ISO 27001:2022 is the first update to the global “gold standard” for provable cybersecurity in ten years. Notable changes from the 2013 version will likely significantly impact most organizations’ Information Security Management Systems (ISMS).
In this episode, your host John Verry sits down with Ryan Mackie and Danny Manimbo from Schellman & Co. to explain the most significant changes in ISO 27001:2022 and their potential impacts.
Join us as we discuss the following:
- How to determine the optimal timeline to migrate your ISMS from 27001:2013 to ISO 27001:2022
- Top areas that auditors will focus on during your transition audit
- How moving to the new ISO 27001:2022 can benefit your cybersecurity program (and your marketing)
- The critical importance of risk assessment/risk management for ISO 27001:2022 certification
- The “ripple effect” of ISO 27001:2022 changes on related standards like ISO 27017, ISO 27701, and CSA STARS
To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast on YouTube here.
To stay updated with the newest podcast releases, follow us on LinkedIn here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player.
See below for the complete transcription of this episode!
John Verry (00:02):
All right. Uh, hey there, and welcome to yet another episode of the virtual CISO podcast, uh, with you as always, John Ver your host, and with me today. Not one, but two. Uh, and hopefully that means that they’ll be twice as smart as if they were a single individual. Uh, Mr. Ryan Mackey and Mr. Danny Mambo, both, uh, multiple time guests on the podcast prior. Hey guys.
Danny Manimbo (00:23):
Hey, John. Hey, John. Thanks for having us back.
John Verry (00:24):
Yeah, well, you know, if you hadn’t done a good job, you wouldn’t be back <laugh>. And we’re just, if anyone who remembers Ryan’s last visit, we’re all just gonna pray. His internet connection holds up <laugh>, and that’ll probably be not the last time that we make fun of Ryan, you know? No, it’s fine. Join the podcast. We’ll get to market. Thank you. You got those broad shoulders, <laugh>, so, so it’s a little bit awkward here cuz like, normally, you know, you guys have both been on before, and usually we do that little bit about who you are, but people should know who you are by now. Why don’t we do a, we change it up a little bit. Um, why don’t you give a brief, don’t you guys give like a, a brief, um, synopsis of Shelman and some of the things that they’re doing these days?
Ryan Mackie (01:05):
Danny, you can, Ryan,
Danny Manimbo (01:06):
I’ll let you, since you, uh, ducked out last time.
Ryan Mackie (01:09):
Danny Manimbo (01:10):
I said I’ll let you since you ducked out last time.
Ryan Mackie (01:12):
Okay. <laugh>. Well, so John Showman, we are a CPA firm and AIM assessment, cybersecurity assessment firm. Uh, you know, we, we deal with, uh, the attestation work from the a cpa, SOC one, SOC two, SOC three, uh, but we also do a lot of, uh, ISO work, which is gonna be the topic for this call. And, uh, high trust, uh, fedra, uh, pci, um, cybersecurity work that would include pen testing, vulnerability assessments, whatnot. So, if you think about it this way, we’re, we’re the trusted, you know, auditor. We don’t do any advisory work. And so if there’s some sort of technology or security framework out there that can be assessed against, it’s likely what we’re gonna be doing.
John Verry (01:54):
Gotcha. And if I’m not mistaken, you guys added Tacs to your portfolio recently. I think I saw. We
Ryan Mackie (01:59):
Did. We did.
John Verry (02:00):
Yeah. We’re starting to see a lot of activity around that. Mm-hmm.
Ryan Mackie (02:02):
John Verry (02:03):
Yeah. Uh, awesome. Now this is of course what I’ve asked you guys before, what your drink of choice is. So maybe I’ll change it up and just ask you the question. Have you had anything interesting to drink recently?
Ryan Mackie (02:14):
Danny Manimbo (02:15):
Ryan Mackie (02:16):
Danny, you wanna
Danny Manimbo (02:16):
Start? So, uh, I, I talked about last time, uh, outside of alcohol, I do, I do a lot of, uh, coffee. So I recently stumbled upon, uh, death Wish coffee <laugh>. It’s supposed to be the strongest coffee in the world. And, uh, it’s not a lie, so it’s, I gotta use it pretty, uh, pretty sparingly. But, uh, I’ve been, I’ve been dabbling with that lately.
John Verry (02:37):
That’s something I wish I would’ve found out about in college, I think.
Danny Manimbo (02:40):
John Verry (02:41):
Definitely. Is it, is it like in
Danny Manimbo (02:42):
The afternoon crash? Is
John Verry (02:43):
It just ca caffeine, just a jolt? It’s,
Danny Manimbo (02:46):
Uh, so it’s a different blend of beans. I, you know, gonna have to go look at the, the label, but I think all coffee was with, uh, what is it, Arabica, I’ll probably say it
John Verry (02:54):
Wrong. Yeah, Rakas Columbia Colo Columbia. Yeah. It’s
Danny Manimbo (02:56):
A certain blend of that and another type of bean, but just use more of, of, of one of ’em, uh, to somehow make their coffee. Just the caffeine content. Yeah. It’s, uh, it’s quite the experience.
John Verry (03:07):
Any, anything interesting from you, Ryan?
Ryan Mackie (03:10):
You know, I, I, I was at a friend’s 50th birthday party, and so, um, not quite interesting, but there were, there were a number of different yellow shots,
John Verry (03:19):
<laugh>, so, yeah. So you guys trying to recapture hit 50, try to recapture the youth. <laugh> did, did you guys go out and buy sports cars right afterwards? <laugh>,
Danny Manimbo (03:28):
John Verry (03:29):
Ryan Mackie (03:30):
Know, it was, um, uh, a lot of us that went to college together, so, uh, you know, all, all the memories started flowing back. It was, uh, yeah, I haven’t had one of those in about 30 years.
John Verry (03:38):
Yeah. And you probably won’t have one for another 30 at that 80th birthday party. When you guys get together, you’ll, you’ll, you’ll pull ’em out again, right? With your teeth? You, you’ll take the teeth out first then, then the, then do the shot
Ryan Mackie (03:49):
Does sounds smoother.
