If you are ISO 27001 certified, or considering it, you are likely wondering how the transition from ISO 27001:2013 to ISO 27001:2022 affects you. With the notable changes, there are many uncertainties. For example, how soon can you get certified to ISO 27001:2022? Can you still get certified to 27001:2013? For anyone already certified, how soon can they transition to ISO 27001:2022?
In this episode, your host John Verry, Pivot Point Security CISO and Managing Partner, sits down with Andrew Frost, GRC Advisory Consultant at Pivot Point Security to explore the most effective and simplest practices for making the transition from ISO 27001:2013 to ISO 27001:2022.
In this episode, join us as we discuss:
- An overview of what changed and why from ISO 27001:2013 to ISO 27001:2022
- Timelines for certification to the new standard, including why it might be advisable to delay an ISO 27001:2022 certification audit until 2024
- The level of effort required for the transition to ISO 27001:2022
- Guidance on how to plan and execute the transition to ISO 27001:2022
- How auditors might use the new #hashtags in ISO 27001:2022
To hear this episode and many more like it, we encourage you to subscribe to the Virtual CISO Podcast.
Just search for The Virtual CISO Podcast in your favorite podcast player or watch the Podcast on YouTube here.
To stay updated with the newest podcast releases, follow us on LinkedIn here.
See below for the complete transcription of this episode!
John Verry (00:00):
Hey there, and welcome to yet another episode of the Virtual CISO Podcast, with you as always your host, John Verry, and with me today, I think a two-time appearer, if that is a word, on the podcast: Andrew Frost. Hey, Andrew.
Andrew Frost (00:15):
Hey, how’s it going?
John Verry (00:16):
It is going well. Let’s just say I’m glad it’s Friday, though.
Andrew Frost (00:20):
Yes. <laugh>
John Verry (00:21):
<Laugh>. Always start simple. Tell us a little bit about who you are and what it is that you do every day.
Andrew Frost (00:29):
Okay. My name’s Andrew Frost. I am a GRC consultant at Pivot Point Security. Been here for four and a half years now. Before that I was actually working for a client of Pivot Point Security, running their ISMS. So, you know, I’ve been doing ISMS and ISO related stuff for six or seven years now. And I’m not gonna go any further back in my history, but <laugh> yeah.
John Verry (00:57):
You didn’t have a paper route? Your mom didn’t give you 25 cents to vacuum the kitchen after dinner every night? I mean, all right. Well,
Andrew Frost (01:06):
Yeah, that’s
John Verry (01:07):
<Laugh> <laugh>. So
Andrew Frost (01:09):
So mostly what I do, though, and I missed that part of the question, was, you know, I do ISMS implementations for our clients and I do internal audits, but more maintenance and implementations than anything.
John Verry (01:25):
Right. And with the bulk of that work being ISO 27001. But of course it’s other frameworks as well, you know, the SOC 2s and the whatnots of the world as well. Correct. Cool. So this one’s gonna be an interesting one, ’cause I know the answer to the question. So I don’t know if I should change the question or just leave it. So I’ll just leave it. Well, no, I know bourbon is your drink of choice, generally speaking. Anything interesting that you’re drinking these days? Either bourbon or other than that.
Andrew Frost (01:53):
Well, I’m going to go where I would disagree with you, ’cause I know we disagree on... so
John Verry (01:59):
You’re not allowed to disagree with me at all on this pod. This is my podcast. It’s the Virtual CISO Podcast <laugh>.
Andrew Frost (02:04):
But you don’t like Scotch.
John Verry (02:05):
Oh, I hate Scotch. Yeah, it’s, you know, peat ruins. It’s a whiskey ruined by peat.
Andrew Frost (02:12):
So, you know, we drink... Yeah. Me and my wife, sorry, <laugh>, we both drink the same stuff. We both drink Scotch and we both drink bourbon. I agree with you on the bourbon side. The other part we don’t agree on is neat versus on the rocks. So I prefer both neat with a drop of water.
