You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no-BS answers to your biggest security questions, or simply want to be informed and proactive, welcome to the show.
So this is where I usually say, “Hey there, and welcome to… ” But instead today, I’m going to say, I’m sorry. I am sorry that the quality of the podcast that you’re going to listen to is a little bit lower than our normal, relatively high standard is. And that is because we experienced some significant technical difficulties, and unfortunately this subject is so important, the transition to 27002:2022, that we tried to reschedule it, couldn’t get back on people’s calendars, and did not want to delay this getting to your ears. So apologies. Please hang in there. I will promise you that the folks that we had on, Ryan for the short period of time that he was on before he could no longer connect, he brought some good information, and Danny you’ll find out is a very, very smart gentleman and gave us some great information with regards to ISO 27002 and 27001 and where this is all going. So again, thanks guys.
Hey there, and welcome to yet another episode of the Virtual CISO Podcast. With you as always John Verry, your host. And with me today, I’ve got a double header. I’ve got Ryan Mackie and Danny Manimbo. I hope I said that right, Danny, from Schellman. How are you guys today?
No worries, man. I’m excited by this podcast, right? I’m a geek guy. So 27001 guy. I live, breathe and eat the standard. I love it. And we’ve got to change, right? First time in eight years. So this is going to be fun. And it’s exciting because you guys have been working on the teams that have been talking about this. You’ve been integral to the development. We’re probably pretty damn close to release. We have a pretty good idea exactly what it’s going to encompass. This is going to be a big change for a lot of people, so having you guys on to talk about what that change is going to be is going to be awesome.
As anyone who listens to the podcast knows, I usually ask at this point a question: tell me what you do and how you do it every day. I’m not going to do it for Ryan. Anyone who wants to know what Ryan does can go back and listen to another podcast. But I will tell you personally, Ryan is the smartest person in America on ISO 27001 as far as I’m concerned. You know I’m pompous and I think I know everything, and I think I’m one of the smartest people in the US on it, and when I don’t know what something means, I call Ryan, right? I have like the bat phone. I’m a special person. He gives me the bat phone number. So I’m just going to ask Danny this question. Danny, tell us a little bit about who you are and what it is that you do every day?
And thanks again, John, for the invite. And I need to get that bat phone so I can hopefully get in touch with Ryan a little quicker. But no, yeah, I’m Danny Manimbo. I’m a principal here at Schellman & Company. I’m based in Denver, Colorado. We’re getting some nice, nice snow in this afternoon.
Come on out whenever you’re ready. We got plenty of options out here. That’s actually why I moved out from South Florida about eight or nine years ago. But yeah, my main role at the firm is I co-lead the ISO practice with Ryan and I’m involved with [inaudible 00:03:20] attestation services, so things like SOC and HIPAA for our Mountain and West Coast regions.
All right. So I’m going to derail this a second. I’m good at derailing conversations. I’m a skier heading out west soon again. I’ve been out once this year already. Vail is taking a beating. Epic is taking a beating. You saw Vail put out the… I’m a Vail/Beaver Creek guy in Colorado. That’s typically where I’ve gone. I like this smallness of Beaver Creek. I like, of course, the bigness of Vail. Is it as bad as some of the press that I’ve seen out there in terms of the crowds?
Yeah. I migrated away from, I guess, their Epic Pass, right? Vail and Beaver and then Keystone and the such. I’ve been doing Ikon, getting out to Steamboat Springs. My sister actually got a place out there. So I like it out there. It’s a little bit more removed. I find it’ll be a bit less touristy because it’s three hours away from Denver as opposed to within that two-hour proximity of Vail and Breck and all of the big mountains. So I don’t have much feedback there. And I haven’t been doing as much skiing as I’d like to the past couple of years. We have three-year-old twins, so they have-
And now’s the time to get… Have you been watching the Olympics? Every damn one of those kids has been on skis at age like two. You’re a year behind. Your kids are not making the Olympics at this point, Danny.
I know. This year’s their year now. So they’re getting ready. Like, yeah, I haven’t seen it out there, but yeah, we’re getting the same negative press out here with how things are going, which is unfortunate, right, since that’s one of our main attractions out here this time.
