ISO-27701 is an exciting new standard. But it comes with a learning curve for all of us — clients, consultants, and auditors.
In this episode, we’ll discuss some of the lessons we’ve learned in our initial audits so you can, hopefully, benefit from our teething pains.
That’s why I invited today’s guests, Andrew Frost, GRC Consultant, and Aurore Watts, GRC and Privacy Consultant, here at Pivot Point Security, who have been working on the front lines of the auditing process.
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
Narrator (Intro/Outro) (00:06):
You’re listening to The Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Miss Watts, Mr. Frost, good afternoon.
Andrew Frost (00:30):
Aurore Watts (00:31):
John Verry (00:32):
How are you this lovely Friday? Just the fact that you were so slow tells me it’s just like waiting to get done with this job so we can get-
Andrew Frost (00:42):
Ready for the weekend, John.
John Verry (00:46):
All right. Real quick for both of you, I’m going to ask this question just to start simple. Aurore, tell us a little bit about who you are and what is it you do every day?
Aurore Watts (00:58):
Yeah. I’m a GRC consultant and privacy. I’ve been at PPS for three years now, but I’ve been dealing with the IT compliance world for 10 years. I either audit company against their framework or I implement the framework for other companies.
John Verry (01:20):
Excellent. Andrew, same question.
Andrew Frost (01:22):
Mine’s going to sound pretty similar. I do exactly what Aurore does.
John Verry (01:25):
That’s fine. There you go. All right. Thank you, Andrew. That was highly informative.
Andrew Frost (01:32):
I mean honestly, I’ve been here for almost three years too, so been here almost the same amount of time and we do the same work. Aurore does a little more privacy than I do. But previous to working at PPS, I actually worked for a customer of PPS, which was where I got into ISMS and learned all that fun stuff.
John Verry (01:53):
Cool stuff. We also always ask the question, what’s your drink of choice? Now with Andrew, I happen to know it’s bourbon, so I won’t ask him that question. Although, do you happen to have a bourbon within hand reach, Andrew?
Andrew Frost (02:06):
I do not.
John Verry (02:07):
All right. I have a beer within hand reach, Andrew. I’m surprised. Aurore?
Andrew Frost (02:12):
John Verry (02:13):
You’re French, so I assume that wine is your drink of choice.
Aurore Watts (02:18):
Yeah, it is that. Definitely influenced by the fact that I’m French. But the one that right now I would want to go for is rosé, in France. I’m from the south of France, so I would definitely go for that on a Friday afternoon.
John Verry (02:36):
Yeah. And summertime, as we get into the warmer … Session is being recorded as we’re just starting to get warmer. Yeah. The rosés get popular in the summer, and my wife likes to drink this one called [Manyen 00:02:43] or something of that nature from France that is quite good as well.
John Verry (02:47):
All right, cool. Let’s get down to business, right? What we’re here to talk about today is ISO 27701. It is definitely new, and I think it personally … I have odd choices, odd tastes though. I think it’s an exciting standard. But like any standard, there’s some learning curve for all of us. That’s our clients, that’s us as consultants, and auditors as well. The idea behind today was I wanted to chat with you guys a little bit to talk about some of the lessons that we’ve learned so that others can benefit from the hour as we have in our [inaudible 00:03:19]. Make sense?
Aurore Watts (03:21):
Andrew Frost (03:22):
John Verry (03:23):
All right. Let’s start it, again easy. What is ISO 27701 and why do you think it’s important?
Aurore Watts (03:30):
Yeah. The ISO 27701 is an extension to the most, the more famous 27001, that is more information security. The extension allows to add privacy principle into that framework. Definitely, I think it’s important because it allows you to make those governance decision with privacy, which is a little bit more than other privacy framework we looked at before.
John Verry (04:03):
Andrew, any other thoughts on that?
Andrew Frost (04:05):
No. I mean, like what Aurore said, it’s basically an add-on to 27001 to give you a governing privacy program that you follow to implement your privacy program.
John Verry (04:19):
Yeah. I think what I like about it is the fact that it allows you to manage security and privacy in a single construct, right? That ISMS committee that you’ve already built that’s going to manage infosec risk is now also addressing your privacy. It’s also interesting to me, it’s the first certifiable extension to ISO 27001, the idea where they actually changed the construct of the management system, where most of the other extensions just added some either additional Annex A controls or some clarifications to Annex A controls. So, definitely some cool stuff.