John Verry (02:31):
I think, look, I like one, you know, that I’m drinking, a really nice bottle of myam and green that someone picked out for me, that I’m very appreciative of. And you know, I think that is a perfect bourbon to drink neat with a little bit of water. Agree. It just really blooms, really opens up when you drink it. So I agree with you completely. All right. So let’s get down to business. I think anybody that lives like us in the ISO 27001 world, the ISO cybersecurity community, so to speak, we’ve had some big news over the last few months. ISO 27001 has been updated from 2013 to 2022. So I’ll ask you, how has ISO 27001 remained the same, and how has it changed?
Andrew Frost (03:21):
Okay, so ISO 27001 in itself, let’s not talk about the Annex A controls yet, we’ll get there, has not changed much. The guidance is mostly the same. The language is mostly the same. There’s a few tweaks here and there, but you know, in terms of the management system, there’s not much different. Mm-hmm <affirmative>. What changed more is in the Annex A controls, which are also covered in ISO 27002. And a lot of it had to do with changes in the industry. Everyone’s moving to the cloud, there’s a lot more privacy regulations now. So those are really the big things. I think, you know, while 27001 still has some, what I would call a light touch on privacy compared to 27701 and 27018, you know, privacy protection’s now, like, it’s actually in the standard title. So they added it to the title. They added a few controls that I think point directly towards protecting PII, like information deletion and data masking. Mm-hmm <affirmative>. And even data leakage prevention is, they’re really about protecting PII. And I think that the one privacy control that was there before is now, you know, maybe like four controls, you can think of it, right, if you include those three new ones.
John Verry (04:53):
So when you said the ISMS is largely the same, just to be clear, we’re talking about clauses 4 through 10. Correct. Are largely the same. Right. So the recipe for the actual management system of ISO is largely the same, with just a couple of minor changes.
Andrew Frost (05:07):
There’s a few minor changes. There’s an additional control, which is a one-liner that says basically you need to control your changes within your ISMS. Mm-hmm <affirmative>. For some reason they reversed the order of clause 10.
John Verry (05:26):
<Laugh>. Really?
Andrew Frost (05:27):
Yeah. I don’t know why <laugh>. So one was, you know, the nonconformity versus corrective action. I forgot the order they were in, but now they’re in the reverse order. So 10.1 is now 10.2 and 10.2 is now 10.1.
John Verry (05:41):
<Laugh>. Yeah. That’s weird. Just enough to mix up the people that are really, really comfortable with the standard. And then... Exactly. So let’s talk a little bit about, what I was intrigued by when I looked at it was the obvious, I think, like you said, reaction to what’s changed between 2013 and 2022. So you mentioned, and I think that’s mostly, I don’t know if you’d agree with me, mostly reflected in the new controls that we see. Mm-hmm <affirmative>. So you mentioned the three controls that are, I think, related to privacy, and I think you could argue are a direct response to things like GDPR and CCPA. What are some of the other changes, and what do you see as being the rationale or reasoning behind the fact that we needed this new control?
Andrew Frost (06:29):
Okay. Yeah. And I mentioned, I briefly touched on cloud. So there’s a new, much needed control for cloud services, because we had nothing specifically about cloud, because in 2013 cloud wasn’t really, you know, as big. You know, now everyone is using some kind of cloud service, even if it’s, you know, Office 365 they’re using, that’s a cloud service now. So they had to add a control for that. And the control is, while it’s written at a very high level, there’s two pages of guidance in the standard for it. Mm-hmm <affirmative>. And those two pages of guidance really get into more detailed vendor management, making sure you’re picking the right cloud service provider, making sure you can move away from that cloud service provider, you know, and move your data, you know, portability of data and things of that nature.
John Verry (07:23):
Question is, so is that control more focused on cloud consumption, or does it also, like, you know, ’cause like 27017 has a consumer/consumption side and a provider side. The new control, is that just the consumption side?
Andrew Frost (07:40):
It is. And that was, you know, when I first started reading the standard, that was an area of confusion for me, I’ll admit. But when you read, like at the very bottom in not very big letters, it says this is for the use of cloud services. I mean, the control’s called “use of cloud services.” Okay. But you don’t think of it that way when you first start going into it, ’cause it’s cloud.
John Verry (08:04):
Right. And so many of your customers are cloud service providers as well as cloud service consumers. So I think you have a tendency to think from the side that you’re working on, right, helping organizations get prepped for certification.