So drink of choice. If we’re talking work, I’m definitely one to abuse cold brew, but we’re talking happy hour, I am in Colorado so we take our craft beer pretty seriously. Probably should have grabbed a beer myself just like you for this. But yeah, I mean in terms of the actual beer, it’s hard to narrow it down to one. I’m a bit seasonal. Like I said, right now it’s snowing. So in the winter months I tend to gravitate more towards the darker stuff, the porters and stouts. Actually named my son Porter. My wife didn’t want me to name him. I’m like, “Yeah, here you go.”
Yeah, the locals, the local breweries… I like we are in such God… If you’re a beer drinker, we are in heaven, right, with all the microbrews. You could drink a great microbrew every day from now until the time you die and never re-drink the same one, and all of them would be damn good.
You’re cut out of the same cloth as I am. All right, so let’s get down to business, right? So we talked about the big news is ISO 27002:2022. Are they still going to call it 21? What are you guys thinking?
So ISO 27002:22. And like I said, I know you guys were involved in the development. I’m curious, what was the process like, and are you happy with where you guys landed, where it’s going to be landing?
Yeah. And I can jump in here. John, as you know, we do belong to the ISO committee that is all things 27000. And they started this process about four to five years ago, and it has been a long process. And so I want to applaud all the people on those ISO committees. A lot of time and effort went into building out this new control set for 27002. A lot of debates, a lot of discussions. How it works is that it is… They include what they call experts like myself, like Danny, others around the world, and then there’s individual country delegations that have to-
So the experts come in and review and provide feedback, and then it’s the delegations that review that and then vote. And then it goes through a circulation draft to what they call the DIS. I think you guys are familiar with that. That came out I think in February of 2021, the Draft International Standard. And then that moves to FDIS. Personally, I really like what they’ve done with 27002. I think the construct of it, it’s logical. I think it’s going to be a lot easier for organizations to manage. I think the difference, and we’ll probably talk to this in a little bit. The difference of going from a control domain focus to an attribute focus is going to be hard. I think that’s going to be a more of a challenging transition to rethink the approach to these control sets, but the end result is going to be great. And it is going to be 2022. It’s actually supposed to be issued this week, and so I’ve been monitoring.
No, I would say definitely big news. You know that these came out early last year, so about this time last year, and I felt bad that we’ve been almost stringing along our clients in a way of, there’s a lot of wait and see last year because we weren’t giving a whole lot of clarity around when this thing was going to get published, right? The draft was in circulation. Things with ISO can take long with them getting through the voting and the approvals and ultimately getting published. So we did a series of quarterly webinars and some of our webinars were… We didn’t have much to update as opposed to here’s when that timeline will be. We were thinking it was going to be Q4 of last year and we were preparing our clients as such, and we didn’t know if there was going to be a transition period. So we were basically erring on the side of, “Hey, maybe there won’t be.” So let’s all be ready, which is a bit nerve-racking when you don’t know when something’s getting published and there might not be potentially a transition period, but… And we can talk more about it certainly today, but we do have more clarity now on when that publication date may be and what that transition period may look like.
And now you guys gave us a lot of work. I mean, we got to update every blog to say, instead of 27002:21, we got to go in and change the one to a two. Damn you guys.
All right. So let’s start with the basics, right? You alluded to this very interesting change that I’m really curious about, right? So we go from 14 clauses to what you’re calling four themes. Those are people, organizational, technological, and physical, and we’re using those for grouping controls. So couple questions. What the heck is a theme, why did you make such a notable structural change, and is sort of an alignment with HIPAA in any way related? I thought it was interesting you got the physical, administrative, and technical safeguards’ concept within HIPAA. And the first time I read this I immediately thought, “Seems a little HIP-ish.” So tell me how you guys arrived at that, right? Why make such a major change?
