like SOC 2 examinations, HITRUST certifications, HIPAA attestations and opinions. And if you try to just compare it one-to-one, you'll fail. There are far more nuances in a management system standard like ISO 27001. So let me back up. First of all, ISO, just defining the acronym, it's actually out of order because I think it has French origins, because it's based in Switzerland. But International Organization for Standardization is the name behind the acronym. And ISO itself is a consortium of member bodies throughout the world that basically volunteer their time, and it's all these expert groups and advisory panels that write and author these standards. So you always hear about a very slow grind process in developing ISO standards, because there are so many opinions involved and they go through a very staged approval process. Today there are over 25,000 ISO standards. The ones we're talking about make up a very small group called management system standards, and that's where we get something like an ISMS, information security management system, from. And these are ones that you can certify to as an organization, kind of a B2B trust mechanism. And I'll say where I think the role of the ISO auditor fits in is we are determining what's known as conformity to these standards. So to put that in very layman's terms, these standards, the ones that we're talking about today, have basically two sections to them. They have governance requirements known as clauses, and they follow this structure called Annex SL. And then they have a control section in an annex or an appendix to the standard.
And those vary in terms of, I'll say, applicability as well, that you would apply as an organization based on your underlying risk landscape. So I always view ISO certification as not one size fits all, but you can almost think of it similar to SOC 2, where there are criteria involved, and you take that criteria, even though technically it's controls, but you apply it, and the degree that you apply it is based on who you are as an organization. What type of data do I run into? Who are my customers? What type of regulators do I need to have responses to, that kind of thing. So I try to separate what is a conformity audit, and a determination of conformity as the role of the auditor, from just pure black and white compliance with a framework. ISO is not a framework, it's a scheme that has governance plus a framework of controls that you can use, but without getting into too much detail, there could even be an outside framework you use instead to map to the criteria that ISO is calling out. So basically it's a very flexible standard that is meant to fit whether you are a two-person organization or you're a two million person organization. And all of the above will actually certify to it.
Rob: Yep. Yep. No, that's great. And thank you for diving deeper into that. Now, Dawn is our certified lead auditor because she can take a test, and you know I don't do tests. But I do have to take my CISA exam this year. So yes, I'm going back to school too. So, Dawn, in the role of the lead auditor for VanRein, tell the listeners: what is your role, what is our role, and how does that work with David?
Dawn: Sure. So we work with David. David is the external auditor. So when it comes to ISO 27001, you can't have the same internal and external auditor. You have to have a separation of that, checks and balances, that type of thing. Plus, we're not a certification body. So David is part of the certification body. So what we do here at VanRein is we get the customers ready. So what does ready mean? There are things and steps to ISO. I won't go into too much detail, but there are definitely steps to do that.
Rob: We could have a three-hour podcast.
Dawn: We'd sort of love that. Yeah. There are steps to do with the customer as far as collecting evidence and, you know, understanding the risk and that type of thing, up to the internal audit, which is what we do. And then what happens is we meet with David and we start with the stages of his external audit. So there is a lot of prep work up front with what we do with our customers. A lot of people come to us with, well, should I do ISO or SOC? Well, a lot of what we're seeing is people are getting whichever, based on what their customers are asking them to get. So a lot of these companies are being forced, if you will: if you want to keep these large accounts, you need to be SOC 2 or ISO 27001. So we've got both going on right now. I would say I've got equally, I think, the same amount going on. And it's different. It's a different mindset. And David, as I go through, you know, the ISO, and now I'm diving deep into SOC 2 as well, I've got three of those, I think, right now. And you have to really adjust your brain, because even though they're similar, they're very different. And ISO is more robust. And I say that because it's just more detailed. I know that's kind of a general term, but it is. And you can't really compare them. They're just two different types of compliance programs. So, you know, like I said, we do the readiness. And then obviously for SOC 2, SOC 2 is very different in that we have to use a certified CPA as the examiner. In a traditional sense. Again. Yeah. But it is something that we are seeing an explosion of, of getting either ISO or SOC 2. But yes, we're talking about ISO today. So it's very fun, it's very interesting.