Andrew Frost (08:16):
And the other part is, if you’re looking at 27017 from the use perspective, it’s very similar to this new control. If you’re looking at the provider side, it’s obviously very different.
John Verry (08:29):
So that would be why people would continue to use 27017. So a pure consumer of the cloud probably no longer needs 27017. But a cloud service provider probably still would benefit from it.
Andrew Frost (08:42):
Pretty much. Yes, I would definitely agree with that.
John Verry (08:46):
Cool. What else is new? And why do you think that they added it?
Andrew Frost (08:53):
Well, one of the areas that I was thinking about is configuration management. That’s a new control, but it’s something that we always kind of skirted around. We always looked at it when we looked at network security, when we looked at, you know, security of software development environments. But it was never an auditable control. So now we have this control, configuration management: we’re gonna make sure there’s a policy that says this is how we’re doing it, this is how we’re making sure that we have hardening standards and we’re following those and we’re making sure that they don’t change over time, et cetera. So that’s a really good one, even though I think we were kind of doing it before. Some of the other ones are threat intelligence, which, a lot of these were being done by most of our clients.
(09:56):
I think that there’s less of an uplift in some cases than you think there might be, because you might be doing a lot of these controls already in one way or another. Threat intelligence is a good example of that. You’re probably doing that by, you know, the control for special interest groups you’re following, you know, like CISA or whatever, and getting vulnerability information back, finding out, you know, what’s coming, what threats are coming on the horizon and what you should be looking out for. You’re being notified about zero-day vulnerabilities, and you know, you’re already getting that threat intelligence. You’re just not documenting that in a policy, possibly. What other ones? I’m trying to think.
John Verry (10:44):
Physical, what is it, the ICT readiness for business continuity?
Andrew Frost (10:49):
I mean, that’s another one that I think was,
John Verry (10:52):
We were covering anyway. Yeah. So a lot of this is just, I think, formalization. Like, mm-hmm <affirmative>, you know, much the same way ISO documents the things that you are often doing. You know, I think in a weird way, 27001:2022 documents what we were already doing with 2013 in many instances.
Andrew Frost (11:08):
Correct. I mean, especially that one, ICT readiness for business continuity, is basically disaster recovery. Hmm. Which, you know, was part of most companies’ BCDR plan, that’s why it was called that <laugh>. I think one of the other ones I was thinking about was, you know, physical security monitoring; like, that’s basically camera coverage. And one of the areas that we’ll get into, you know, that we haven’t gotten into yet, is they added these hashtags, mm-hmm <affirmative>, to the controls. They describe at the beginning of the control, you know, if it should be preventive or corrective or what. Basically it helps you understand what they mean by what you want to do with that control, mm-hmm <affirmative>, or what they want you to do with that control.
(12:01):
So like physical security monitoring was one I was actually talking to a client about recently. Because when you look at it, it says you need to have 24/7 monitoring, you know <laugh>, I mean, it doesn’t say that, but you think, oh, do we have to have 24/7, all-the-time monitoring, making sure, you know, there’s a security guard watching cameras at all times? And you know, if you think about it, physical security monitoring could just be recording, or it could be, you know, someone watching it. So when you look at those hashtags for that control, it’s actually listed as detective and preventive. So that led us to believe that maybe, you know, there should be some kind of monitoring, or at least review on a regular basis. Or at the very least, you should document that as a risk, that you don’t have 24/7 monitoring.
John Verry (12:56):
Yeah. The hashtags are interesting, and let’s make sure we touch on this a little bit deeper, ’cause I’m curious as to how you see people using them and how you think auditors are going to use them. ’Cause I think that’s going to be an important component. And then I think the last major change that I noted was there were some controls that I think were directly relating to, I think, our shift into the agile, DevOps, infrastructure-as-code world. I think, you know, the secure coding, the data masking and the configuration management, I think, kind of point to that. Mm-hmm.