John Verry (03:50):
Yeah. Yeah. I had a, uh, I was in, uh, uh, I’d never been, first time I was ever in Dominican Republic and I, I had a drink down there, which was really cool called Mama Giana. Uh, it’s this strange combination of, uh, age rum, red wine and honey. And it is, it’s served in a bottle and the bottle is jam packed with like bark and herbs. So like, when you pour the bottle out, like literally you get half of the liquid fluid, because I mean, that’s literally how many, how much, uh, bark and herb there is in there. Um, but apparently they’d been doing it down there for hundreds of years, and I kind of fell in love with it, uh, as sort of an aif you know, late night thing. And supposedly it’s an aphrodisia. So, uh, my wife probably my wife wasn’t happy when I bought a bottle to bring home with me.
Ryan Mackie (04:36):
John Verry (04:38):
All right. So enough fun in frivolity. Uh, so 27,000 1, 20, 20 22 is official. Uh, and, uh, many of our clients, and I’m sure many of your clients are looking to move to the new standard. Um, so first question for you is, when will registrars and the accreditation bodies be ready to certify a company to the new standard?
Danny Manimbo (05:01):
Yeah, so I’ll jump in on this, Ryan, and feel free to feel free to add on. But, uh, so John, as you know, so that this standard, I’ve sure lot, lot of buildup definitely over a year of, um, anticipation and delays as, as, as we get to know with, with iso, um, it got published in, in late October. Right. Um, but we weren’t able to, to your point, to do certification audits against that until we had our accreditation updated with our accreditation bodies. So we we’re with A and a B and, and the US and, and ucast and the uk. So we’re actually going through that process with them currently. Um, and hoping to have our accreditations here at Shelman, you know, updated by the end of the end of the quarter. So end of March.
Ryan Mackie (05:43):
Yeah. Yeah. And John, I, you, you probably know it if you don’t, it’s, it’s a free standard to get. So, um, you know, ISO comes out with standards, you know, but sometimes the guidance is missing. So the International Accreditation Forum, which is the I f they came out with, uh, well, they have a host of different, what they call mandatory documents. Um, this one for the ISO transition for 2022 for 27,001 is what they call mandatory document 26. So it’s MD 26, uh, again, you can search it up, it’s free. Mm-hmm. <affirmative>, you can get a copy of it. Um, it was actually updated two days ago. Yeah. <laugh>. So this is fresh data.
John Verry (06:25):
So I’m sorry. I’m sorry. Take a, can we take a step back for a second? Cuz I’m, I’m not sure I’m following you. Are you saying that, that every ISO document that I’ve ever gotten has you pay for, are you saying that ISO 27,001, colon 2022 is no longer something you have to pay for?
Ryan Mackie (06:40):
No, it is something you have to pay for. Okay. So the, the international accreditation form is basically the conglomerate global conglomerate of accreditation bodies. Okay. And so what they do is they decom at, with guidance standards on ISO standards.
John Verry (06:54):
Oh, I gotcha. So
Ryan Mackie (06:55):
Those, those documents that they come out with are free.
John Verry (06:59):
Okay. And you called that MD 26? I have not seen that. MD 26.
Ryan Mackie (07:03):
Yeah. MD 26. And, um, like I said, we, we actually had a lot of content and info out there off of, uh, version one of MD 26, uh, which was again, just recently updated two days ago. So some of, some of the content we’ve got out there was, uh, was well, it needs to be updated. Yeah. Um, but, uh, but the, the guidance there is that the accreditation bodies, they have six months to be able to get ready to assess organizations against or certification bodies against a 2022 program. Right. So now you can’t send Annie b as Danny had mentioned, um, in January, they already released that they were ready. Okay. You know, so they, they’ve got an application process. So if, if your certification body is accredited by one of them, um, you can go through that process. Our timeline for certification bodies, we’ve got a year from the date of the 2022 publication to go through that transition process. Mm-hmm. <affirmative>. So by October 31st, 2023, all certification bodies have to be, you know, able
John Verry (08:08):
Can we, can you, when you say so, so real quick just to make sure people are following along. Certification body equals registrar accreditation body equals you, you anab. Ucast. Okay. So what you’re saying is that as the abs the accreditation bodies are already ready, the CB’s or registrars have up to one year to be to, to get ready. And what you’re saying is that you’re going to be ready before that you’re going to be ready. That’s right. You know, this quarter. Yeah. Okay. That’s right. Okay. Do you expect, just, do you expect most registrar will be in a position to, to do that sooner than a year?
Ryan Mackie (08:42):
I would hope so, yeah. Um, you know, the expectation is yes. Um, you know, from a standards perspective, you know, a lot of the management system is gonna be the same, you know, between 2013 and 2022. So it’s the, and the approach for the control set, um, obviously you gotta get your team trained up on that new control set, understanding, you know, how to test it and whatnot. Um, you know, so there, there are activities that all certification bodies have to make sure that they can demonstrate as part of that application process. But, um, you know, given that there’s a lot of organizations out there that are certified and they want to demonstrate that they are certified against the 2022 version, um, most certification bodies would be wise to start this as soon as possible. Mm-hmm.
John Verry (09:26):
<affirmative>. Yeah. I gotcha. Uh, so let’s talk about, so most of the people that are listening are not part of a certification body or registrar. They’re the, they’re the people that you work with like us, <laugh>, uh, and we just finished our audit with you guys, uh, today actually, well, yeah. Technically, uh, with the, the, uh, closeout meeting is next week. Um, okay. The, so let’s talk about somebody listening to this that is thinking about getting ISO 27,001 certified. So let’s say they’re not yet certified, uh, and they began the process and they started with ISO 27,001, colon 2013. Are they hosed?
Ryan Mackie (09:59):
No. Okay. They, they, they were hosed more in version one, <laugh>, this version two of that MD 26 document. Um, they’ve got a little bit more leeway, uh, before the requirement was that by October 31st, we can’t issue any new certs against 2013 of this year. Right. Yeah. So what they’ve done is they’ve pushed that out to April 30th, 2024.
John Verry (10:22):
Wow. Yeah. Yeah. I don’t, I’d always heard 30, uh, that October 31st was the, was that deadline. So that’s actually interesting. Do you think that that really matters that much? Because I think a, anybody that started the process already probably was already using 2022 guidance, right?