Andrew Frost (04:55):
Yeah. Like, 27018 was not certifiable, like you were saying.
John Verry (04:59):
Yeah, yeah. And that’s actually an interesting question too. It reminded me that maybe we want to touch on that as, is 27018 … Well, I’ll ask it now. Is 27018 still in play? Is there a reason why someone would still get 27018 verse … Or would they more likely just go straight to 27701? Thoughts?
Aurore Watts (05:19):
[inaudible 00:05:19] did because it is for cloud clients processor, so if you know your scope is limited to that, it might be interesting for you to do it.
John Verry (05:32):
Got you. Now, you used the term controller there.
Aurore Watts (05:36):
Yes. The great thing about ISO 27, it is like you said, something that is certifying privacy. Because before, we were working with our client around their privacy concern, but there was nothing to really show, “Here it is. You did it.” And now it’s the great thing with 701 is that they can actually show the certification.
John Verry (05:58):
Yeah, which is huge. You used the term controller. Just real quick, let’s define what is a processor and what is a controller? That way anyone that’s listening, if we do use those terms again they have an idea what the difference is.
Andrew Frost (06:14):
I mean basically, the bottom line is sometimes this concept is a little bit hard to figure out. But it’s who is collecting the PII. If you collect the PII, you control. You’re the controller. If someone else collects the PII, you process it, you do work to it, then you’re a processor. A good example I came up with was your HR department. They are a controller of the data that they get from your employees. But if you use a SaaS HRIS system, that company would be a processor.
John Verry (06:51):
By definition then, though, if you are a controller are you also a processor by definition if you’re using that data? Or is that not the case?
Andrew Frost (07:00):
You are, but you’re called the controller because you’re controlling the data. You’re processing the data, but-
John Verry (07:06):
Can you be a controller and a processor?
Andrew Frost (07:08):
Aurore Watts (07:09):
John Verry (07:10):
Okay. And how would that occur?
Aurore Watts (07:12):
Any company is usually both, because a data controller, you’re always a data controller of your information, vendor information, client information. That is usually the case. And then processor would be if you do additional activities on behalf of clients and vendors. But what is interesting … Yeah, go ahead.
John Verry (07:37):
What you’re saying is that you’d be the processor. You guys were both answering the same question slightly differently. On the same data, you’re just a controller. But in the example you gave, Aurore, you’re a controller for the data that you gathered yourself and then you’re a processor for the data that somebody handed to you. Is that right?
Aurore Watts (07:57):
Right. Mm-hmm (affirmative).
John Verry (07:59):
Okay. And the fact that there’s a processor and a controller, that’s important to somebody that’s listening because there were different requirements for a processor and a controller at different points in the different privacy requirements, standards, and within ISO 27701 as well?
Aurore Watts (08:13):
Yeah. Yeah. That’s why it’s really important at the beginning to really understand the scope and really understand if you are a data controller or data processor. Because based on that, you’re going to have a certain [inaudible 00:08:30] apply to you or not.
John Verry (08:33):
You talked about scope. And to me, scope in any information security initiative is the single most critical thing. We need to understand what it is that we’re trying to protect, why we’re trying to protect it. You get that defined, well, I use the analogy of getting a ladder against the right wall before we climb it. Let’s talk about scope. What have we learned there? Andrew, how does an ISO 27000 … If you’re getting ISO 27001 certified or you already are, how does your ISO 27001 scope and your ISO 27701 scope, how do they compare?
Andrew Frost (09:04):
This is one of the things we learned early on, and we’re talking about lessons learned here. This is a good topic for that. We originally thought that 27001 and 27701 would have to have the exact same scope. So, if it was included in 001 we would include it in 701, and that’s not the case. Basically 701 has to be a subset of the 001 scope. If you have anything in the 701 scope that’s not included, you have to basically add it to your 001 scope. That’s the key. Basically, everything has to be covered by security controls, which are the 001 scope.
John Verry (09:45):
Right. Just to make sure I’m clear there, as long as your 27701 scope is the equal to or a logical subset of your 27001 scope you’re okay, but the minute that something comes out of scope, like something is in your 27701 scope that is not in your 27001 scope, it either has to be excluded or you have to expand your 27701 scope?
Andrew Frost (10:08):
John Verry (10:09):
Got you. Got you. And I would imagine, and I think Aurore, you and I had talked about this once before, that that was the issue with the GDPR compliance, right?