Andrew Frost (13:29):
<Affirmative>. I mean, secure coding is one that I almost didn’t feel like it was needed, in a way <laugh>. I mean, with all the secure development controls that were there before, we were always looking to make sure that code was secure. We were always looking to make sure that there was some kind of review of code. I mean, I think it’s adding some policies, formalizing it, like you said; in most cases we’re just formalizing things that were already being done. Cool. And that’s a good example of one.
John Verry (14:11):
So let’s talk a little bit about someone who is moving towards certification. So if someone’s just getting certified for the first time, how soon can they get certified to ISO 27001:2022, and can they still get certified to ISO 27000, excuse me, ISO 27001:2013?
Andrew Frost (14:33):
Okay, so first of all, most of the registrars, many of the registrars, are ready or will soon be ready to certify. They don’t have to be ready until, I think, October 2023, ’cause that’s 12 months. So, okay. So there’s this document that’s called the IAF MD 26, which is the International Accreditation Forum’s Mandatory Document 26, which basically is a document for the registrars of the accreditation bodies, to tell them what they need to do and when they need to do things. And I’ll probably be referring to that document a few more times, so I wanted to make sure to bring that up. So per that document, they have 12 months from the date that ISO 27001:2022 was published to get certified to certify, I forgot what that terminology is, but accredited to certify <laugh>. So that’s basically, you know, basically they should be ready to do it soon. I think most of ’em are doing it before then. Mm-hmm.
John Verry (15:43):
<Affirmative>. Yeah, I know a couple are ready now, as I understand it. Correct.
Andrew Frost (15:48):
Correct. But back to the original question, like per that same document, IAF MD 26, they now have 18 months from the publication date to start their 2013 audit.
John Verry (16:05):
Okay.
Andrew Frost (16:06):
So
John Verry (16:07):
That would be like almost April of 2024, roughly, ’cause it came out October, I think it was October.
Andrew Frost (16:12):
It’s April 20...
John Verry (16:13):
April 2024. Okay. Yeah. All right. So in other words, you could probably get certified now if you picked the right registrar, and if you are already down the path and you’ve prepared your whole ISMS using 2013, you’ve got effectively another year to go through your certification audit.
Andrew Frost (16:31):
Right.
John Verry (16:32):
Okay.
Andrew Frost (16:33):
Exactly.
John Verry (16:34):
All right, so let’s talk about the other side of that coin. So if you are already certified, how soon can they transition to ISO 27001:2022?
Andrew Frost (16:45):
I mean, they can transition whenever they want. It’s, you know, obviously, without having an additional expense, or much of an additional expense, you wanna wait until at least your first surveillance audit. Okay. Or your next surveillance audit or next recertification audit. We’re mostly recommending that people wait until 2024 if they can, just because the auditors are still starting. Like, they haven’t even started to audit it yet. We don’t know how they’re gonna audit it yet. There could be interpretations that we haven’t seen, you know, so I think we’re kind of leaning towards getting people to start looking to transition in 2024 or 2023.
John Verry (17:27):
Yeah, we see. Yeah, it’s interesting, ’cause you know, you live on the working-with-the-clients side, you know, to do the work, and I live on the talking-to-the-clients side, about what they want to do or should do. And it’s interesting because many clients are looking to move soon. You know, I think they see it as a competitive differentiator. I think they see it as thought leadership. So I think we’re gonna have an interesting blend of people. I also think it depends on when you’re doing it. If you’re scheduled for a surveillance or recertification audit this summer, you know, early fall, you’re probably putting yourself in harm’s way to have to try to squeeze all those changes in in that period of time. However, I mean, I think if you were looking at, like, I know it personally, right? As Pivot Point Security is an ISO certified company, our certification, excuse me, next surveillance audit is in February. We’ll make the transition for that one.
Andrew Frost (18:19):
And I know one client I’m working with now, their certification audit, or their surveillance audit, is in January. It’s actually a recertification audit, and they’re gonna be doing 2022.
John Verry (18:31):
Yeah, it’s gonna be fun. It’ll be interesting. I do think you can make an argument both ways. I think to some extent some people might have a few arrows in the back. I think on the other side of the coin, I think you’re gonna get more leeway as the auditors are figuring their way as well.
Andrew Frost (18:50):
That’s true. And the worst thing that happens is you get a nonconformity that you fix.