You know, 95% of our customers are HIPAA. And getting the HIPAA standards and adopting those controls is very helpful when you're going into an ISO audit, because there are some things in place, some things that are mapped over. So, yeah, that's what we do. We get the customers all ready, because there are certain things to do to package it up and hand it over to David.
Rob: And your point about HIPAA, about 90, 95, means for 90% now. I've seen a huge shift since the Change Healthcare breach, the AT&T breach that was tied to Snowflake, and then all the other breaches that have happened recently, especially since about April, May. I've seen our requests for HIPAA assessments pretty much be steady or flatline. I've tripled the amount of requests for ISO, SOC, and now even HITRUST, because their customers, like Dawn had said, their customers' customers are requiring certifications to even be involved with an organization. Large organizations, if you have no certifications or examinations, you're not going to be doing business.
Speaker 1: And I'll actually speak on that a little bit, because that's an interesting point you bring up from the breach side. Data breaches, especially in our space, are a form of awareness, call it what it is. And I'm not going to speak to it more from, like, ambulance chasing, where every security vendor wants to go help Change Healthcare when they come up with that.
Rob: You can email them.
Comparing SOC 2 and ISO 27001
Speaker 1: But they do have some good behind it too. Like, you know, it's kind of a wake-up call. If you think about some of the major data breaches, I'll say over the last 20 years or so, this is the reason why we see more and more third-party assurance programs and this idea of transparency and trust and self-servicing that trust, or a trust center, that kind of stuff. That all came as a result, in my opinion, of the root causes behind these data breaches. One that I remember very keenly was the Target hack, if you want to call it that. If you knew the details behind that one, it was POS systems in Target retail stores. And it was actually a supply chain risk. I think it was an HVAC vendor or something like that that randomly had credentials into the POS system. And it created this entire idea around third-party risk management, which was there, but it really was a laggard compared to this move to the cloud, which had come in the early 2000s, thanks to companies like Salesforce. And so people had adopted all these cloud apps and cloud providers, but they hadn't necessarily addressed those new, I'll say, movements or motions with appropriate controls. Fast forward now to the early 2010s, and we start seeing other types of breaches, mainly hitting consumers. And then finally, the big one for consumers hit in, I think, 2016, 2017. That was Equifax. And that came on the heels of the Office of Personnel Management as well. So you have this idea that the government can't house its own data securely. Now you have an idea that a major credit bureau can't house its data securely, and everyone started freezing their credit all of a sudden, and people started becoming more aware of that. You then get into the pandemic, and now you have these Vanta, Drata type companies popping up, and they're putting out billboards on I-5 saying, does compliance SOC too much? Stuff like that.
And it's becoming more like consumer awareness, it's getting into the household, which was a really good thing for our industry, because eventually, when consumers become aware of it, it finally finds its way into the boardroom. Because, and I'll be the first advocate of this, I think CISOs are undervalued. Generally speaking, in Fortune 500 companies, they often report to a VP or maybe a CTO, but they don't actually have a seat at the ELT table. Definitely not seeing the CISO types in the boardroom. But what it was doing was it was taking, you know, an Equifax competitor, like an Experian, and they were saying, hey, how do we make sure we're not in the news? And so even if they didn't have a security background, they're a CFO type, all of a sudden they were asking those questions and trying to be proactive in that. And that's where they start saying, I don't want your opinion. I want some third party to come here, independently assess us, and give us some sort of report that we can basically use to say, hey, look, we're trying to do the right thing. It's not going to be perfect, but these are at least actions to be preemptive to a possible event. And I think that's where you see both SOC 2 and ISO 27001 gaining popularity. And you probably think I have bias here, but in all reality, I think both are good. They serve different purposes, though. And if you look at SOC 2, I think it's excellent if you have North American-based customers. That's where its popularity is rooted. That scheme is authored and owned by the AICPA, which is Canada and US. So that's where its audience is. Whereas ISO is more international in nature. And you say, okay, that includes the US. Well, it really didn't even come stateside to the US until about 2010. And that's when AWS got it. That was the first major player to get it.