And I think, Ryan, I’ll take this, and feel free to jump in. I think the main objective of the change was really to make the controls more modernized, simplified, and versatile, and really just making it more user friendly and generally more useful, which is where things like those attributes and the associated views come into play, which we can talk about in a bit. But again, when you have the 14 domains which everybody knows is A.5 through A.18 scattered across the 114 controls, it can get a bit cumbersome. So getting down to those themes was more of a simplified approach to where now you’re just looking at four main buckets, right? You’ve got people in clause 6, which is now eight controls. You’ve got physical, clause 7, which is now 14 controls. So not a whole lot between those two, whereas the meat and potatoes of the standard is really in the technological controls of clause 8, which is going to be 34 controls. And everything else other than that falls into organizational controls, which is clause 5. So that’s 37 controls there. So it’s getting away from that control objective format that everybody’s used to in terms of clause 9 with access controls, got four control objectives that sit under it with the associated controls all rolling up to achieve that control objective, to where now, it’s a pivot away from that in a more simplified approach with those themes.
So a question for you there. One of the things which is always weird about it is something like monitoring and access control lives across lots of the different other controls, right? There’s this hierarchy and relationship between controls. So as part of that, is that logically when I think about this as organizational, technological, and physical, while there’s still going to be some overlap, this makes them a little bit more cleanly grouped? Where I think when you’d separate them by domains, the level of overlap if we looked at this as Venn diagrams, they’re just all stacked on top of each other, right?
100%. And that’s where a lot of the drop in the total control count... There was a reduction of 21, and we can talk about the control set in more detail, but that has helped with that. It’s reduced a lot of redundancies and it’s helped keep things just easier to group, right? So many of those redundant controls have been consolidated, so exactly. Keeping those buckets a little bit more segregated and easier to understand and use.
Well, I think it’s interesting because what they’re trying to do is, so it could be associated to those that are responsible for these controls within the organization. Organizational, more policy and procedure. You would assume maybe system ops, IT, physical could be those responsible for facilities, that sort of thing. So by responsibility. And I think that’s going to be a good approach when an organization takes that approach to those controls. And I think if you think about it from a HIPAA perspective, it takes the same approach. Looking at organization, that’s very common, very similar. So I think getting away from the domains, if anything, avoids a lot of the duplication that we had in the current control set from 2013.
That’s interesting. So I hadn’t thought about that, and when I look at it that way, it makes it logical. So I think what you’re saying, right, is there’s three overarching boundaries in organizations, right? Organizational, administrative, technological, and physical. And then the people are the group that are responsible for conforming with all of these controls, so they live across all of those. Is that sort of the way you’re saying it?
I actually like that. That’s smart. Yeah. Now you have me more intrigued to dig in. I haven’t dug into each of the 94 controls individually. I just stayed at the meta level, but having that context now to revisit it is really cool. All right. So we got these 14 domains. Well, we used to have 14 domains and 114 controls. We now have these four themes with these 94 controls. So we no longer need to do 20 things, right? No, that’s not it. Right? I’m assuming that there’s some combination of you’ve consolidated controls. There’s some combination of maybe things disappearing, maybe not. And certainly there’s probably some new controls. I know that’s a lot to chew. Is it easy to give folks a summary of what happened?
Yes, I can definitely jump in and give a summary. So here’s the mile-high overview. And then we can jump into more detail on any of these if you want. So I think you noted it well, and sorry if you hear my three-year-old twins screaming [crosstalk 00:15:28].
Absolutely. So it’s even more fun on video. So there was a net drop of 21 controls, right? So we went from 114. I think it’s actually 93 controls spread across those four themes or domains that we spoke about.
And the concentration of controls is particularly interesting. I mentioned with the control breakdown between the organizational clause, clause 5, and clause 8 with technological, those two actually comprise over 75% of the control set. So as Ryan mentioned, people and physical are pretty small when it relates to the whole pie. So to answer your question, yeah, 24 of the controls in the new 27002 standard include a consolidation of 56 controls in the 2013 version of the 27001 standard. So that means that basically, for each new DIS control of those 24, it has at least two, and sometimes up to four controls from the 2013 version of the 27001 standard consolidated. And I think a lot of people will applaud that because as you go through some of those domains with A.9, A.12, et cetera, A.14-
So that’s nice. Only one control from 2013 didn’t make it over in the mapping to the new version of 27002. And that was 11.2.5, which is removal of assets. And then, so the math isn’t adding up right now. So now it’s, there’s 11 net new controls. That’s what takes us to that, back up to 93, when you account for all those consolidations. And those net new controls, they’re primarily based on changes to the technological landscape since 2013, right? Lots of changes since then. We’re no longer using iPhone 5s. And a lot of that is with things like cloud services, ICT and business continuity readiness maybe as a result of the pandemic and everything we’re in now. So that’s the breakdown of some of the main changes.