Aurore Watts (10:19):
Yeah. Because when we started with ISO 27701, all we knew was GDPR, CCPA. And for those, we really have to look at any personal data. And that was the mistake we did when we approached 701, is we were wondering, talk to me about all your personal data. We want to know where are they, and therefore we were focused on too large of a scope. A lot of data certified under 27001 do not have [inaudible 00:10:54]. There is no reason to talk about, for example, those employee data as part of the scope for privacy.
John Verry (11:02):
Yeah. And that leads to the next question. I was going to ask, does being 27701 certified definitely mean you’re GDPR compliant or CCPA compliant? But that would be a perfect example where, in many cases, you might not be. Because if you didn’t include your own human resource function into the scope of your 27701, then logically that would not yet be GDPR compliant, right? You’d be GDPR compliant in the processing of a third party’s data, like your clients’ data, but not your own data. Correct?
Aurore Watts (11:37):
Yeah. And ISO 27701 is really about providing a framework for privacy principles. So, you’re going to have some controls that are specific to those local privacy law that you’re going to have to plug to the different control so you can pretend on top of the scope to be also compliant to the different privacy laws. Sometimes, our clients say, “I want to be 701 certified so I can pretend to be GDPR compliant, or CCPA.” That’s when we have to let them know actually, there is a difference. If you want to be all those different privacy law, we will have to look at adding and making the scope much bigger, and also adding more controls.
John Verry (12:29):
Andrew, logically does that mean it’s sort of the same question that you would … Or the same way you would answer the question if somebody said, “Hey, if I’m 27001 certified, does that mean I’m PCI compliant?”
Andrew Frost (12:41):
Yeah, exactly. I mean basically, you’re setting up a framework and a management system that allows you to add other management systems or other requirements into it, but you’re not necessarily included all those requirements.
John Verry (12:55):
Got you. In other words, if we set up the management system, either one, with inclusion of the requirements from those more prescriptive standards, then logically at the end of that process, our certification would be also the equivalent of compliance with whatever standard that we were seeking to comply with.
Andrew Frost (13:15):
John Verry (13:16):
Okay. Makes total sense, at least to me. Hopefully to the people listening to this.
Andrew Frost (13:24):
I mean, I was going to also point out there’s a compliance portion to 27001. And in that portion, in those controls, you can actually say, “We’re required to be compliant with GDPR.” And then by virtue of following that control, you would add the other controls to be GDPR compliant.
John Verry (13:43):
Right. I mean technically, if you added your PCI requirement to your scope statement, then logically your internal audit and external process should validate that you’ve incorporated those requirements in. So, it sort of does become de facto the same thing, but it does rely on the fact that you’ve actually brought that regulation into the scope of the management system, correct?
Andrew Frost (14:06):
John Verry (14:07):
Okay. Makes sense to me. Here’s a good question for you. Now we get into the idea of prescriptivity. And we talk about ISO 27001 not being a true, a very prescriptive framework. If I asked you, “Andrew, how many characters long do my passwords need to be in order to be ISO 27001 certified?”
Andrew Frost (14:29):
Whatever you want them to be. Whatever your risk determines they need to be.
John Verry (14:33):
Exactly. And the answer … I always joke around with people. If an ISO auditor ever asks you a question, you know what the answer is. Say, “It’s because of what the risk assessment said.” And if you want to be even a little more formal, “It’s what the risk assessment scope statement told me to say.” Because I mean at the end of the day, it’s the context and the risk is going to define that, because the context will say, “Hey, I have a regulation that needs to apply,” and the risk will say, “I’ve got a risk that needs to be treated down to a level that’s acceptable.” So, 27001 is not highly prescriptive. How prescriptive is 27701?
Aurore Watts (15:06):
It will be the same approach, but instead of saying it’s because the risk assessment told me to, you will add, “Because the privacy impact assessment also told me.”
John Verry (15:19):
That’s going to be a mouthful.
Aurore Watts (15:22):
John Verry (15:24):
Okay. So, you would say it’s like an analog.
Aurore Watts (15:26):
Mm-hmm (affirmative). Yeah. You would be looking at your risk, your possibility of impact. But then from there, because we are looking at legal laws that could be subject to fines, then it’s how much you are wanting to pay or not.