Ryan Mackie (10:38):
Yeah. Yeah. Well, I mean, you know, it depends. I mean, if they started saying in, you know, q3 mm-hmm. <affirmative>, you know, 2022 wasn’t technically published yet. Right. So they’re, they’re going off of what they think. Right. Right. Um, but at the same time, and you, you probably know ’em, we’ve had conversations with, you know, those starting that initial path, the recommendation is that even if you started with 2013 transition right now before your certification audit, you know, so that you don’t have to go through that transition audit after you get certified. You know, so regardless of when that stage one, stage two is, you know, if it’s, you know, July or later start, start that process to, to really get on that 2023
John Verry (11:18):
Version. Yeah. So, so that’s interesting. So we have a, a, a joint client, um, you know, a client here in New Jersey, and we got a phone call from them and they’re like, Hey, we, we, you know, we need to go to 2022. Uh, and before this year’s, uh, uh, certification audit and, uh, or surveillance on it, I can’t remember which one it was. Uh, and I was like, I was like, okay, well, you realize you don’t need to go that fast. You know, you should, you, you’ve got three years technically right. You can go all the way unless they changed that in MD 26. Right. October 31st, 2025 is the last there’s a
Ryan Mackie (11:52):
Catch. They they did to an
John Verry (11:54):
Extent. Did they? Oh, they changed that too. <laugh> Curve fault. Hold on, hold up on that. Hold off on that for a second. Let, let’s stay, let’s stay with this particular client called. Cause I was really surprised, and it was probably one of you guys that spoke with them. And, and I was like, I was like, well, look, I said, you know, we’re we’re counseling clients. Like, Hey, if you don’t wanna rush through it, don’t rush through it. And they said, well, Shelman suggested that we, we do do this. And I was like, really? I, I’m surprised. I wonder why Shelman is pushing so fast and, and, and, and I think it was because it was their certification audit. And you guys had said that there would be a benefit to doing this during a certification cycle as opposed to doing a surveillance cycle because you, you, you, you saved some money, right? Because you don’t have the, the upcharge during the surveillance audit in the following year. Is that what I understood?
Ryan Mackie (12:44):
They, they changed that too. Okay,
John Verry (12:46):
John. Okay. So, so basically everything I knew 30 minutes ago, I no longer know. You’re gonna know today. Okay.
Ryan Mackie (12:54):
Yeah. So, so the requirement previously was if you do this in a recertification mm-hmm. <affirmative> that you do not have to add any additional time. Okay. Right. From an external audit perspective. Okay. So what they’ve done now is that you, if it’s a recertification, we are required to add at least one half day to the audit time. Okay. If it’s during a surveillance, we have to add one full day, whereas before, that was one half day. Okay. So the,
John Verry (13:21):
But that’s a, that’s a relatively small savings, right? It is. I mean, you know, I don’t know exactly what your rate is, but it’s probably in the 3000, 3,500, $4,000 price range. Right. So you’re only talking about a, a couple thousand dollars worth of difference. Yeah.
Ryan Mackie (13:35):
Okay. Yeah. I mean, you know, it’s, it’s not significant, you know, with regards to the amount of time that we have to add and any, any, you know, kind of associated cost, um, what we’ve been saying. And, and so hopefully the communication’s not getting lost in translation. Um, you know, we’ve been encouraging every organization to, to target the transition in 2024. Okay. You know, in unless they’ve gotten headstart. Okay. Mm-hmm. <affirmative>, and reason being, and, and I think you probably know, is that, you know, some of the updates are so tied to those annual cadence activities, the risk assessment mm-hmm. <affirmative>, you know, the internal audits, you know, uh, making sure you go through and update your soa. You don’t want to rush that mm-hmm. <affirmative>, and you don’t want to have the standard update, you know, really drive what your cadence is. So if organizations, you know, maybe if you know q1, they’ve already done that risk assessment, they’ve planned it, you know, and it’s based on the 2013 version, you know, wait until 2024 and then do that transition, then <affirmative>,
John Verry (14:35):
What do you, Danny, a question for you. Like, do you think that there is a marketing value to moving to 2020, you know, to 2022 in terms of, you know, communication with your clients?
Danny Manimbo (14:50):
Well, I think known, I say 27,000 1, 20 13 for so long, I mean, it’s been 10 years since it got published. Right. But I do think that there is going to start to, um, be a lot of chatter in the market space. You know, this thing got published in October, it’s been, what, four, four months or so? So I think there’s going to be a lot of questions that start to be getting asked, um, around, hey, you know, whether it’s business partner, a supplier, a prospect, or a current customer, what are your plans for transitioning? So I think from a marketing perspective, um, to demonstrate that you are on the latest version of an information security standard, you know, that historically was, was 10 plus years old. Mm-hmm. <affirmative> is, is certainly a good thing. Right? It demonstrates that you are keeping up with technology and times and trends and, and whatnot. So, um, to, to Ryan’s point, that’s why we’re suggesting, hey, don’t wait till the last minute. Um, yeah. You know, there’s, there’s certainly benefit to be had to, uh, transitioning to the latest and greatest version of any, of any information security standard.
John Verry (15:53):
Yeah. So we’re ISO certified as, as you guys know, when we just went through our, uh, re-certification audit, uh, this past week, you know, unfortunately with 2024, you guys not no one being ready Right. To issue, you know, against 2022, we couldn’t do the transition this year. Um, so our thought process is we’re gonna do the transition next year, uh, and do it as soon as possible, you know, because obviously we look at it as being a marketing advantage. Sure. Also, like it teaches us as, as you know, so that when we’re helping our clients go through the transition, we can say, Hey, we’ve been through it. Here’s what it took here. You know, here, here’s here were the, here are the gotchas, if you will. Right. As kind of going through the process as well. Um, so what are the, some of the other things that would, um, you know, influence your thought process on, on going through this? Um, like I said, we’ve got this idea of certification versus surveillance audit. Do you think that, that that is something that you would do it, um, other standards and scope? What, what are some of the things that you think would, would Dr. Would drive that conversation that you’re having with a client is to say, Hey, should we do this now or should we wait a little, you know, to the following year?
Danny Manimbo (16:59):
Yeah, Ryan, I’ll, I can jump in on this one. Yeah. Just, uh, based on the, the new updates that came with this MD 26 document, and we’ve got a blog that, that we can post that you can, uh, you can share with the show notes, John mm-hmm. <affirmative>. But, um, the one thing that they did was originally to Ryan’s point, they said, anybody new. So if you’re thinking about getting certified, you know, you would have to be basically to begin your certification audit no later than Halloween of this year, October 31st. Right. So we talked about how that has subsequently been pushed back to April 30th, 2024. So they said, not only do you get an additional six months, you have 18 months if you’re new, but if it’s a re-certification, you can start, you can’t start any later than that same 18 month date. So if you’re new re-certification year this year or next year, there’s basically, you wouldn’t be able to start, they used the word begin by, um, or begin by, begin no later than they say, um, April 30th of next year. So if you’re re-certification for next year and you’re, you know, in Q1 or before four 30, you, I guess you have that option. But if you’re at any point later than that May 1st forward, your, your, your, your hand is, is essentially forced by this new md, MD 26. Um,
John Verry (18:14):
Well, that’s kind of weird. It, it kind of, it, it disadvantages someone who happens to be in year two of their cycle as opposed to year three.