John Verry (18:55):
<Laugh>. Yeah, exactly. Exactly. Yeah. I mean, you know, the reality is, I think you said it well, it’s really a formalization of many of the things that you were doing anyway. So I think it’s gonna be more a paperwork exercise than it’s going to be a significant change in the way you conduct operations. And I think the likelihood of you having nonconformities of significance around the actual operation of the control is probably not that high. It might be just in the way that you document some of the things.
Andrew Frost (19:25):
I would agree with that.
John Verry (19:26):
Yeah. So as you said, it’s probably not that hard, if you do end up with a nonconformity, to correct it. So we talked about they can get certified soon, and some of the, you know, they’ll have to figure out when works for them. Mm-hmm <affirmative>. What’s the latest they can transition?
Andrew Frost (19:44):
It’s three years from October 2022. So it’s October 2025, the end of the month. And I think they have to be completed again, because, based on that IAF document, the audit has to be comp... I’m not sure it says completed. I don’t know if that means the audit has to be completed or you actually have certification in hand. I read it as the audit has to be completed.
John Verry (20:09):
Okay. So basically 10/31/2025. Yes. Okay. And then, you know, you said that the likely path for doing this would be either to do it during a recertification or a surveillance audit. Do you think there’s a big difference in doing it in one or the other?
Andrew Frost (20:31):
There isn’t. It basically adds half a day. Like if you do it in a surveillance year, the registrar is required to add a day to your audit to basically do what they call the transition audit. But they’re gonna look at, you know, your transition plan, which is either a gap assessment or just a list of what you did. And that’s a requirement that we haven’t talked about: they’re required to look at a transition plan. You have to have something documented that says this is what we did; in most cases it’s gonna be a gap assessment or something. So they’re gonna look at that. They’re gonna say, okay, what changes did you make for the uplift? And then they’re gonna look at the 11 net new controls and, you know, your SOA, maybe your risk assessment if you need to update that. But basically it’s half a day added if you’re doing a surveillance audit year. Wait, did I get that backwards <laugh>?
(21:40):
It’s an extra half a day on a surveillance audit year... on a recertification year, and an extra day on a surveillance audit year. That’s what I...
John Verry (21:50):
Did. So, net it out, it’s really, you know, that’s not going to be a decisive factor in deciding when you’re ready to do it.
Andrew Frost (22:00):
Right. It’s basically a half a day of auditor time, which is a half a day of cost, which I don’t know how that calculates out.
John Verry (22:07):
Output. It’s probably 1,500 or $2,000 or something of that
Andrew Frost (22:11):
nature. And it’s a half a day of your time in an audit, possibly <laugh>.
John Verry (22:19):
So let’s talk about what the level of effort is, and what does the actual transition look like in terms of work effort?
Andrew Frost (22:30):
So basically most of your policies are gonna have to change, at least minorly, especially if you have a reference section in your policies, ’cause every single one of those is gonna have to change the reference section at the very least. There’s some documentation that needs to, in most cases, be added to policies for the 11 new controls. The only probable new, like entirely new, policy that I think you have to have is configuration management. But you can even argue that that could go into the secure development policy or another policy, or the network configuration, the network management policy. Your updated scope document; you definitely have to update the SOA, ’cause the SOA is gonna point to all the new Annex A controls. That’s one of the bigger changes. But yeah, like I said, most of the policy changes are not major. Okay.
John Verry (23:36):
And remind me to circle back when we talk about the hashtags, ’cause I’m curious as to whether or not you think risk methodology and risk assessment are... if auditors are going to look for changes to the methodology based on some of those hashtags.
Andrew Frost (23:54):
Well, one, I mean, and I did kind of mention that before, in brief, mm-hmm <affirmative>, briefly, because
John Verry (23:59):
You want... let’s get into it now, then.
Andrew Frost (24:01):
Yeah. I mean, basically the way I was picturing that one control, the physical security monitoring control, is that if you’re not doing it, because the hashtag says preventive, if you don’t have a preventive control, I would think that you would want that in your risk register to say, we know that we don’t have a preventive control, but, you know, we don’t need it because... basically we’re accepting the risk of not having that as a preventive control, and we’ll just review the video on a weekly basis or a monthly basis or something.