John Verry (15:46):
So, most of the folks that would be seeking 27701, probably one of the reasons they’re doing that is they would like to be compliant with, let’s say GDPR or CCPA, or maybe they want to be compliant with both. How prescriptive are GDPR and CCPA? And how similar or different are they? Are they close enough that by inputting them and doing core set of things that were almost going to be there for both of them? Or were they sufficiently disparate that I’m going to have a lot of work to do both versus one?
Aurore Watts (16:17):
I think there is a lot of similarities, but it’s interesting to know what the differences are. And because there are some differences, you will have additional work to do from one to another in order to achieve both. To give you an example, GDPR will ask that you justify with legal grounds that … They have six of them to justify that you can process personal data. So, you have to pretty much give prior consent. While, CCPA is all about providing the opt-outs, do not sell my data. So, just different approach.
Aurore Watts (16:58):
But then if you want to be GDPR compliant, you will make sure you have those legal grounds. But also, that do not sell my data option available to California residents.
John Verry (17:12):
Got you. I know that one of the questions I get asked a lot is about the concept of a DPL. Are they both consistent on the idea? And is their prescriptive guidance consistent with what 27701 says about that data privacy function?
Aurore Watts (17:29):
The problem with GDPR is that it’s going to require more work because you are looking at different countries. GDPR is for all those members countries, but they still have specific requirement based on that member country. So, when you talk about something like a data protection officer, you’re going to have additional requirement based on which country you are processing data from. But in general, GDPR requires really to have that job definition to match their article, which has one of them is the independence. Your DPU needs to be independent from the decision making, which is pretty difficult to achieve within a company where 701, ISO 27701, we just have to make sure that the privacy responsibilities are a sign, doesn’t have to talk about independence.
John Verry (18:33):
And I think that lends to the next point, right. Andrew, I’ve heard you say to a client that it’s important that they have their legal client, that they have legal counsel involved in when we’re dealing with privacy. Why is that?
Andrew Frost (18:48):
Because basically, most of the stuff you’re doing with privacy is contract. I mean, a lot of things you’re doing is writing into contract saying that you have to allow your clients to do the PII principles, like the right to be forgotten or basically how to contact you to get the PII that you have stored on them. And it’s basically, a lot of it is contract learning which-
John Verry (19:20):
Yeah. The other thing which I struggle with, and I don’t know if you guys struggle with … The power of separation for someone listening is Andrew or the people that are actually doing the work. Very often, I’m talking to a client ahead of time about the work that needs to be done. And I get asked a lot of questions that I look at as being interpretation, or legal interpretation. Like a client will say to me okay, well this law requires explicit consent. If somebody gives me a business card at a conference, is that explicit consent? Or do I need to then send an email with an opt-out clause? Those types of interpretations. I think that’s the other side, at least to me. I don’t know if you guys agree. Is that I look at so many of the questions that you get asked are, it depends, and your legal counsel should look at this, and perhaps you need to consult with the DPA, the Data Protection Agency specific to the type of data that you have, or the EU countries’ data that you have. Do you guys agree with that?
Aurore Watts (20:22):
Yeah. I mean, your legal counsel, definitely your lawyer should be involved in the documentation of all those tracts, and kind of making the decision of where the company wants to go. And our job as consultant is definitely to have a lot of interaction with that jurisdiction or that legal person appointed to the firm to understand really what they want, the language to say, and what they want the company to say, basically, to their client and the rest of the world, because they will be anyone coming to their website.
John Verry (21:02):
Yeah. And I think you brought up two things. We’re talking about this legal interpretation. I mean, it’s really three reasons, right, that having somebody who’s a reasonable privacy expert is critical. We’ve got, as Andrew brought up, the legal client contracts, that side of the equation. We’ve got these interpretations of the laws and regulations, and all of the clarifications that come out constantly. I mean, the clarifications are largely in the laws to start with, half the time.
John Verry (21:28):
And then you’ve got the third thing is that you mentioned the DPO. Now, DPO has, you mentioned the independence. There’s also some language in there about not being sanctioned or under the control of executive management. They can’t get in trouble for doing something. And then they also have a role in interacting with the data protection agencies as well. I mean, correct me if I’m wrong, that’s one of the main reasons that we’ve recently moving towards a relationship with a third-party DPO provider organization, because we’re finding, what? A lot of our clients don’t have that skillset available to them?