Danny Manimbo (18:22):
That’s right. So if you think about it in your case, you know, you have 2024, you have 20, you can, you basically
John Verry (18:29):
Could go to the limit. Yeah, we could, we could push it to the limit.
Danny Manimbo (18:32):
Whereas some folks, they get cut, you know what, what is that bad at math on the spot? 18 months short. Really? Yeah. Because it’s a 36 month transition on the, on the surface. But there’s gonna be very few firms that have the ability to take advantage of that whole thing just depending on where they are, where
John Verry (18:46):
They’re on the
Danny Manimbo (18:46):
Surface cadence and, and their cycle. So, yeah.
John Verry (18:49):
What, what about the, what about, you know, a lot of our clients are tied to, you know, uh, 27, 0, 17, 18, yeah. 27 7 0 1 is an important one. CSA stars talk about like how that, you know, might influence this and, and when we can expect to see those fully aligned.
Danny Manimbo (19:06):
Yeah. This is where it gets fun. Um, so a lot of those standards,
John Verry (19:10):
But you have a, you have a strange description of fun, Danny. I mean, yeah. <laugh>, your fund sounds, your fund sounds like Ryan’s party, <laugh>. We’re, we’re
Danny Manimbo (19:17):
All iso nerds here. But, um, so all those, I mean, you know this, but maybe just for the listener, all those 27,000, we’ll call ’em family or, or sector specific standards that you just mentioned. They all link back to the control set, which is annex A in what is currently ISO 27,000 1, 20 13. Right. So 27,002. Um, those, um, those standards haven’t been updated as far as, when I say link back, they’ve got basically additional guidance mm-hmm. <affirmative> on top of what, 27,002 or annex A of 27,001 says. So, so for example, with, with 27,018, you know, it’s, it’s, it’s a privacy control for, for PII processors privacy control set. So they may say, okay, okay, for control the security awareness training control in, in 27,000 1, 20 13, 7, 22, well, in your security awareness training, you know, consider having topics that cover processing of pii mm-hmm. <affirmative> or, you know, privacy considerations.
Um, so those without those standards subsequently being updated, they’re basically pointing back to, um, what will eventually be, you know, a, a standard that has been superseded by 27,000 1, 20 22. So it’s a bit of reverse mapping that we need to do on our side. Um, it’s not gonna impact our clients. Uh, we haven’t received any guidance that would say that’s going to put their certifications at risk in any way. We can still continue to deliver our clients who due 2 7 7 0 1 20 7,018, 17, all those extension standards, but we just kind of need to do a little mapping on the back end, should they pivot to 27,000 1, 20 22, and, and say, okay, well that map to, you know, control X, Y, Z and the 2013 standard, which we know maps to <laugh> mm-hmm. <affirmative> this control and the new version of this standard, and kind of, kind of do it that way.
I will say, of those standards that you just mentioned, it does seem like 27,017, which is, you know, cloud security mm-hmm. <affirmative> that seven or so controls in that, in that, uh, control set is going to be the first one that’s gonna be updated. Uh, they just released a draft international standard of that. So that one’s close. I don’t whether it’s sometime this year, um, you know, is is to be seen. But, um, I know they were working on updates and, and a big part of that update is in alignment to the, yeah. New control set of 2022.
John Verry (21:37):
What about 27 7 0 1? Because that to me is increasingly probably the most important of the additional Yeah. Guidance.
Ryan Mackie (21:47):
Yeah. And as Danny said, I mean the, um, um, all of those standards that you mentioned, so ISO is going through the revision process right now just to, to get those associations updated. Um, you know, the challenges is that, you know, with, with, with anything ISO it’s process, you know, so they have to go through and, you know, pass it along for, you know, um, q and a, you know, for, you know, draft feedback, comments, you know, go through their process. So it moves a little slow, but everything is in the process of getting updated. Mm-hmm. <affirmative>, it’s just in that interim, there’s gonna be a gap as Danny had mentioned, you know, between, you know, probably well now until potentially October of this year, maybe later mm-hmm. <affirmative>, you know, before some of those standards get published.
John Verry (22:33):
What about, um, other attestations that are related to 27,001? So as an example, CSA Stars, do we, do we know, do we know much there yet?
Ryan Mackie (22:45):
Well, so for the ccm mm-hmm. <affirmative>, which is basically the cloud control matrix, you know, which all organizations have to, um, uh, review for level one, level two, or, you know, eventually level three as well. Um, you know, they, they haven’t updated that mapping yet. Uh, so, but, but again, because everything is already cross mapped,
John Verry (23:04):
So, so you’re cross mapping, you’re cross map in the same way you were talking about the other ones. Okay. And, and then, uh, would the same hold true? Like, uh, what about something like high trust or what about if you know, or would there be, you know, SOC two isn’t directly mapped to it, but I mean, if someone has a SOC two and an ISO 27, uh, 27,001, any, would, would there be any consideration there of, of this?
Ryan Mackie (23:26):
There would be. We’re working through that. As a matter of fact, the, a CPA has a really great mapping mm-hmm. <affirmative> to the 2013 version mm-hmm. <affirmative> of 27,001 in, in the soft two criteria, um, point to it, you know mm-hmm. <affirmative> maybe weekly mm-hmm. <affirmative>, you know, so, but they haven’t updated their mapping to the 2022 version. Okay. So we’re kind kind of in this zone of just, you know, having to manually, as Danny had mentioned, cross map, you know, between standards. Um, again, as you know, with the 2022 version, you know, all controls from the 2013 version were, you know, basically covered, you know, whether they were combined one for one, I mean, the implementation guidance was updated. So there’s those 11 net new controls that somehow just can’t really find that mapping. So we’re gonna have to manually make sure that we can draw them back to either SOC two, high trust, ccm, whatever it may be.
John Verry (24:17):
Gotcha. Yeah. And one other thing that, that I think would also potentially influence is if you’re on a GRC platform and they haven’t yet integrated 2022 into the GRC platform, uh, you know, that might negatively impact your ability to move, uh, when you’re ready to move. Right?