So just out of curiosity, right, removal of assets is still an issue. People leave organizations with assets. Did we just eliminate that, or is that actually consolidated, or did they say, “That’s not a… ” I mean, to me that’s still a risk, right?
Oh, hundred percent. And there are still those physical security controls that have made it over to the new version of the standard. And then you’ve actually got new controls too around physical security monitoring and things like that. So I think the concept of physical security, and as I mentioned, they’ve got controls around ICT, and then folks working remotely. So I think those risks are certainly still covered. That particular control for whatever reason, maybe potentially the way it’s worded and how some of those new controls came in from a purgative standpoint, yeah, didn’t make it over.
Listen, I mean, I think you shook him. I gave him this big buildup and your answers have been better than his, to be frank. I mean, it’s kind of embarrassing. So I think that if we do another co-podcast, I’m going to introduce you as the smartest guy in America on ISO 27000.
And you’re going to have to wrangle that bat phone for me. He protects it close to him, but we’ll figure that out.
So you mentioned new controls. So new controls is a really interesting idea, right? And the reason I say that is that the way… Controls are mechanisms that reduce risk. So if you need new controls, logically there’s been a change, right? There’s context. I mean, if you follow the logic of ISO, context is changed, right? Scope, context, laws and regulations, all that fun stuff, right? Threat agents, right? Vulnerabilities have changed in order for there to be a necessity for a new control. Right? If it’s a “brand new” control. So when we look at those 11 new controls that you mentioned, how would you characterize them? Is it due to this change in context? Is it that they’ve regrouped them a little bit? Eight years ago the world was a very different place. I mean, the level of cloud utilization as an example was radically different today than it was eight years ago. So explain how did we end up with these 11 new controls? Tell me a little bit about them.
It’s interesting to me, and when I read over them, I had a couple theories. One, we’re still not quite sure what’s happening. We can talk about it in a bit too. What’s happening with the extension standards on top of 27000?
… you’re talking about threat intelligence, data leakage prevention, security in cloud services. So you’re almost grabbing controls that are within those realms of those extension standards. So maybe they’re even doing a further consolidation of some of those extension standards into 27002, so we make it more all-encompassing. Because things like GDPR have come about significantly. There’s a lot more eyes on privacy and certainly cloud security. So those things are some of those, and the remote work environment, and were companies really ready to transition during that pandemic? Some were pleasantly surprised. Others were pleasantly unsurprised, I’m sure. So now they’ve got controls around that. So I think a lot of those new controls are as a result of some of those changes in the technological landscape either over the last 10 years or even more currently since spring of 2020 with the onset of COVID.
That was a really good answer because your answer was intriguing. Intriguing to me in terms of I hadn’t thought about that component. I thought of this translation of 27002 to 27002. Right? But when you logically think about it, these other standards that you referenced, they’re use case extensions. And at the time that they were produced 27017, the level of use case of cloud wasn’t sufficient that you needed to incorporate it into 27002 privacy, right? 27018. Again, we didn’t have GDPR eight years ago. We didn’t have APAC. We didn’t have CCPA. So that’s really a very interesting question is, when do we collapse those requirements into the standard? Or should they not be because they’re going to be use cases where an organization wants to leverage the 27002 control set but isn’t beholden to privacy, right? They’re not processing private information. So that’s a really interesting… I’d love to have… And I’m not enough of an expert as you pointed out, Danny. I mean, thank you very much.
Yeah. There’s a couple interesting things there. So 27017, that version’s on 2015, right, as you mentioned. What’s that? Seven years ago. So cloud certainly changed a lot since then. That one is actually currently undergoing a revision, right, because those things get revised every seven or eight years. So we’ll see what happens there. But like I said, there have been some of those types of themes brought into this 27002 control set. And it’s only seven extended controls as it is. So I’d be curious to see what they do with that. And 27018 is an interesting one because you know what happened in [crosstalk 00:23:05].