John Verry (24:42):
Or you could argue that the detective control, or, you know, add a corrective control, and claim that that is a good compensating control.
Andrew Frost (24:54):
Right.
John Verry (24:56):
Yeah. Yeah, that’s what I was thinking. I’m wondering what that, you know, the other thing too is that I was wondering on the risk assessment, right, in ISO 27001, we know we have the language in, I forget which one, probably the planning clause, where, you know, you’re asked how you consider the impact to confidentiality, integrity and availability when you’re implementing controls and in your risk assessment. And now, you know, and I know that they have the CIA hashtags as well, right? So I was wondering whether or not we were going to see auditors start to ask that question when you’re looking at a risk, you know, is that a risk to confidentiality, integrity or availability, or some combination thereof?
Andrew Frost (25:37):
It’s really hard to say <laugh>.
John Verry (25:39):
Yeah.
Andrew Frost (25:40):
And that’s one of the things where I’m, you know, I’m excited to see how the auditors are actually gonna approach it. But I mean, I could definitely see how you can improve your risk register by using some of those hashtags.
John Verry (25:59):
Yeah. How you can, and I’m gonna go a step further, how you can, ’cause you know, ISO has a security component and a compliance component, mm-hmm <affirmative>, like every framework does. And I think sometimes the compliance component can be used to drive changes in security. So an auditor insisting that you do something can have a positive net effect, where, if they’re not enforcing it, you could do it, you know, unilaterally. And I think the idea of considering CIA, and considering, as you’re implementing controls, whether or not they’re preventive, detective, corrective, I think those things could be beneficial to effectively managing risk in an
Andrew Frost (26:43):
Absolutely. Yeah. I can definitely see that. Like, I don’t know if it’s gonna be audited that way, but I could definitely see it helping your security.
John Verry (26:55):
Yeah. I could see more advanced clients updating the risk methodology to incorporate that.
Andrew Frost (27:02):
Absolutely.
John Verry (27:03):
I definitely
Andrew Frost (27:04):
Agree with that.
John Verry (27:06):
What else have we gotta cover here? Let’s see, so let’s talk about how to get there, right? So we know we’re gonna make these changes; you know, how do we know to make those changes? So in a typical organization, how are we going to recommend the most, you know, effective and efficient way to initiate and execute this transition?
Andrew Frost (27:29):
So we currently have, you know, two ways we’re planning on going about doing this for our clients. You know, the first way would be, you know, maybe we add some time to your internal audit, like half a day or a day, and do a gap assessment of these 11 net new controls, you know, as part of the audit. But it’s really a gap assessment, and provide like a separate transition plan, which then they can use either with us or without us to do the uplift. The other thing we could do is a full transition, which is, you know, a full gap assessment with a risk refresh, and then help with the policy uplift. So that, you know, would be the more hands-on model, where we would work closer with you.
John Verry (28:27):
Yeah. So that would be a more robust way of doing it, right? Where you’re going in ahead of time and doing it from a consultative perspective, as opposed to doing it as an external, excuse me, an ISMS internal audit, where we’re just giving them the detail on what needs to change in the environment.
Andrew Frost (28:48):
Correct.
John Verry (28:51):
And then, just generally speaking, we’re gonna have to add, I guess, a little bit of time, much like the auditors do, a little bit of time to internal audits in that year-one transition, to kind of accommodate the extra 11 controls and the minor changes in clauses.
Andrew Frost (29:09):
Yeah, definitely. Like, I haven’t figured out how much time that is yet, but yeah, there’ll be a little bit of extra time there.
John Verry (29:17):
Okay. Gotcha. So we’ve got ISO 27001:2022. What I noticed, and I only noticed that today, is that there’s a 27005:2022. Did you see that come out? I logged into Techstreet. No, I didn’t see it, I didn’t know it either, but I logged into Techstreet. I wonder if I still have it open. No, I don’t. But I logged into Techstreet today to get another copy of 27001:2022, ’cause I was working on a different computer, and I was surprised that 27005:2022 popped up. Wow. So that’s news. Look forward to looking at that. So we’ve got 27001, 27002, 27005. We don’t have 27017, 27018 and 27701. How will that impact a client if they’re using 27017, as an example, or 27701? How will that impact their work on this transition?