Ryan Mackie (24:31):
John Verry (24:32):
Um, so we’ve kind of stayed focused on the technical and tactical side of the migration. What about moving for the real reason? We we’re theoretically on ISO anyway, right? I think a lot of people here really for the attestation, right? Being provably secure and compliant, but realistically, ISO is about managing risk effectively. Um, thoughts on, uh, people moving to 2022 because it’s a better risk management framework. And, and, and, and if so, if you agree with that tenant, uh, how do you think it’s a better risk management framework? What are some of the benefits that people should be thinking about?
Danny Manimbo (25:16):
I think one of the things, we might have talked about this a little bit on our initial conversation, but one of the things that’s interesting, you know, is to Ryan’s point, the actual framework, um, especially the ones that has to deal with the risk assessment, um, didn’t really change as far as what’s contained within the, the management system framework clauses four through 10 for, for risk assessment. Um, but one of the things introduced with 27,002 when that got released last February, um, were some tools and terminology, if you want to call it, to assist with the risk assessment process.
John Verry (25:52):
Danny Manimbo (25:53):
The hashtags. So, for example, controls have these things called the tributes. Um, uh, so
John Verry (26:00):
We just wanted to be, we just wanted to be cool in security and, and have hashtags, I think. Exactly. I would’ve loved to sat on that committee, cuz I would, I would’ve just been giggling the whole time.
Danny Manimbo (26:10):
Oh gosh. But, uh, ICEO attempted being cool. So they’re, they’re, um, that,
John Verry (26:17):
Did they, did they do jello shots during the, during the, oh my gosh,
Ryan Mackie (26:22):
It was virtual. It was virtual. No jello, no virtual.
John Verry (26:26):
No virtual <laugh>. Sorry, Danny, I couldn’t read.
Danny Manimbo (26:29):
Resist. No, you’re good. I mean, like I said, the whole, as much as we can lighten up an hour long conversation about iso, I’m all for it. But, uh, yeah, the whole intent there was to facilitate the risk assessment process, making sure your bases are covered. Hey, you know, it’s got now, you know, uh, labels you want to call ’em or attributes related to controls. It’s corrective, it’s preventative, it’s, um, detective. So it allows you to basically, or it’s associated with CI or a confidentiality, integrity or availability and, and a couple other categories that they’ve, they’ve put out there. And they also leave it open to, to organizations to customize for their own benefit, uh, for identifying control owners and other purposes. But hey, you know, now it allows you to assess your whole control inventory and say, Hey, look, do I only have, you know, detective controls in this area?
Or do I have, uh, not enough controls around availability? So I think it provides a little bit more visibility and less guessing maybe, uh, especially for those who are more, uh, new, uh, to, if you want to call it to, uh, to these risk management frameworks, how to use ’em, where to get started. I mean, it’s a little, um, uh, intimidating maybe to, to have such a framework with, you know, what was 114 controls, now it’s 93, it’s still a good amount of controls for which to, uh, to, uh, to select from. So it kind of helps you narrow down those choices a little bit to hopefully more effectively manage risk within your org.
John Verry (27:51):
Do you guys see, do you guys think that, uh, that’ll be something that your auditors will be looking at, is looking at the risk assessment and saying, you know, so as an example, if they notice that in a particular, let’s say that we’re migrating, you know, new systems, systems to the cloud, you know, did we consider not only confidentiality risk, but did we consider integrity and availability in our, on our risk assessment process? And, and then when we did come up with our, uh, risk mitigation plans, right? Did we, like you said, did we cover corrective detective, preventative, et cetera? Do, do you guys see that that’ll be part of your audit process that your, you know, your auditors will be specifically looking for that?
Danny Manimbo (28:30):
I think they’re all tools to facilitate the conversation around that. I mean, one of the things obviously that we’re looking for in any audit, you know, surveillance research is how, is how somebody might have, um, you know, incorporated changes within their certified management system. So if they move from on-prem to the cloud or whatever it might be, CSP to csp, um, can they demonstrate that their risk assessment, you know, kind of scaled accordingly. So whether that’s looking at attributes or, or just the, the, the process and the, um, the methodology in general. So I think, you know, assessing change risk is, is always, you know, kind of gonna be part of our approach. And, and I think these tools can help, like I said, facilitate that, that conversation. Yeah.
John Verry (29:15):
Yeah. One of my, uh, one, one of the, you guys gave us, uh, an offi this year that I actually liked and, and complimented gel on. Um, and it was an offi for, it was an offi for, we did something good in, you know, it was funny. Like we, we, we, we added conditional access, right? So, so conditional access at the end user level, and we have a plan to, to get it to the device level. And, but he gave us a finding, uh, or excuse me, an, um, because he didn’t see evidence of that in the risk assessment, uh, which I actually thought was very clever. And it’s really the way that, you know, that whole process is supposed to work. So I do think that, uh, I do think that it would be, I would be encouraged by the auditor, you know, using those attributes in the way that you discussed in being critical of our risk management process. Mm-hmm. <affirmative>. Yeah. I, I, I think that would be value add if you guys were actually doing that.
Danny Manimbo (30:12):
And I think the risk assessment, I don’t want to call it underrated, but it’s, it is really the foundation of, it’s the hard management system, right? So it’s like, how do you effectively roll out controls if you haven’t, um, you know, assessed risk around those areas? A lot of people kind of think that’s independent of, I’ve got a risk assessment and I’ve got my soa, I need ’em both, but do you understand really how they work together and what the purposes is, uh, you know, of those documents and, and you know, how one’s derived from the other, et cetera. So, um, a hundred percent it all revolves around the risk assessment and having that effective, so
John Verry (30:47):
Mm-hmm. <affirmative>. Yeah. I’ve always said that you could, you could look at the budget request that somebody’s making, and if you can’t find risks, then, then something’s wrong, right? Mm-hmm. <affirmative>, because, you know, technically right. A risk is a, a mechanism that, you know, that mitigates risk, you know, if you’re implementing a new control, I should be able to rationalize that to the risk that it’s tied to, right? And so that was exactly how he, he used it, you know, and I, I’ve said it for you. So I, I, I just, I just laughed him. He’s like, well, and you could tell he was, you know, you know how like auditors are when they present offi, right? They prepared for the fight and they saw sell it a little bit. And I’m like, no, dude, that one’s, that one’s awesome. <laugh>. Yeah. Oh, okay. He was, yeah, he, he was really happy. Yeah, he was really happy. Um, that’s
Danny Manimbo (31:31):
John Verry (31:32):
So what else do you think? So, you know, I, I do agree with you. I think that’ll facilitate better risk management, which is the heart of the system. Mm-hmm. <affirmative>. Um, what about some of the changes to the controls? You know, are there benefits there? So as an example, I th I, I think, you know, 27,000 1, 20 22 does a better job of, of, of, of handling cloud.