Aurore Watts (22:05):
Yeah, definitely. And this partnership is really interesting because they will be competing, providing like a general offer to our clients that come to us and say, “Yes, I would like to have a privacy framework, I would like to be privacy complaint,” but don’t have anyone currently in privacy or legal privacy attorney that could help. So, we can do the piece about making sure that all the privacy documentation is ready, but those external facing and that DPO function is something that a company, like a virtual DPO, is really a great option for them.
John Verry (22:50):
Yeah. I always joke around with people, “I’m not an attorney but I sometimes play one on sales calls.” And I guess you guys feel the same sometimes, sitting in some of those scoping conversations where clients ask you that question. Like, “This is the way I’m interpreting it, guys, but I’m always going to defer to legal counsel.” In talking about that, we talked about scope being so critical. And I look at an ISO 27001 scope, the pure equivalent to that would be data mapping, from a privacy perspective. Andrew, let’s talk a little bit about what is data mapping? And what lessons have we learned there?
Andrew Frost (23:31):
Well, data mapping is basically figuring out where all the PII lives and where it’s processed, and a lot of people don’t know that and it’s really hard to nail them down and figure out where it actually is. What we usually do is start with talking to someone about what their tools are or what software they use, and drill down into what that software does. Some of the lessons learned, I think, are where people don’t think about where data is. Or places like temporary files, or even Contact Us pages on a website, for example, is a good place where we start where people sometimes just don’t know where that data is going. An email comes into the company and people just send it all over the place, and that’s PII. So, we have to track that down and figure out where that’s going to end up living. Which sometimes takes a lot longer than you think it should.
John Verry (24:27):
It takes a lot longer than you think it should. Now, you mentioned temporary files. That gets really interesting, right, because if you look at something like Oracle as an example, it stores multiple forms of temporary files. Like, redo logs as example. Because that way it can roll back transactions, you could reload data, do things of that nature. So, you’re saying that if you’ve got a database that has PII in it, any of those Oracle temporary files, are also in scope, and that’s got to be something that we manage as part of this?
Andrew Frost (24:56):
Yeah. There’s actually specific controls in 27701 for temporary files that show that you’re supposed to make sure that if they have PII, that you’re cleaning them up on a regular basis.
John Verry (25:08):
Got you. Aurore, any lessons you’ve learned in that data mapping area?
Aurore Watts (25:13):
Yeah. I mean, when we start the conversation we have maybe few names that we know we’re going to have to talk to. But really, we end up with talking to much more people because, like Andrew says, it’s really much of an investigation and oh, they go here as well, so we need to talk to this person now. It’s really looking for where are those PII, what do you do with it, who do you transfer it to? It does become a lot of conversation, and something that some clients have been wanting to just with questionnaire. How about you send your questionnaire with many question and I send that to the different persons so you can have a better idea? We find out that this is not working because of all those follow-up conversation that are needed.
John Verry (26:11):
Yeah. I’ve never been a fan. Because if you think about, since GRC solutions started reading their heads, what? 10 years ago? There’s always this opportunity to do a [inaudible 00:26:22] assessment or a control maturity assessment through questionnaires as well, web-based surveys. Now, I think the challenge there is that very often, people might not understand or fully understand the question. And that idea of sitting across the table from you, I think they get some sense of clarity. Or that clarification that you’re seeking is very inefficient to get through a survey, questionnaire-style approach. I would tell the story of, we tried using surveys to be more efficient and to be able to offer lower-price services at one point. And we had asked the guy a question about IDS, meaning network IDS. And his answer came back as he was talking about their burglar alarm system, it being ADT. And it was just a great clarification why it’s probably not the best way to actually do that. That interviews definitely trump it. And then-
Andrew Frost (27:07):
There’s always a follow-up question for any question, any answer usually, too.
John Verry (27:11):
Exactly. And for somebody listening, we use that term data map quite a bit. Is a data map analogous to a record of processing activities or a ROPA? Because you hear that term as well.
Aurore Watts (27:26):
Yeah. We called it ROPA for ISO 27701, record of processing activity. So, yeah. That’s the same.
John Verry (27:36):
Okay. And ROPA is record of processing activities?
Aurore Watts (27:38):
John Verry (27:39):
Is that the same thing as, what do they call it? GDPR [inaudible 00:27:44]?