Exactly. Because that basically made that control set obsolete, because if you look at the mapping of Annex B or Annex A and Annex B in 27701, obviously 27018 is specific to processors. And they actually have a mapping within 27701 in one of the annexes which shows I think it’s all but two or three, maybe even more, of those 25 extended controls from 27018 are covered through 27701. And organizations are getting more value out of that standard because it’s a management system standard. It’s a framework. It’s something that has a little bit more meat and potatoes to it than just an extended control set. So you’re wondering, what is the future of 27018? Do we even need it anymore? So those are some of the unknowns and interesting questions that are starting to get talked about in some of these committee meetings that Ryan and I are attending, so we’ll see. That one’s on version 2019, so the way ISO works, they’ll probably not start a revision for that for a bit. But again, with the popularity that 27701 has had, it’ll be interesting to see what happens.
So one side of me says, “We don’t need 27018 anymore,” right? It covers processor and controller. It’s aligned with GDPR, APAC, all of the major frameworks, right? It’s in the testable standard, right, so we end up with a certification, which is a huge marketing value, huge third-party attestation value. The only thing which is interesting to me about 27018 where I think it could provide value is if my business, as a business, I wanted to demonstrate that I had a reasonable privacy program, but I didn’t want to go to the additional cost of a 27701 certification. Right? So I do think that there’s a point where it might provide some value, but I think these are fascinating conversations to have as somebody who lives in the ISO 27000 family.
So let’s talk about something else that was entirely new, and this was really interesting to me, attributes. And when I looked at that, there was one particular attribute that immediately caught my eye, and that was cybersecurity concepts. And the reason that it did was because of that direct alignment with the NIST Cybersecurity Framework IPDRR model, which stands for identify, protect, detect, recover, and… No. Recovery and react. React and recovery?
I forget. The two Rs are do something about it and then recover. Right? So how do you think organizations are going to think about using these themes? And I know there’s an interesting guidance in Annex A that I think at first blush, I think most people are going to struggle with.
Potentially. I mean, it’s a lot of information. Right? You look at the table, there’s several columns for each control, and they’ve got all these attributes, and what am I supposed to do with these? But I think if you break them down in silos, you can determine how they might work for you. And the key thing, I mean, a bit of an ISO nerd and probably why I’m on this podcast, but I mean, these are actually my favorite part of the new 27002 standard because they’re generic enough to be used by anybody. You can customize them, but by no means are they… They are meant to be tools to assist with what are you using the controls for, right? You’re using them to mitigate risks identified through your risk assessment process. You’re using them through your risk treatment process. You’re new to ISO. You’re using them to assist with the controls implementation process if you have a new management system. So this now breaks it down to where you can filter, sort, present these controls in different audiences to make them make sense to what you’re doing.
So for example, you look at the different, I think there’s five attribute types. You have control types, you have information security properties, you’ve got cybersecurity properties, which you just mentioned, operational capabilities, and the last one is security domain. So the first three we can probably spend a minute talking about, but control types is cool because if you look at that one, it breaks it down into whether a control is preventive, detective, or corrective. Right? Pretty straightforward. But I mean, it takes the guesswork out in terms of when you’re going through, especially if you’re new to ISO and you’re going through that risk mitigation process, okay, it keeps you honest. It’s okay, do we only have detective controls here, or do I need to evaluate and determine, okay, are there any preventive controls or those corrective controls that we need to add to this process as well? So it really does keep you honest in terms of ensuring when you’re looking at that inventory of controls that you have, are they versatile enough to accomplish the task, which is mitigating that risk sufficiently, right? So that one’s nice.
I mean, information security properties, I mean, that takes you back to CIA, right? I mean, that’s one of the requirements of clause 6.1.2, that we can have challenging conversations with clients sometimes because, hey, of course, we’re assessing confidentiality, integrity, and availability risk as part of our risk assessment process. And when it gets to demonstrating that, there’s a little bit of a disconnect to where now you don’t have to do the guesswork of each of the controls. It’s done the work for you. This is a control around availability. This one will protect against confidentiality. This is the combination of all those. Again, it just, I think, makes things more streamlined and easy to follow and understand when you’re going through the risk assessment process.
