October 12, 2017

Last Updated on January 16, 2024

Bart is the IT director for a hypothetical regional health system that is seeking ISO 27001 certification. He’s the point person assigned to work with third-party InfoSec consultants on his firm’s ISMS internal audit. The goal of the internal audit is to validate whether the controls meet the business requirements, perform as expected and conform to the ISO 27001 standard.

Scenario 1

After several weeks of information gathering and a series of meetings over a couple of days, Bart is sitting across a table from the third-party team lead, reviewing the audit findings.

“We found that your controls X, Y and Z don’t conform to the standard. And your processes A, B and C don’t work as documented. You have a lot of work to do before you can expect to pass an ISO 27001 certification audit. Thanks for doing business with us. Have a nice day.”

Bart feels as though he’s been hit with a brick. His program has been judged and found wanting. And while he now knows more or less what’s wrong, he doesn’t know how to fix it.

Scenario 2

Let’s rewind and try again. Same IT director, same ISMS, different consultant. This time, the consultant shares the findings in context, explaining in depth how she arrived at them. Then she presents specific recommendations for remediation with a company-specific focus. She offers value-added information and opinions, making sure everything she says is clearly understood. Bart leaves the meeting feeling that the internal audit has been very worthwhile, his company’s money is being well spent, and the next steps toward ISO 27001 certification are clear and achievable.

The Key Differentiator: Communication Skills

Information security consultants are often the bearers of “bad news” pertaining to audit findings, penetration test results, risk assessments and so on. In this regard, it’s vital to ensure clients understand not just “what they’re doing wrong” but also the bigger picture of how this information can help them, what their options are and how best to follow through given their specific situation.

In short: our clients don’t pay us to tell them what’s wrong. They pay us to communicate to them how to solve their business problems. Sure, we can just make your audit or compliance issues “go away.” But our higher purpose—what gets us out of bed in the morning—is helping your business and its stakeholders become demonstrably more secure.

That’s why communication is just as important as technical know-how in this business. It’s only through clear communication that our clients get all the value they’re paying for.

The Importance of an InfoSec Company’s Core Values

Over-communication and transparency are core values at Pivot Point Security. They enable our work to run smoothly and deliver greater benefit, both internally and with clients. (They’re also part of what makes working here so great.) We strive to get to know people and companies, build a relationship and add maximum value, not just check the boxes or hand off the results.

You’ll see this in every aspect of our process, whatever the service we’re providing. That’s how we’ve established a 100% success rate in bringing clients to ISO 27001 certification, for example.

If you’re looking for an information security assessment and consulting firm that focuses on customer value and guarantees success in accomplishing your goals, contact Pivot Point Security.