Aurore Watts (27:44):
John Verry (27:46):
Okay. Okay, cool. And to a layman, would it be fair to say that a data map or record processing activities allows you to map or connect elements of personal information that you’re gathering, acquiring or processing, to the internal organizational processes that act on that data to the people, process, systems that actually store … While specifically, the applications and systems that store that data? And that you need that connection to be able to service a data subject access request?
Aurore Watts (28:25):
Yes. But there are a lot of question also regarding all the different processing activities that are really best answer in also that ROPA. And so normally, you do that mapping. But you also use some additional column, for example, to reply to some question. For example, what is the lawful basis of that processing? It’s a really great way to reply to that here because you do have all the processing activities listed. So, we use it to answer to a lot of different controls.
John Verry (29:01):
Got you. Would you also put the data source? Would that be something you would also list in a ROPA? The source of that data?
Aurore Watts (29:10):
I mean, if it’s a data controller, the source would be directly the person.
John Verry (29:15):
No, yeah. As a processor. As a processor, right?
Aurore Watts (29:15):
Yeah. As a processor, correct. Yes, we do have a column for that.
John Verry (29:21):
Okay. That makes sense to me. Cool. With ISO, we talked about scope and then we talked about risk assessment and understanding the gaps in our implementation or our controls. We had that analog with privacy, right? We’ve got the data mapping, which is akin to scoping. And then we’ve got instead of risk assessment, data privacy impact assessment. Andrew, if I asked you, is a DPIA different than a risk assessment?
Andrew Frost (29:51):
Yes and no. You don’t have to do a risk assessment. You don’t have to do a privacy impact assessment on every piece of PII that you gather. You actually do an analysis on how sensitive that data is before you even go further to determine whether or not you need to really dig into it. But then you go down a whole list of questions, basically, to determine if there’s any contract changes or any processing changes that you need to put into place for that specific processing activity.
John Verry (30:24):
Does it work largely analogous to a risk assessment? Do we have that concept of threat acting on vulnerability yielding impact, with some level of probability? Or is it a different beast?
Andrew Frost (30:36):
I think it’s a different beast. It works differently, in my eyes. Aurore might have a different thought on that. But I think it’s more thinking about the data and where it is, and subjective more than following a formula, kind of.
John Verry (30:56):
So, less about … More infosec control mitigation and more about process approach mitigation?
Andrew Frost (31:08):
Yes. It’s, I mean-
John Verry (31:09):
Aurore, thoughts? Oh sorry, Andrew, I didn’t mean to cut you off.
Andrew Frost (31:11):
No, I was going to say I’d like Aurore’s thoughts on it, though.
John Verry (31:15):
I guess we were perfectly aligned there, Andrew. Why did you have to chirp up then, when I had already asked Aurore for her input?
Aurore Watts (31:29):
Yeah. It’s definitely a different exercise, but risk assessment is needed even for privacy. What the auditor is going to look for us making sure that your risk assessment does include control privacy risk. So, you still need to cover there. Now, the DPIA is going to be more asking you key questions that are going to make you think differently about processing activities. Instead of looking at a threat, a vulnerability library, you’re going to look at processing activities that are risky. Like Andrew said, it’s not all that goes through there. And then you look at each of those ones and then you have a set of question.
Aurore Watts (32:10):
And what is interesting, talk again about ISO, we don’t have the list of question. It’s not something that was given by the standard. It’s what you believe will be interesting. So, we came up with lesson learned from different sources and what made sense to us with that list of question. And we came to a point where it was something that was validated by the researcher that we work with. [crosstalk 00:32:37].
John Verry (32:37):
I’ve just [crosstalk 00:32:39].
Aurore Watts (32:42):
But it does allow us to identify some pretty interesting treatments that the client can definitely implement to reduce their privacy impact.
John Verry (32:56):
Yeah. I mean this part of that whole, like you said, lessons learned. Even at the start when we started helping Aurore just get ISO 27701 certified, there was no lead implement or certifications. We were really running in the dark. I guess we got it right, because we got a number of clients that had their certificates, and it’s been a pretty good sale so you guys did a pretty good job of working in a world with a lot of unknowns. So, well done.
Andrew Frost (33:20):
And we did learn a lot from our registrar.
Aurore Watts (33:24):
Yeah. It doesn’t mean that we were right at the beginning. There were some guesses that happened to be maybe not that great. Maybe wrong. But we have great relationship with the different registrar, and peer conversation really helps. And it is a learning game for a lot of us, even registrar. So, those have been really great conversations.