Danny Manimbo (31:53):
Yeah. Yeah. So there’s, there’s the 11 net new controls, um, that got introduced, right? Because with the consolidation and everything like that, and we went down for, for 21 controls from one 14 down to 93, there’s one control specifically, you know, I think it’s security of cloud services or something along those lines. So when I first read that actually, I thought, oh, you know, are they just, are they pivoting away and eliminating 27,017? Is this gonna be, you know, kind of, you know, consolidated into this new control set, but that, that’s still gonna be there? Um, well I think that was part of the, the, the idea behind the update was a, was a modernization of the controls and, and, um, more of a, uh, representation of the fact that so many people are in the cloud. There was a lot of obsolete references in that 2013 standard.
So, uh, yeah, they’ve got, they’ve got a control around the cloud. They’ve got control around data loss prevention, configuration management, secure coding. Um, all of those things I don’t think should be foreign concepts, uh, to a lot of organizations cuz it’s kind of the messaging that we’re giving is, um, you know, if your, your ISMS has been staying up to date with, with trends in tech and, you know, yeah. Um, you should be well positioned to meet this. So, um, the cloud controls will still kind of take the deepest dive in in 27,017. But, uh, yeah, there are controller two that, that are specific to that don’t to memorized yet. So, <laugh>, what’s that said? I don’t have that control memorized yet, but,
John Verry (33:22):
Well, you haven’t had to do an audit yet.
Ryan Mackie (33:26):
Well, you know, and, and John, one thing that they did is, is, you know, before it was in just, basically it was, it was information security, you know, now the standard itself is information privacy and cybersecurity.
John Verry (33:39):
Ryan Mackie (33:40):
Right? So what they’re trying to do is, with some of those new controls, is really make sure that it’s not specifically within the boundaries of the organization. You know, so you’re looking at things that would be more cyber security, privacy related. Um, so again, as Danny had mentioned, I mean, it’s, it is not new. You know, there’s nothing that they, there’s nothing that’s, uh, innovative that they’re saying, Hey, we’re gonna have this new control that an organization has to consider. Organizations hopefully should have already controls in place. It’s just now it’s defined control criteria within 27,001.
John Verry (34:14):
Right? I mean more it’s modernized. And so we have more, I don’t wanna use the term prescriptive cuz I think prescriptive in general, ISO doesn’t tend to be highly prescriptive, but it’s more prescriptive, more contextualized maybe is a better word. Right? I think that the guidance around cloud privacy and development has been better contextualized to the technologies and infrastructure and processes of today. Yeah. Okay. Absolutely. Yeah. So I think that’s another benefit is that mm-hmm. <affirmative>, you know, and I think even just when you review the document with, with that context, I think it helps you look at risk and looks at how your control should be architected in a little bit sharper and more contextualized way.
Ryan Mackie (34:52):
John Verry (34:54):
<affirmative>. Yeah. Yeah. So, so I do think that that’s an advantage and I think that’s one of the things that we can’t forget as when we’re providing people guidance. Cause so much of the guidance is around how to do it easiest and when to do it best and what the timing is. But I think the sooner that you move, the better your isms is going to be. Plus I think if you’ve, and I hate to say this is an ISO guy and I love ISO and we’re ISO certified, but it’s going to make you revisit a lot of your isms and, and you know, we do revisit it each year, but do we do a truly deep dive or not? No. So I think anytime that you’re gonna revisit a, a, a, a big process that’s been in existence for four or five or six years and hasn’t truly been almost rearchitected, you know, this idea of revisiting that with a fresh lens with new guidance, I think is gonna end us, you know, your ISMS is going to be better at the end of that process, right?
Danny Manimbo (35:44):
John Verry (35:45):
Okay. Um, so you mentioned that it adds, uh, depending upon when we do it a half a day or one day to the audit, so what, you know, quote unquote new things, will the audit include, you know, what will, what, you know, if I was preparing for this, what are some of the areas that you’re gonna focus on that I should be prepared for?
Danny Manimbo (36:04):
Yes. So they actually kind of published guidance around that too, within, within MD 26. But, you know, at, at a minimum, you know, we would be looking at those 11 net new controls. So whether we’re doing it in a surveillance or a recert, um, I think there’s a lot of, um, nerves out there that when that transition occurs, we’re gonna be auditing a hundred percent of the controls, whether it’s a surveillance or a re-certification, right? We know that we would do that if it’s a re-certification because we do a full system audit, but people think, you know, if I transition to it, maybe I’ll, I’ll just wait till the ER cuz you’re doing it then anyway. Um, and you’re, I don’t want to have my surveillance be more than it, than it, uh, than it might have been otherwise. But, um, that’s not the case just because, you know, if we, if we’re doing it in a surveillance say, or if we’re just doing a standalone transition audit, maybe you’ve got a client, um, there audit’s not tilt December and they want to be certified now, um, we can do a transition audit and that would basically be a focus on what’s changed.
So think those 11 net new controls, we know as to Ryan’s point, there’s a hundred percent of the 2013 controls got mapped over to 2022. So we know there’s an implementation there, maybe the context has changed and the verbiage has been updated, they’ve been consolidated, but they’re still there. Um, so we know our, our bases are covered to a degree. And then you’re basically looking at the management system elements that needed to have scaled accordingly while the clauses didn’t materially change. Um, we know that you’re gonna have to update your risk assessment for the reasons that we just talked about. We know as a result and risk treatment’s gonna change your statement of applicability. Did your internal audit cover these things? So, um, those are kind of the main elements of, of what we look at beyond, you know, kind of what we do for an existing surveillance. So,
John Verry (37:54):
Um, do you think that they’re gonna be specific areas of the 27,000 1, 20 22 that people struggle with a little bit,
Danny Manimbo (38:05):
Maybe interpretation of certain controls? Um, I’ve got, you know, data loss prevention has seemed to be one that has, I’ve had more than one client tell me immediately is gonna be not applicable to them. And when I ask them why <laugh>, they think it’s because they have to implement a dlp, right? That’s the only way that they can demonstrate compliance. And if anybody knows iso, there’s not one tool or technology that you can implement to basically say, or that is required, I should say, to, to meet a control, right? They’re so high level and if you read the implementation guidance in 27,002, it’s paragraphs and paragraphs. So if there was one thing that you needed, it would just say that. So, but it’s more than just that certainly a dlp, if you had that, great, let’s look at that and see how you’ve configured it and, you know, likely it’ll meet the control.