So ISO is way behind the ball in terms of popularity in the US market. But where it is popular is basically every other country in the world. So if you are a multinational company, HQ'd possibly in the US, it might be good for you to consider ISO 27001 certification, probably in addition to SOC 2 examinations, because your end customer reading that report, reading that certificate, might not be familiar with what a SOC 2 is.
Rob: Yeah. And we have clients, actually two clients now, I think, Dawn, that have had a SOC 2 examination and are now moving forward with an ISO. I think one or two. So let's talk about the differences, and then for folks that have one or the other, a SOC 2 or an ISO: if you have a SOC 2 exam, how easy is it to move forward and take the controls and what you've learned and the evidence to move into ISO? What does that lift look like?
Speaker 1: Dawn, you or me?
Dawn: Oh no, that's what I was going to ask you. I was going to ask you really to, well, I mean, I've done both, but I think that from your perspective, obviously we know that ISO is an international standard. SOC 2 is more North American, obviously, but just the differences, yes, the differences when it comes down to, you know, sorry, my dog is barking. Everyone hears that. You know, the differences in the audits. I mean, and I guess for our listeners, because it's kind of hard to compare them, you can't really compare them, but do you have a little bit of a "this is this, this is this"? Can you do a general comparison from your perspective? Yeah, yeah.
Speaker 1: And so I'll say when you go down the SOC 2 path to start, 99% of companies are going to start with what's known as a Type 1 audit, that is a point-in-time audit. And that means you could put the controls in place yesterday, from at least a design perspective, and you could then have a third-party examiner, typically a CPA firm, come in here and provide an opinion on the design of those controls in the form of a SOC 2 Type 1 report. However, Type 1 is not the finish line. You have to get to Type 2 in order to meet any sort of real benchmark that is expected by readers of these reports in the US. In those Type 2 periods, the shortest you can do is three months. But most commonly, your first Type 2 is going to be probably a six-month period. You can do three, six, nine, and twelve months. And then you want to obviously fast track to a 12-month Type 2 period thereafter. So, in terms of comparing it to ISO 27001, if we just use that as an example, or any of these management system standards, your initial certification audit is divided into two phases or stages, known as Stage 1 and Stage 2. A Stage 1 is a test of design, similar to a Type 1 report. And a Stage 2 is a test of operating effectiveness, so more akin to a Type 2. However, ISO does not have any sort of rules around aging of controls. So you can have the entire management system in place yesterday and we can audit it today. It's a point-in-time assessment. And if you are to be certified, you get an actual certificate, and that certificate has an as-of date on it, or an issuance date. So it says, hey, as of this date, you were conforming to ISO 27001 per your Statement of Applicability, et cetera. So it's always kind of a Type 1 report in terms of point in time. But it does do a test of both design and operating effectiveness to determine conformity for ISO. So there are definitely similarities there, but a little bit different.
I'll say path to success.
Rob: But now, David, remember, and Dawn as well, all these GRC ads that you've seen up I-5 and everything: you can get SOC 2 or ISO compliant within three months for a couple grand.