John Verry (33:49):
Yeah. Speaking of registrars, I know that at my level, and chatting with a lot of the registrars that we’ve worked with over the years, not a lot of them appear to be yet all that … What would be the right word? Conversational about 27701. What are you guys seeing? Are there a lot of good registrars out there for 27701? Is there consistency when we talk to them? Is there consistency if we’re audited by different registrars and what they’re looking for? What are you guys seeing?
Andrew Frost (34:16):
This is actually a point I was thinking about earlier. We’ve only dealt with one registrar so far in terms of actually going through the audit process. It’s going to be really interesting when we go through an audit with another registrar to see if they’re interpreting things the same as the one registrar that we’ve worked with.
John Verry (34:37):
Question for you. Has the registrar that will work with, have you worked with different lead auditors on audits? Or is it even the same lead auditor?
Aurore Watts (34:45):
No, they were different.
John Verry (34:45):
Okay. That’s good. That’s good.
Aurore Watts (34:48):
Yeah. And that’s what I’m-
John Verry (34:49):
Did you see a difference between the two lead auditors?
Aurore Watts (34:51):
Yes, definitely. We even seen that the same auditor came for two different clients, and changed in between. And I figure it’s just that learning, that learning curve as well. But yeah, we definitely seen within the same registrar, we’ve seen definitely different approach by the auditor.
John Verry (35:15):
And Andrew, you’ve been through, I don’t know, 150, 70, some big number of ISO audits. 27001 audits, right?
Andrew Frost (35:22):
John Verry (35:22):
And you imagine what would be interesting if for two different registrars, I would think that the biggest difference between audits is not the registrar, it’s the auditors themselves.
Andrew Frost (35:34):
It depends. It depends.
John Verry (35:36):
Okay. Do you see on 27001 side, you can tell based on the registrar something about the audit as well as the different lead auditors?
Andrew Frost (35:48):
John Verry (35:49):
Andrew Frost (35:50):
Well, I mean because some of the registrars, they’re using consultants. And some have on-staff employees where they’re trained in-house, so they learn the standards the same way. And also some of our registrars, they don’t have a portal or something, so they’re looking at evidence on the screen while they’re doing the audit. So, it flows a lot differently too. But they also interpret things differently. Like, everyone has their own interpretation of the standard and the same thing’s going to happen with 701.
John Verry (36:25):
Oh, of course. But that’s what I meant. I always think of the interpretation as being more tied to the order than to the registrar.
Andrew Frost (36:34):
Yeah. I still think it depends on the [inaudible 00:36:37].
John Verry (36:37):
Well, I want to follow-up with that but that’s interesting, because you probably know something I don’t know, which always makes me feel bad. So now, you know I’m picking up the phone as soon as we’re off the podcast and I’m like, “What the hell were you talking about on that podcast? You made me look bad, dude.”
Andrew Frost (36:54):
Sorry, no. You’re totally right.
John Verry (36:55):
Thank you. I knew it. Could you repeat that a little bit clearer, just in case someone in the audience didn’t hear? All right. I’m looking over our list, guys. We did a pretty good job of beating stuff up. Any last thoughts before we say goodbye?
Andrew Frost (37:16):
No, I think I-
Aurore Watts (37:17):
Yeah. I think the one thing about ISO 27001 is that it does require training from privacy training. And I think there is definitely great option out there for training. But I think we’ll have to look at different training per audience. Privacy doesn’t mean the same for someone who doesn’t touch PI, but maybe see, want to know, has to understand what they are. Compared to someone that does that on an everyday basis, or maybe the one that [inaudible 00:37:57] the option, the solution. Like for example, those developers. So, it’s definitely a lot here that will be interesting to be … We seen that maybe too generic, and maybe not adapted to those different audiences.
John Verry (38:16):
Are you suggesting … I’m trying to read into what you said. Is the idea that you’re saying that most organizations are going to have to generate some of their own, internal training materials to ensure that they’re successful in protecting this PI?
Aurore Watts (38:35):
Yeah. I think a generic one is definitely great for everyone to understand what personal data are. But there is some definitely specificities that exist for each company on what type of personal information, whether they are controller, processor. I think that’s something that is really going to be different company per company. And then on top of that, you have the job of developer is really going to be involved in that privacy by design that is trying to be achieved, and therefore there is going to be a better … Definitely needs to be better training for those type of roles.