Deca, deca? Something like that. But you know what? If anybody who’s listening can actually correct me, go right ahead. Right? That’s one of those ones most people are not going to remember. I’m an engineer. I should remember it, but it was a long time ago. I mean, I’ve been out of college at least eight years at this point.
So is it sort of like a, my cybersecurity program is a six-sided cube… Well, it’s no longer a cube. Decahedron, and I’m actually able to rotate the cube and look at my program from these different, where we’re referring to them as attributes. Right? If I want to understand from a… As a business person, I really like the IDPRR model. I like the idea from a CIA perspective, right, that I understand this control. If I’m worried about data leakage or if I’m worried about the confidentiality of the data that, hey, these controls help that. Right? And do I have enough of them? And then I can spin the cube again, and I can say, “Okay, from, oh, in this particular domain, right, I have a great ability to detect that somebody’s in Salesforce that shouldn’t be, but I have nothing, but I have no ability to prevent someone from coming in, and I have no ability… ” You know what I mean? Is that really almost what the value prop is of these attributes?
I think so. And I think one of the big takeaways from this new 27002 standard is that it’s important for folks to understand that it’s so much more than just in controls, right? Tools like these attributes that use and some of the other qualities and additional information and tools that you get are really a holistic toolset to really optimize your ISMS. Right? And if your ISMS has been staying up to date with technological trends, with changes in regulations, and things like GDPR that we spoke about before, I mean, it should be well positioned to absorb this change. But I think it’s really going to benefit, not just newer folks, but folks who are transitioning too, because it’s done, it’s got the mappings, it’s got the additional visibilities and qualities of each control that you can really take a deeper look at your ISMS in terms of, “Okay, we stood this up and we’ve been certified, but can we make improvements?” You know what I mean? “Are we missing things, that we’ve been certified, but how do we do better, right?” The continual improvement, right? I mean, everybody’s doing that with clause 10 with their ISMS, but this gives you some additional insights that are there. And like I said, take out the guesswork, which I think is nice, because ISO’s already done that heavy lifting for you.
Thank you. I mean that sincerely. That gave me a much better perspective on what we’re trying to accomplish with those attributes, and I feel like I learned something there, so I appreciate it. And I also do like that, I’m assuming it was part of the reason, and I do think it brings great value, especially for anyone in the critical infrastructure, that having IPDRR overlaying so that anyone that’s using the NCSF, right, NIST Cybersecurity Framework, that they can look at the controls they’ve implemented there. And those are grouped by that IPDRR, and I can look at my ISO with the same thing. It makes it easier for me to conform with NIST Cybersecurity Framework as an ISO 27001 certified company.
And with the presidential executive order and with CISA, the Critical Infrastructure Systems Agency taking on such a more prominent role, and I think the government taking a more prominent role, I think that’s going to provide a lot of value to a lot of people. So that was well done.
So it was also interesting that these attributes are actually hashtags. So is that so I can tweet about my information security controls, or is there some… Which I don’t think is going to be very popular, by the way. “We implemented… “
You know what? I guess it was like the Venn diagram. You’re the expert on ISO. I fit into the expert on ISO and social media because I’m such a social media darling. So that explains it. I don’t want you to feel as insulted as I felt earlier, Danny. I mean…
I’m not even on Twitter, so I’m not that cool. But no, I think they’re trying to follow the Twitter model of just keeping these things searchable. But any type of conspiracy theories beyond that, I’m not privy to.
So we already talked about that we think we’re going to see 27002:22, if not today, next week. And by the way, we’re recording this on February 11th for anyone that’s listening. So you already touched on this as well, but I’m curious if you do know anything. Do you have any idea when we’re going to start to see updates to the other docs in the 27000 family? And I think the most important one, right, I think we would agree, are you going to be able to be ISO 27001 certified with… Because you broke Annex A.