Speaker 1: I mean, yeah, so we can talk about that if you want to go down that route. I'm not saying it's even misleading, it's just very, I'll say, use case specific. So one thing that, if you're familiar with SOC 2, you can apply to ISO 27001 as well: you can define your own scope. So ISO 27001, or any of these ISO standards and certifications, doesn't require the entire organization to be in scope for that audit, or for that management system, as we would more formally say. So for example, if you're that two million person organization, you might be a conglomerate parent holding company, and you might only have one of your portcos go through that audit, or maybe even one product for one portco. It's also possible you have multiple ISO 27001 certificates throughout your entire enterprise, just all different scopes. And really how you need to think about a management system is think of it more like a policy set. Formally we would call it a governance program, but if you have a different, I'll say, workflow for approving policies related to information security for business unit A versus business unit B, that's probably two management systems there, even if they're both ISO 27001 conforming. So when you talk about these compliance SaaS automation tools that promise, you know, three months start to finish, I will say it's possible. And I've actually witnessed it being possible as well. However, it is more, I'll say, aligned with what we call a reduced complexity scope, probably low headcount, under 50 people, something where it's very easy to micromanage the total conformity to all the controls, where you say, all right, 100% of people have now acknowledged security policies, 100% of people have gone through employee onboarding training, that kind of stuff.
It gets more difficult with, obviously, volume of personnel and volume of processes.
Unknown: Yeah.
Dawn: And I think the key, and David, you may or may not agree with this, but there are a lot of platforms. The platforms are helpful to gather evidence, to help the flow, the workflow, right? Of the internal audit and the external audit. But the reality of it is the customer has to be held accountable, and they have to actually do something. So I think the facade is that these automated platforms do it for you. And they don't. You know, they say you need to do this and this, but you have to do it. So that's one thing, is that we find that some customers just kind of get, oh, I just hooked everything up, and it's just going. And it's like, well, but you haven't uploaded evidence, you haven't uploaded your policy. So it really is a great tool. A spreadsheet's a great tool too. But you have to actually have that accountability and do it. And I think what we're seeing is people are rushing into these certifications and they don't understand what it takes. And sure, you can get ready in three to six months, you can fast track it, sure. But you have to have someone in the organization, or a group of people, that are going to be doing it. So I think that's what we see too: we need to do it, we need to do it, but I don't have time. So we run into that, and that's frustrating for them, and then we do as much as we can. But as internal or external auditors, we can only do so much, right?
Speaker 1: So I also think it's the classic short-term vision as well, where people just want to have some sort of milestone that they can point to, like, hey, we procured the platform, we're on our way now. And you're totally right, with any of these larger cloud apps, and this is not just true for the compliance SaaS tools, you have to take time adopting and implementing it initially as well. And I agree with you, they have a ton of value in terms of walkthroughs, tutorials, how to get to the finish line. But if you're not dedicating FTE staff to that and making that the pinnacle priority, you will struggle initially with some of these tools. Now, these tools, I've seen variations of customer success up front, or they'll give you 10 hours of free work or something like that to help you set it up. But to your point, it's more than just setting up all the integrations so that you can have these feeds come into these compliance automation tools. You actually have to go fill out their policy libraries. You have to then actually perform the test against the design to make sure you're conforming to them. And then, not to mention broken connections, which, I saw one of these tools now is advertising 300 plus integrations. Like, I guarantee you that that is not perfect 24/7.
Speaker 4: Nothing's, like, going to have to break-fix that.
Speaker 1: Yeah.
Speaker 4: Right.
Rob: And then we find that it becomes another tool to manage. And you almost need a team to manage a tool. Like there's a team to manage the computers or the servers or the cloud, right? You still have a team to manage that.
Speaker 1: Well, ironically, I think these tools actually recognize this issue that you guys are talking about too, because they have entire partner directories now on some of these tools where they talk about a managed service provider that will help you set this up as well, because they understand that that creates stickiness for them and reduces customer churn.
Dawn: And honestly, some folks, and I say folks because this could be whoever in the organization is in charge of this compliance program. It could be the compliance officer, the DPO. I mean, it could be the CISO, it could be the CFO, whoever is in charge. They're either techie or they're not. So we find that sometimes, because they're not technical, they look at us, they look at the software, and they're like, oh, I thought this would do it itself. So I think there's a false sense of "it's going to do it for me." And there isn't a quick fix. So we have to be very diligent in helping them. And that's what we do: we walk alongside them and help them. And we have gotten customers from some of these tools to help assist them over that line. And so we're happy to do that. And like I said, these tools are great for collecting and giving you that vision, but you have to pour into it. So it doesn't do it for you. I wanted to move on to some of the challenges you see in the audits that you're doing, David. And this is not just our customers, but overall, with Mastermind's customers. What are you seeing? Is there an overarching challenge that you're seeing, or is there a handful of challenges? Just discuss that and maybe how people can alleviate those challenges.