John Verry (39:21):
Got you. Andrew, I think you could probably say the same thing for 27001 as well, right? The general purpose, you shouldn’t open emails, you should use strong passwords, I think works pretty well. But I think one of the areas of weakness, I would say in general with a lot of organizations that are 27001 certified, is that they really don’t train their employees as well as they should on really what about the infosec program specifically that they’re responsible for conforming with.
Andrew Frost (39:51):
Are you talking about in terms of the ISMS itself and knowing what the ISMS is?
John Verry (39:55):
Well, even more so, how many of your clients do you think have really good training about what the obligations are of a general person that works in the organization? I mean, do they know which types of information are being protected by 27001 in terms of data classification, data handling? I mean, are they giving them the training that’s really necessary to full execute the management system or their role in the management system to develop what they’re supposed to?
Andrew Frost (40:21):
No. I definitely think it falls off a little bit, especially when they give them, “Here’s all the policies for ISMS. Read all these, and acknowledge that you’ve read them.” Because that’s what happens a lot. If you don’t have a specific, “Okay, I want you to read this and I’m going to give you a test on it,” unless you wait to that level, there’s definitely going to be things you’re not going to pick up on. I think-
John Verry (40:47):
Yeah. What changes, right?
Andrew Frost (40:49):
A lot of the times, the best security awareness training is where it’s basically specifically geared towards that company’s-
John Verry (40:59):
Yeah. That’s exactly what I’m saying. And [inaudible 00:41:03]. We’re pretty transparent here, right? We had a finding on an opportunity for improvement, I think it was, on one of our internal audits or external audits. I can’t remember what it was. Where what we had a problem was that our data classification handling guidelines said that all documents, all the reports to clients should go out labeled as client confidential, because that’s our internal classification for that data. And they found audit reports that weren’t going out that way. We went down and talked to the auditor. We said, “Hey, how come these aren’t marked client confidential?” “I didn’t know I was supposed to.” And literally, it’s in the policy. And the person literally said, “Well, I did go through the training.” It was a relatively new employee. “It never got mentioned in the training.” And you’re like, “Yeah, we’re idiots.” That was what I was referring to there, so good point.
John Verry (41:56):
Now we’re going to find out if Andrew did his homework in preparation for this, or if he’s going to make us look bad. We always close with a fun question that we end up using a lot in our LinkedIn stuff. What fictional character or real person do you think would make an amazing or horrible CISA, or DPO if you prefer, and why?
Andrew Frost (42:16):
I thought of way too many that would be horrible, so I didn’t go down that road.
John Verry (42:21):
I wasn’t on the list of the horrible, was I?
Andrew Frost (42:24):
I’m not saying anything. Sheldon Cooper from The Big Bang Theory I thought would be an awesome CISA.
Aurore Watts (42:32):
John Verry (42:33):
Okay. Let’s hear it.
Andrew Frost (42:35):
He’s completely linear. He creates his own contracts for everything that he does and everyone he interacts with. He’s great at asset management by labeling every, single thing in his life. He creates security plans for the apartment, including escape routes and all kinds of stuff like that, and he develops disaster recovery plans by having emergency kits around his house that he can run out at any point in time.
John Verry (43:03):
So basically what you’re telling me is, last night you were drinking a bourbon. You were like, “I never got around to doing that thing I was supposed to do for the damn podcast tomorrow,” watching an episode of The Big Bang Theory, and it just came to you.
Andrew Frost (43:14):
I do watch Big Bang Theory probably every day. It’s just on all the time. I love that show.
John Verry (43:22):
I would have thought you would have gone Penny. Okay. That’s just me.
Andrew Frost (43:25):
She’d be a horrible CISA.
John Verry (43:28):
Dude, do you consider her in your horrible CISA list?
Andrew Frost (43:31):
John Verry (43:31):
All right. All right, we are done. Thank you, guys. Genuinely appreciate you coming on and genuinely enjoyed the conversation. If folks want to get in touch with you, easiest way of course is just email, I’m assuming?
Andrew Frost (43:44):
Aurore Watts (43:45):
John Verry (43:49):
Excellent. All right, guys. Thanks. Have an awesome weekend.
Narrator (Intro/Outro) (43:53):
You’ve been listening to The Virtual CISO Podcast. As you’ve probably figured out, we really enjoy information security. So, if there’s a question we haven’t yet answered or you need some help, you can reach us at Info@PivotPointSecurity.com. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.