Now anyone who’s in ISO already knows, technically you don’t need to use Annex A controls anyway, but everyone does. Right? I think we can agree to that. So what’s going to happen? Do you expect that 27001’s going to be updated pretty quickly and then they’ll figure out the other 27000 family?
So this is probably the most important piece that we were missing last year when we were broadcasting out these updates and starting our communication campaign of letting folks know what was going on. So what it looks like, as you mentioned, we thought 27002 could have been updated or published by today. It hasn’t been. So let’s say-
I’m doing it old school for a slash on the ISO page. So what’s going to happen next is important, right? And this is what we didn’t know before. So even when the 27002 standard gets published, people aren’t certified against 27002, right? They’re certified against 27001, right? So what’ll happen next is, there’s a couple unknowns, but 27001 will be updated. Whether that’s going to be an amendment to the 2013 version of 27001 or a whole new version, 27001 becoming 2022 instead of 2013, remains to be seen. But that timeline is likely as early as April and I think as late as June. So you’ve got about a three-month window there of when things will be updated based on voting and approvals, et cetera. Again, you know the rate at which ISO moves. So that’s important because we didn’t know when that was going to happen, and we also didn’t know if there was going to be a transition period. What we’re hearing is that the IAF has currently drafted what looks to be a two-year transition period.
So more likely than not, we’re looking at… That’s going to be interest… One of the cool things about that is that, and you probably have the same problem, right? We have a problem where, because of the October date of the last one, September, August, July, we are jammed with internal audits, right, and you’re jammed I know from September, October, November, December with audits. Right? So at least that might start spacing them out a little bit, but then we’ll probably end up with a jam up in that timeframe.
But one of the good, good things for people who are listening to this that are ISO certified, it would be good to do that a little bit earlier and do it in a timeframe that you’re not going to be stuck in that, because I know that we charge a premium for audits during that timeframe because we just don’t have enough bandwidth. And I know that a lot of the registrars do as well. So hint, if you want to save a few bucks, you’re probably better off trying to align your transition not to be aligned with the actual deadline.
Correct. And why that two-year window is important. And again, that’s just what it’s currently been drafted as. I don’t think it’ll be anything less than that. Because let’s say for example, this thing goes live. 27001 gets published June 1st of this year, 2022. You have 12 months. Unless your audit’s happening in the month of June or July, I mean, you really probably are forced to do the new version of the standard because otherwise let’s say your audits in Q4, it’s in December, and you, “Okay, I’ll take advantage of the transition window. I’ll do it under the 2013 version.” Well, guess what? By 5/31 of the next year you have to be transitioned to the new version of the standard because that’s already 12 months. So now you’re doing two audits in six months. You know what I mean?
Oh my gosh. I didn’t know that that’s the way it worked. So you’re saying that you would actually… I thought what would happen is if I decided not to transition, I’d get effectively an extra six months. What you’re saying is that if my certificate is dated in the middle of that period, my certificate becomes invalid.
Well, I guess what I’m saying is… So if it gets published June 1st, you have until 5/31 of 2023 to be certified under that new version of the standard. So like I said, depending on what time of year your audit falls… If you’re Q3 of 2022, you’re probably in good shape and could do the 2013 version and maybe do your audit a couple months earlier the next year. So you’re doing that, your second audit in maybe May or something along those lines to get your certificate under the new version of standard. But if your audit’s in Q4 or Q3, or a Q1 of 2023, you have no transition effectively because you’re not going to do two audits in six months. You know what I mean? In the new version.
So yeah, it’s based on whenever that 27001 goes live, that’s when that transition period starts. So that’s why it’s nice that it’s two years because now everybody in their first audit following the publication of the 27001 can take advantage of doing the 2013 version still, if they want, kind of doing the status quo working on the background on their transition. And then their next audit, assuming it’s before 5/31… Again, this is a made up date, but 5/31 of 2024, go ahead and transition then.
Is there a weird circumstance where… What happens if my certificate, my 27001:2013 certificate expires, right? I’m at the end of my three-year cycle. So you can’t… I would assume you can’t renew. Can you still re… So let’s say, so June 1st it goes into effect. And now my certificate ends, and I’m due for a new certification audit in August. Are you able to come in and still issue a 2013 certificate at that point? Or because it’s a new certificate, does it have to be issued? Do I end up in a tough spot that way?