Implementing Multiple Compliance Frameworks
Speaker 1Yeah, um, I'll say probably the biggest challenge, and this is slightly broad, but it's uh I'm gonna be careful my word choice here, but I'll say regressing into ISO certification. And what I mean by that is there's an existing security or governance program already in an organization, and they decide to adopt like ISO 27001 after that program has been established. And so ISO 27001, just use it as an example, it covers every major function or activity you would have in a company again, going from two-person organization to two million person organization using that analogy again. So procurement, legal, HR, like engineering, uh facilities, like it will cover all those areas and apply controls based on the risk there. Um, so if you have an organization in Van Ryan, you guys work with a lot of HIPAA customers, and they've already created an initial policy set and it's all HIPAA-based, it's probably great for HIPAA. It's very, you know, like scheme specific. It is purpose built. But then someone decides later, they say, okay, we need ISO 27001 as well. Or we need SOC2, like it applies to any of these programs that were not authored by the same scheme owner. And all of a sudden they got to take that policy that overlaps with those two schemes. So in this case, HIPAA and ISO 27001, I'm assuming there's probably an acceptable use policy of sorts for HIPAA, and they say, we have to now augment this to meet ISO 27001 without breaking the original HIPAA that we initially needed this for. And so where I see I'll say the biggest pitfalls, both in time and efficiency in a budget, is just being very um short-term focused. Like if you are going from HIPAA to ISO 27,001, I guarantee you, probably sometime in your life cycle, either a customer is going to request in a different compliance framework. Um, you're gonna decide you want to mature into something else in addition to this. 
Um, and building for, I'll say, the least common denominator early is gonna be very advantageous for you as an organization so that you kind of build this kind of integrated governance program. We would call it a management system in ISO terms, um, so that it can flex based on the new requirements, new risks, new customer requests that you're gonna hopefully anticipate here in the mid and long term. And so where I see the biggest issues with customers and the most common pitfall is the customers starting from scratch actually have an advantage over the customers who might have a more mature program or a longer standing program because they try to backtrack into ISO. And what I mean backtracking into it, Don was talked about earlier about it's like it is more specific, but more specific is not necessarily more rigid. It sometimes is very broad, and so they end up like dumbing down certain requirements, like maybe a password policy, like it used to say 12 characters of length, and now they say, Oh, we just need to be a strong quality password because it's all ISA requires. Like now they're out of compliance with scheme one that they originally built this for. So I find customers trying to mash schemes that were never meant to be coexistent together, like there's a few that are like common controls framework-based. Um, that's where they create errors for themselves, and they honestly sometimes create um I'll say more or less shortcuts from it as well that end up creating not conformities. That's interesting.
Rob: Yeah, just the complexities of that. And I think that's a very valid point you make, is mature organizations, when they've set things in motion, they have to kind of break it apart and then do it again, right? And fix that. Have you worked, you know, I think a lot of our clients and inquiries lately into certification are more mature, you know, they're 10, 20, 30-year-old companies. Where have you, besides the change in how the process and policies or procedures work, what about the challenges with leadership and stakeholders? Because what I'm noticing too is you'll get a good CISO or you'll get the IT manager or you'll get someone in legal go, we've got to do this, but then the stakeholders don't get bought in. So what are some of the pointers you have to get stakeholders bought into an ISO certification?