But it’s, it’s, it can be more than just that. It can be, uh, hey, do you encrypt your backups and secure those from unauthorized access? Are you using encryption in tech technologies in general when you’re, when you’re sending data? So it’s, it’s, you know, there’s there’s other ways to, to look at controls. They’re just looking at the title of the control, um, and it’s just immediately kind of putting their hands up and being like, oh, that’s, that’s, that’s something that won’t apply to us. So I think that’s why we’re suggesting all the clients because when you get 27,001, it’s control, title control no other context. That’s why we’re suggesting everybody to get a copy of 27,002 read that understand, you know, cuz it’s got the purpose of the control, it’s got the implementation guidance, any additional context behind the intent and how you can demonstrate that you’ve, you’ve got a process in place or if you don’t have a process in place, how to potentially put one into place. So that’s one thing.
Ryan Mackie (39:49):
Yeah. And, and John, I would, I would add to that too, and this is kind of, you know, you, you touched on it before, you know, just in terms of preparation right? That, that i f MD 26 document, um, it does require the certification body or the registrar to assess the organization’s gap assessment to the 2022 version Yeah. As well as what their transition plan is. Hmm.
John Verry (40:14):
So that’s, that’s actually a requirement.
Ryan Mackie (40:16):
That’s a requirement that we have to do. Wow. So if we have to do
John Verry (40:20):
It, then, so, so if somebody made the transition but didn’t conduct a gap assessment and doesn’t have evidence of that, that’s gonna create a little bit of a challenge. Yeah, that’s pretty cool. I mean, I’m, I’m glad you’re mentioned that. Um, I mean, I think it’s the most logical way to do it anyway, but, but, you know, but creating a formal gap assessment is really interesting. Any, anything else that, that you think are gonna be some gotchas?
Ryan Mackie (40:41):
Well, I mean, they do say that we have to assess the new audit program. Hmm, yeah. You know, to make sure that that audit program taken into consideration, you know, basically going forward, addressing those controls from the 2022 version. Yeah, that’s a good point. Um, those are the three things. I mean, obviously the risk assessment is Danny mentioned, you know, I mean, it’s critical, you know, so, um, an organization would have to make sure that they go through that, you know, in, in detail, you know, not say, well, it’s already good as is, we just have to kind of update the cross references to the controls. Right. You know, that that’s <laugh>, that’s, that’s not a, a good process, but it’s those two documents, the gap assessment and the transition plan that are gonna be very important. You know, and I would definitely, you know, recommend anybody that’s listening to this, you know, start to go down that path, you know, understand, okay, what is the delta? We already know it is, I mean, there’s so many publications out there, but what is it relevant to your management system mm-hmm. <affirmative>, and then what’s your timeline? What’s your plan to transition? You know, do you have the right people? You know, have you gone through the right steps?
John Verry (41:42):
Question, question for you on that transition plan. So do you, you kind of perceive that as being a formal plan or, so like typically when an org does a gap assessment, you do what’s called a gap remediation plan, gap treatment plan, or whatever you wanna call it, right? Yep. And imagine, I think you, you probably see this quite frequently if they’re not using a, uh, a GRC platform, it’s an Excel spreadsheet with, you know, columns and you’ve got the, Hey, we have a finding, we don’t, we don’t, we don’t have a dlp and where we don’t address the DLP we need. So the the remediation is we need to address dlp, right? And here’s how we’re going to do it. Do you consider that a transition plan or are you gonna look literally for something that looks more like a project plan, which is a list of things that, you know, with people being assigned to it and dates and, you know, thoughts,
Ryan Mackie (42:29):
You know, I mean, I hate to say it’s, it’s gonna
John Verry (42:31):
Vary. So it’s gonna be open to auditor interpretation. Okay. Yeah.
Ryan Mackie (42:35):
I mean, you know, there’s nothing that is formal guidance that says it has to be in this format. Right? Um, now clearly if, you know, you have an Excel spreadsheet, you have three columns, you’ve got 10 rows, and you say, this is my transition plan, you know, as we get into that audit, you know, we’re gonna be a little bit more, um, we’re gonna, we’re gonna turn over some stones. Yeah. You know what I
John Verry (42:57):
Mean? Yeah. Bad transition plan’s gonna gonna create offi and nonconformities in and of itself. Right. So maybe you don’t have one on the transition tech technically that, that’s a really interesting question. Could you have a non-conformity on the lack of a transition plan, or would the nonconformities just be on the you You could technically,
Ryan Mackie (43:13):
Because I mean, there requirements on us.
John Verry (43:14):
Yeah. But, but there’s no, but, but on my side, there isn’t a transition plan requirement. Like, you know what I mean? Yeah. Like, you know, if you think about it, most of the time when you cite an nc you cite an NC to a clause, an ISMS clause, or you cite it to a, an annex a control. You know, you wouldn’t, you know, what would you cite it to there? Uh,
Ryan Mackie (43:31):
Yeah. And I think it’s, you know, if, if you look at the new mm-hmm. <affirmative>, the, the one clause that they did add mm-hmm. <affirmative> to, uh, 27,100 2022, which is six point 613. Okay. And it is inform, or it’s project management for your information management system.
John Verry (43:49):
Yeah. So that would be a perfect place to put it, because that’s where the planning would be.
Ryan Mackie (43:53):
And yeah. So it’s, it’s so no surprises if you didn’t look too closely, you know, we, we can always tag it to 1 613. Yeah.
John Verry (44:01):
That’s actually a really interesting, I I thank you for pointing that out. I I, I, I didn’t recall that. I do remember seeing it now that, but it’s been a bit, um, I, I think that’s actually a really an interesting clause that they added because in increasingly, I’m referring to an ISMS as Yeah. Just a, a, a plan a master task. Right. And, and I’ve always said for years that some of the best isms that I’ve ever seen are ISO 9,001 or run by ISO 9,000 thousand one personnel. Right. Who tend to be those project managers, tick and tie type people. So yeah, I think a PMP would probably be the best person PMP, who has very little security knowledge or moderate security knowledge is probably better at running your isms than an infor than than information security practitioner who loves Yeah. Bits and bys and technology, right?