Andrew Frost (30:20):
This is a little tricky <laugh>. So, first of all, 27701, there is a new version in development. I think it’s in like what they call level 40 of the 100 steps in the process. So my guess is it won’t be published until late this year. And that’s my guess, I don’t know if that’s true. So there will be a new version of that. 27017, there’s also a new version in development, but I think that’s even further back, and I don’t see any indication of 27018 being updated. So I think for now our clients are gonna have to do the mapping themselves. In 27, I think it’s in 27... yeah, 27002:2022, the standard, in the back, in the appendix, there’s actually, it has the mapping from the old to the new, mm-hmm <affirmative>. So you can utilize those tables to kind of back-map those three standards as well. But there’s no clean way to do it, because, you know, they haven’t given us, you know, new versions of the standards that map to the new version of Annex A.
John Verry (31:35):
Okay. So what you’re saying is that the translation tables at the end of 27002 map 2013 to 2022. And so if you know that 27701 control A maps to control B in 27002:2013, which maps to control C in 27001:2022, hence we know how to map 27701 to 27001:2022.
Andrew Frost (32:04):
Now just say all that again. One, one more time. <Laugh> <laugh>.
John Verry (32:08):
I’m not sure I said it, I’m not even sure I said it correctly. This is like, you know, if A equals B and B equals C, then A equals C, right? Correct.
Andrew Frost (32:16):
<Laugh>. That’s
John Verry (32:18):
Right. I think, I think the average person listening probably followed that better than what I, what I tried to do earlier than that <laugh>. All right. Anything else? We beat this up pretty good. Anything else that you think we should chat about?
Andrew Frost (32:34):
I would recommend that people that are transitioning download that IAF MD 26 I talked about. It’s a free download. It’s very informative. It tells you in a lot of detail what changed. Make sure you get issue two, by the way, cuz issue one and issue two are very different and they’re both out there <laugh>. Issue two has all the dates that I talked about earlier. It has some details about what changed in ISO 27001 in the clauses, you know, those minor changes that I was talking about. And I also recommend purchasing ISO 27001 and 27002, not only because you have to have them to follow the standards, but, you know, it always obviously helps to have that. Plus auditors sometimes look to make sure that you have them <laugh>.
John Verry (33:29):
Yeah, no, I’ve seen, I’ve been sitting at the table when somebody got called on not having a copy of 27002, not having an officially licensed copy of ISO 27002.
Andrew Frost (33:40):
Yeah. And I’ve written up people for not having it. So <laugh>, <laugh>
John Verry (33:46):
All right.
Andrew Frost (33:48):
And the other side note that I wanted to make is that the guidance in 27002, while it reads like something that you have to do, it’s not something that you have to do. This was true in 2013 as well. It’s guidance. It’s not “this is what you have to do.” It’s “this is kind of how we think you might want to do this.” So don’t take it as instructions. Take it as guidance like it
John Verry (34:13):
is. So it’s not thou shalt, it’s thou shalt think about.
Andrew Frost (34:18):
Exactly.
John Verry (34:19):
Yeah. Yeah. I always tell people, when they look at 27002 and they think about rationalizing a thought process to an auditor about why they did or didn’t do something that was listed in there, you know, I always use the analogy: if you’re sitting at a bar with a friend over a beer and you’re explaining why you did or didn’t implement, you know, passwords at a certain length or multifactor authentication, and that person’s moderately knowledgeable on information security, if you can make an argument where your friend says, yeah, that makes sense, then you’re gonna be fine during an audit.
Andrew Frost (34:53):
Exactly.
John Verry (34:54):
Yeah. All right. Give me, and I dunno if you’re prepared, and you’re not allowed to reuse whatever you said the first time, and I’ll remember, give me a fictional character or real world person you think would make an amazing or horrible CISO and why.
Andrew Frost (35:07):
I got a better, I kind of got a better answer. So I’m switching the topic to AI a little bit <laugh>.
John Verry (35:14):
Okay.