Speaker 1: Yeah, this is honestly a version of sales 101 as well, but it's attaching yourself to a pain point, right? Or a perceived outcome you want. So I'll switch gears here. We've been talking about ISO 27001, but let's talk about two other management system standards, 27701 and 42001. So privacy information management, and artificial intelligence management. Privacy information management, I'd say it had its heyday probably in May 2018 when the GDPR went live. And at that time, 27701 didn't come out until 2019, but when it did come out, it was still riding the coattails of GDPR. And we had a lot of state-specific regulations coming out as well. So CCPA was obviously the first, and that was the most dominant and remains the most dominant. Obviously it's being revised right now, not revised, but new enforcement actions going into place with the CPRA. And people were saying, how am I supposed to keep up with all these random state-level and other jurisdiction-specific consumer privacy laws? And honestly, the answer is a management system. And so 27701 got a lot of, I'll say, momentum from that type of pain point. And that helped a CISO type, who may not really be in a privacy function at the time, go sell it to general counsel, sell it to executive team members as well. They were all familiar with what the GDPR was, they were familiar with what the CCPA was. They saw Facebook get fined to kingdom come with Cambridge Analytica. And they were like, all right, I don't want to be in the news. Let's do it, let's throw some money at it. Now the same thing's happening here with AI-related risk and responsible use. We had the EU AI Act that was initially drafted, and that draft got leaked in December of 2023, the same month ISO 42001 came out. And so as a result, yeah.
I mean, this one was probably a little bit more calculated than 27701 on timing. But now the EU AI Act is in force and we're starting to see the most sensitive of systems start falling under that regulation. Other organizations are saying, well, we use AI, and it might just be an AI feature, it might be a chatbot on your website. But guess what? There are certain risks associated with the data collection that's happening there, with how you train models, with which LLMs you are allowing into your environment as well, especially if you don't control those LLMs, if you're not an AI producer of sorts. And I think a lot of organizations, just like we are as audit professionals and implementation professionals, are just trying to wrap our hands around what the true risks of this technology are, because it's developing so quickly. And I'll be the first to admit, your security auditor is not a privacy expert overnight. Your privacy expert and security auditor is not an AI expert overnight. I always liken it to the crypto and blockchain enthusiasts, they were all throwing it on their LinkedIn headlines the second it all came out. And it's like, I'm a blockchain expert. Probably not, because it hasn't been around super long unless you're in a PhD program. And I think this is one of those areas where it's kind of FUD. There's fear, there's uncertainty, there's doubt from the executive teams for some of these companies saying, well, we know we're using versions of AI in certain systems and we have AI features that are go-to-market or in development. How do we maintain our risk posture around this? And how do we reasonably control releases? And that's where I think the popularity of 42001 is coming from right now across our core segments of customers as well.
So going back to your original question, I think you attach yourself to current events and other pain points. Yep. And I think that's how you get the buy-in, not only from a resource standpoint, but probably budget as well.
Dawn: So yeah, this is a good conversation about AI, because we hear about AI all the time. AI is taking over, AI this, AI that. So for our listeners, the AI ISO, is it like an addendum to 27001 or is it a standalone?
Speaker 1: Yeah, good question. Because that's actually different from 27701, how it was set up.
Dawn: So we're gonna get that question. And I know that a customer of ours had performed a couple of other ISO audits with you, and I think one of them was cloud and one of them was PII. I think the extension standards, yep. Yeah, so kind of explain the AI one and what that means. If someone's like, hey, I need that or I want that, what does that look like?
Speaker 1: Yeah, no problem. So these ISO standards, and I guess the more appropriate term is ISO documents, now that we're getting into this topic, they vary in terms of, I'll say, the weight of the document. So there are international standards, and international management system standards like 27001, 27701, and 42001. And some of them have dependencies, or what they call co-requisites. There's no prereq, but there is a co-req. So 27701, and I'll tell you the difference between a co-req here in a second. Yeah, so many numbers. What's there, is there a difference? I'll explain. So the privacy one we were talking about, 27701, it is its own management system standard. However, it does have a co-requisite requirement with 27001 for information security. So truly you can't have security without privacy, or can't have privacy without security, right? That kind of tagline. But the co-requisite, all that means is you could go into a stage one, stage two without having 27001, but you could do it in parallel with your initial audit for 27701. Whereas a prereq, in these terms, would be you already have 27001 before you start stage one for 27701 privacy. So the question on AI, 42001, there is no dependency, there's no co-req, prereq, nothing. So you can have a standalone 42001 certificate without any other ISO certifications. Yep.