Ryan Mackie (44:49):
Yeah. Yeah. Yeah.
Danny Manimbo (44:51):
And that planning for changes is, is a component of, of 9,001. It’s a component of 2 23 0 1, et cetera. So I think they’re also trying to make ’em more consistent, those management system frameworks that we all know.
John Verry (45:03):
Yeah, that’s actually an interesting question for you. Um, did they make any changes? You know, like, so I know in 2016, maybe it was they tried to normalize the management systems, so 9,001 and, and, um, 27,001 were aligned. Did they make any changes that would necessitate changes that necessity changes in other management systems, whether it be quality, whether it be, you know, continuity, et cetera? Yeah.
Ryan Mackie (45:30):
Yeah. They actually, so the, the documented that you’re referring to, I’m just gonna throw just a whole bunch of nasty iso, you know, acronyms out here, but it’s Annex sl. Okay. And Annex SL is the framework. It’s the template for any management system standard.
John Verry (45:46):
Oh, I didn’t know that. Annex sl. And
Ryan Mackie (45:48):
So yeah, annex sl, now they, I think the most recent one they published captured everything, you know, because it was, I think it was 2015. Okay, so that 20, that 9,001 2015 mm-hmm. <affirmative> already had that format. Okay. And then thereafter the 2 23 0 1, which was 2019 20,001, which is 2018, and now this one, you know, this, this 27,000 1, 20 22 uses that same template. So they, you know, they, they are as, as Danny mentioned, basically kind of harmonizing exactly how an management system is gonna be demonstrated, you know, in, in, in a documentation. Yeah. Yeah.
John Verry (46:27):
Um, we beat this up pretty good. Anything we miss?
Ryan Mackie (46:33):
Get that, get that, that MD 26 document?
John Verry (46:36):
Yeah, I will. I, I, it’s on my, you saw me taking notes <laugh> with my pen and paper, cuz if I type it makes a racket. So now, now I just have to not lose the, the piece of paper, which I’m, I’m, I’m 50 50 probably. Um, so, so Danny was kind enough to point out, he said, Hey, should you change the amazing or horrible Seeso question? Cuz we’ve both answered that already. And so I thought about it a little bit and I said, I’m going to, but I’m not going to tell them ahead of time. Yeah. I, because I want to test surprise. I want to test to see who can think quickest on their feet. So I’m gonna make it relatively easy. One, give me a fictional character or real person that would make an amazing or horrible new quarterback for the Tampa Bay Buccaneers. And by the way, Shelman is located in Tampa, so this is very contextualized. Right. Come on. That was kind of a brilliant question when you think about it, right? You guys are from Tampa. Yeah. You know, and why
Danny Manimbo (47:34):
Shane Falco from The Replacements that piano,
John Verry (47:38):
Danny Manimbo (47:38):
<laugh> <laugh>, he was the first fictional quarterback that
John Verry (47:42):
Came to my mind. <laugh>.
Danny Manimbo (47:44):
Oh, he was great. He was, he was a team player. People rallied around him. No ego kind of came in very unassuming. So he’d be, he’d be definitely different flavor from Brady, but, uh, <laugh>, we’ll see if
John Verry (47:56):
Up. Fantastic. That was, that was pretty damn good, Danny. All right. So Ryan, gimme a real world quarterback that you’re hoping comes to Tampa Bay.
Ryan Mackie (48:03):
Uh, I, um, oh gosh, you gotta put me on the spot now. I was thinking of, of, um, uh, yeah, I think Tom Brady should come back.
John Verry (48:13):
<laugh>. I don’t think he’s left yet. Uh, Giselle, Giselle disagrees.
Danny Manimbo (48:17):
Ryan Mackie (48:17):
God. Just give him, give him a month. You know, he’s gonna feel
John Verry (48:20):
That, uh, it, you
Danny Manimbo (48:22):
Know, that’s a little pto. He’s
Ryan Mackie (48:23):
Gonna, you know, practice squad next thing you know.
John Verry (48:25):
So Yeah. I thought you were gonna go with Jimmy g I thought you’re gonna go with Chichi
Ryan Mackie (48:28):
Too. I, I mean, I think that’d be a great fit. I do. Yeah. I really do think that’d be a great fit. I’ve seen a lot of names out there and, and kind of concerning, you know, some of ’em, oh,
John Verry (48:36):
Some of them. I think
Ryan Mackie (48:37):
It’s just, it’s, it’s a bandaid and it’s going to just create another problem. But,
John Verry (48:41):
Um, yeah, well listen, uh, as a, as a, a long suffering fan of a team that has not had a quarterback in 50 years, the New York Jets, I’m hoping that you don’t get anyone. I I’m hoping you get someone good after I get somebody good <laugh>.
Ryan Mackie (48:58):
I think the last one was what? Tesa Verde.
John Verry (49:00):
I really enjoyed those days. Oh yeah. I mean, yeah. I mean, you know, Chad Pennington before he blew out his shoulder. Yeah. Kenny O’Brien was a pretty solid quarterback. The problem with Kenny O’Brien was we took him before Dan Marino. Yeah. You know, we could have taken Dan Marino and we took Kenny O’Brien instead. <laugh>. Yeah. It’s just the pain of being a Jet fan. All right guys, if, uh, folks wanna get in contact with, uh, you, you guys, what’s the easiest way to do that? Shelman? Are you guys?
Ryan Mackie (49:26):
Yeah, LinkedIn. I mean, it’s the easiest way, you know, just reach out to us. I mean, profiles are out there, the firm’s out there, you know, so happy to do that. Our website, we’ve got a lot of content that, uh, blog as Danny had mentioned. Um, you know, and we’ve got a, um, um, you know, a way to contact anybody on our team, you know, through our website. So,
John Verry (49:45):
Ryan Mackie (49:46):
John Verry (49:47):
Yeah. Awesome. Well, you know, here’s the good news. It’s 3 54 on a Friday. Yeah, you can for
Ryan Mackie (49:53):
Me and you John.
John Verry (49:54):
That’s good for Danny. Oh, Danny. So Danny’s, he’s just
Danny Manimbo (49:56):
John Verry (49:56):
Started. Oh, Danny, sorry. Well listen to, you know, course some
Danny Manimbo (50:00):
Death Wish coffee And see what
John Verry (50:01):
They Yeah, you’re you’re gonna start on a death wish coffee. I’m gonna start on a bourbon.
Danny Manimbo (50:06):
There you go.
John Verry (50:07):
All right guys. Jealous. I a good one.