Andrew Frost (35:14):
Okay. Because last time we talked, last time I said Sheldon Cooper. So, and
John Verry (35:19):
That’s from the, and that’s the Big Bang Theory, right? Yeah.
Andrew Frost (35:22):
Okay. So to be different, I decided to ask ChatGPT.
John Verry (35:26):
<Laugh>
Andrew Frost (35:26):
<Laugh> ChatGPT came back with Sherlock Holmes on the first try.
John Verry (35:32):
You know, somebody else has said Sherlock Holmes before. Oh, that’s right. So that’s interesting that ChatGPT... So did ChatGPT give you a reason why?
Andrew Frost (35:41):
Oh my God, I don’t have it in front of me, but it was a book. It was very descriptive.
John Verry (35:47):
<Laugh>.
Andrew Frost (35:49):
But then I asked it again and the second time it picked Tony Stark.
John Verry (35:54):
<Laugh>, somebody’s given Iron Man before as well. I think, you know what, I think, all kidding aside, I wonder, because ChatGPT... I don’t know if you have, how much have you used ChatGPT?
Andrew Frost (36:05):
I’ve been using it a lot.
John Verry (36:06):
Me too.
Andrew Frost (36:07):
It’s really helpful. Like,
John Verry (36:08):
It’s crazy, but it is, what’s, shoot, why am I drawing a blank on the word? When you use somebody’s works directly
Andrew Frost (36:18):
Plagiarism,
John Verry (36:19):
Plagiarism, <laugh>. Like, sorry about that. That’s okay. It plagiarizes. Like, I mean, you know, you can find the same exact language that it gives you in its responses directly off of people’s websites. And I’m really curious, I’m really curious, the fact that you asked it twice and both times it gave an answer that it could find on our website.
Andrew Frost (36:43):
Oh, now I have to compare the description to our website.
John Verry (36:47):
Right. It would be really interesting to see whether or not its rationale was some of the rationale that the individual gave. I think it’s really interesting. Like, you know, AI is crazy stuff and it’s amazing that it’s able to interpret what you’re doing, but I do wonder how much it’s directly using the materials that it’s trained on.
Andrew Frost (37:13):
Yeah. Well, yeah, it’s really neat though.
John Verry (37:19):
Have you talked to Rory at all about the way he uses it? Cuz he does this thing where he gets it into a conversation. You can enter something called prompt mode, and you tell it that you want to enter prompt mode, and then it prompts you to help you create better and better prompts. Like, it becomes the prompter.
Andrew Frost (37:44):
Oh.
John Verry (37:45):
And it’ll create a prompt, and then it’ll give you suggestions about how to improve that prompt. And then you tell it which of those suggestions would help you. And then it iterates the prompt again.
Andrew Frost (37:58):
Oh, that’s cool.
John Verry (37:59):
He did something that was nutty where he laid out like a professional development program for achieving a particular certification. And what would be the best way to do that? What materials would he study? And it gave him like this amazing plan, and he did it through this prompt mode. Yeah. Ping him and get the prompt mode. I can’t really explain it because he’s smarter than me. But I will tell you it was pretty damn cool, and I haven’t figured out how to use it yet.
Andrew Frost (38:29):
<Laugh> The last thing I had to tell you that I did with ChatGPT is I asked it if Sheldon would be a great CISO and it said no <laugh>
John Verry (38:37):
What did, now here’s the question. Did you say Sheldon would be a good or a bad CISO when you were on the podcast? I said, oh, so maybe so,
Andrew Frost (38:44):
So ChatGPT.
John Verry (38:44):
So ChatGPT’s smarter than you, is what you’re saying? Yes. Yeah.
Andrew Frost (38:48):
<Laugh> <laugh>.
John Verry (38:50):
All right, man. <Laugh> If someone wants to get in contact with you?
Andrew Frost (38:56):
Well, Andrew Frost at Pivot Point Security, or LinkedIn: Andrew R. Frost is my slash or whatever you call it, <laugh>, my LinkedIn handle.
John Verry (39:09):
This has been fun as always, sir. Have yourself an awesome weekend.
Andrew Frost (39:13):
I will. You too. Thanks so much.