Dawn: So there's no prerequisite with that.
Speaker 1: No. And then you mentioned extension standards as well. 27017, which is more security in public cloud environments, and then 27018, protection of PII in cloud, or cloud privacy as we would kind of talk about as the short name. Those do have a co-requisite with 27001 for information security management. Got it. Yep.
Dawn: Yep, perfect. Okay, so AI is okay. AI stands alone. Yeah, yeah. I think we're gonna get that question.
Rob: Yeah, it will always stand alone because Skynet has to be built. Yes. Wow. There the Terminator goes. Good reference. Dude, it's over, yeah. Schwarzenegger dies, folks. I don't know what's gonna happen. He's got the plan, we've got the movies.
Dawn: You should put the Terminator thumbnail as the podcast picture. I'm just kidding. That could work.
Rob: Yeah.
Dawn: Well, I have to give kudos to David, because you said all those numbers super fast, because you are a super fast talker, and you said them very clearly. I'm actually very impressed by that. Just that alone.
Speaker: So probably a good segue to that's all Mastermind does. So you have to be very versed in it. I don't have to know all the other acronyms.
Mastermind Industries and Strategic Partnerships
Dawn: So tell our listeners, I mean, we obviously know, the three of us know what industries or customers you've helped through the ISO 27001 certification. But what other industries do you work with across the board at Mastermind?
Speaker 1: Yeah, so we work with three primary, what we call technical areas. And so the one that you guys are obviously most familiar with is cloud applications, cloud service providers. And that's gonna have a ton of overlap with a traditional SOC 2 examination applicant or candidate. The other two, that you won't be surprised by, but obviously highly regulated as well, are financial services, and then the second one being healthcare. So those three are our bread and butter. And we also view those as being the ones that we have good knowledge of, like the traditional risks that plague a company that is a service provider within those specific technical areas. There are others that we've run into. And I'll say I don't want to say that it's a core focus area by any means, but ones that are starting to pop up more are higher education and then, ironically, actually law firms, which I say ironically because, like, why now? The Panama Papers was like 10 years ago now. Right, right, right. But they do have interest for similar reasons as well, where they just have end customers asking, how are you maintaining, you know, trust and security in my data?
Dawn: Yeah. Yeah, that's great. Wow, yeah. I wouldn't have thought, well, yeah, you're right. It's kind of like you should have done it a while ago. We have some customers that are attorneys. We haven't been asked that question yet from them, but maybe it's coming.
Speaker 1: It's typically driven from their end customers, not some, you know, nice-to-have internally, yeah.
Rob: Absolutely, it's kind of like doctors and HIPAA. I mean, honestly, we have like three medical practices and they're either DPCs, direct primary care, or the concierge, and they get it. Traditional physicians that are in the system, they don't care. Yeah, until they have to care. Right? Yeah. Until, you know, the Change Healthcare of the world happens and they go, oh, you know, like you mentioned, or the Equifax, oh, we've gotta do something. There's gotta be an event of some sort that creates awareness or urgency. Yeah.
Speaker 4: Oh my gosh.
Rob: Now, you know, David, there's just so much information. So how can people find you if they want to know more about Mastermind? They can obviously reach out to Dawn and me and we can connect you, but how can we learn more about you and Mastermind?
Speaker 1: Of course. So Mastermind is on the internet, mastermindassurance.com. The dark web. No, it's not the dark one, but okay. Mastermindassurance.com, that's assurance, so not insurance. And you can also find our business page on LinkedIn. It's like LinkedIn.com slash IN slash mastermindassurance. You can follow myself as well, David Foreman, on LinkedIn. If you follow me, I won't get off your feed. So you'll see a lot of announcements and notifications. Yeah, but also you're welcome to just email us too, so you can ping us at hello at mastermindassurance.com and we'll reply probably within 15 minutes. So time it. Awesome.
Dawn: So I have to ask, hang on. I have to ask, because your logo is obviously Mastermind, the mind. I see a lot of, you know, your posts have the brain, obviously. But tell me about the logo and what went into developing that.
Speaker 1: Yeah, so the logo, it was purchased. I did not develop it, but I did do quite the research into it, to be honest. Especially as I was first founding the company and establishing it. But I do have all the paperwork on it. It is mine now, so I'm happy about that. But I actually had a customer tell me this the other day. There is a semi-villain in one of the, I think it's the Incredibles movies, that this kind of mirrors a little bit. It kind of looks like it. But I was looking for basically that traditional kind of hacker look where you had the hacker with a hoodie on, and it kind of has the Anon kind of view to it.
Speaker 4: Yeah.
Speaker 1: But I didn't want it to be that dark either. I'm big into, I'll say, monochromatic color schemes as well. So black, white's a hat right now. We do have a primary color palette, but basically one thing I was doing when I was just building the company was I wanted to make sure that everything from the brand to formatting to any text you would read, or copy that you would read related to the brand, was all very crisp. It followed the same voice. And because I believe when you're building a brand and building a company that what you see in, I'll say, pre-sales as a customer is what you will get as part of the actual delivery and execution of the project. And so maybe that's a little deep for this webinar here, but it's been something that I've been very focused on as well, and how we've been building this company is just making sure there's quality in every interaction with the brand, whether it be you as a customer, you as a partner, or you as an employee. I just want to make sure that this is coming out as a very high-touch program here.
Speaker 4: Yeah. Yeah, yeah.
Rob: That's a great question, Dawn. And that, you know, is a great way to kind of wrap up as well, is being strategic partners. We are strategic partners with David there at Mastermind, and we do the readiness, we do the lift, and then we package it up and give it to David, and he goes, yay, you're great, or oh, you gotta go fix that. And he's able to apply that true certification. And so that's what we're so excited about, our partnership with you. And being able to build both businesses, because small business is the backbone of the US economy. 100%. Heck yes, Rob. We know that; we've worked in the big machines. You've mentioned Coalfire, I was at IBM, and Dawn, you've done, golly, you've done your family, big insurance companies. And, you know, you don't want to be the cog, it's better to be the linchpin and do your own thing. And thank you so much for joining us this week and just talking about ISO and how amazing ISO is, and it's the only certification, and you don't need anything else. That's what you told me in the green room. Everything else is junk. ISO's the best. I don't know. Did I get that? Did I go off cue? Oh, sorry. Yeah. But we're gonna go ahead and put all the links on how to connect to you in the show notes. And we thank you, man. No, thanks for being here.
Building Longstanding Sponsorship Relationships
Speaker 1: Thank you both as well. And I appreciate you guys giving me the time. But I'm gonna even go a step farther here on this idea of a strategic partnership, for anyone listening, and this is why I was cracking up when he was talking about it as well. The VanRein team was actually the first partner of Mastermind as well, in the sense that it was the first referral to Mastermind, and it was also the first customer whose work was executed by Mastermind. So thank you guys very much for the opportunities, the sponsorship you guys have created for the company as well.
Rob: And we hope that not only can we reciprocate, but that this is a longstanding relationship that's just starting. Yep, definitely is. We loved it. We've had people help us. You know, we're up to what, almost eight years in this whole thing, Dawn. We've had people reach out and help us, and it's now our turn to help others build their own small brand business. That's what's critical, and that's the American dream right there. So very good. Again, David, appreciate it. Thank you so much for having us, and for having you. Thanks for joining, man. Yeah, all good, all goods. I enjoyed it.