Yeah. So we’ve heard rumors around that of if you’re a new certificate or if you’re in a re-cert year after the standard’s published, you have to do the new version of the standard. I haven’t heard that validated yet. Again, we’re just hearing about the transition period. So I think you’re still in the same bucket of-
Logically, you should still be in the same bucket, but it’s weird then because that would mean that you would be issuing a certificate, a new certificate for a standard which has not quite expired, but it’s no longer current. That’s interesting.
I think you’re going to have to. I don’t think they’re going to allow that to happen because just by luck of the draw, if my certificate expires on June 2nd, you couldn’t issue me… You know what I mean? I couldn’t possibly have made the transition by that point. All right.
And maybe someone needs to budget more money for the transition. Maybe they need to rewrite policies. Maybe they need… Maybe we figure out that you need new technology to manage cloud infrastructure. You got to move to CASB or something like that is usually the best way to implement a particular control and you don’t have the money yet in your budget.
And we’d advise it anyways. And the other interesting thing for us CBs, and I guess a downstream effect to our clients, is if it is a change to the standard where it’s republished as 27001:2022, we’re accredited by ANAB and UKAS, and we’re going to have to get accredited now under that new version of 27001. Just like we had when 2013 came around versus being accredited for the 2005 version, we had to get accredited for 2013. Versus just an amendment, we can move forward as we normally would. But that would mean until we get accredited for the new version of the standard, and every accredited certification body would be in the same boat, we can’t issue certs against the new version of the standard. So that’s the big unknown there, is it an amendment to 2013 of 27001 or is it a change to 27001:2022?
I don’t think they’re going to want to go to a 2022, right, because usually they don’t revise them for seven or eight years. I think they’re more likely to extend it. And the reason I think that as well is they worked hard to align the management systems across different standards, and changing the management system of 27000… I think they’re going to want to align. So as an example, what is it, 2018 or 2015? I can’t remember when they did it. They realigned the ISO 9001 to match up with 27001.
Which for anyone that’s doing both, has been really a lot of help. So I don’t think they’re going to want to break that alignment. So my guess is that you’re going to see the management systems fall in line with each other so that way we’re not penalizing people that hold multiple standards, right? If you’re on 20000 and 27001 or 9001 and 27001, it would be unfair to break that alignment.
Agreed. And that’s the other thing about this that makes it… We talked about it being a pretty achievable transition, assuming your ISMS is up to date, et cetera, because it’s really just a controls change. It’s just Annex A. It’s a lift and shift, right? They’re taking the A.5 through A.18, kicking it out the door, and bringing in the new four themes that we spoke about. Nothing’s changing to the clauses. So that’s what makes this a pretty manageable thing. Had they blown away the controls and started fresh with clauses 4 through 10, which, like you said, they’re not, that would’ve made this a pretty daunting thing. But because the clauses are staying the same and the controls are mostly a consolidation and a slight modernization, I think that’s what makes this a pretty achievable thing.
No. I just suppose for potentially your listener out there who might be a little bit nervous about the transition, there’s always some nerves that come with the transition, but if you’ve been listening to what we’ve talked about, about the tools that have been provided through 27002, about the fact that nothing in the actual framework clauses of 4 through 10 is changing, and some of the other, the timelines in the transition period’s mappings, I wouldn’t be that nervous. It seems like you are going to be well positioned. If you haven’t obtained a copy of the standard, certainly do so once it comes out. But once you read through it, I think you’ll be pleasantly surprised. I mean, once you can sort everything out, and hopefully this podcast will help you do that, of, okay, this is a pretty achievable thing.
I mean, what takes the longest when something is updated? The mappings, right? Every firm might have a slight nuance on their own and you’ve got to try to figure that out for yourself. But now that it’s done, it’s, “Okay, now I just got to maybe re-code.” I mean, it’s going to be some work, but still a very achievable thing. So I would tell them not to be too worried, and take advantage of the transition period certainly as much as they need to. But definitely, it’s not something to be scared of.
No, I don’t think it’s… I mean, look, it’s going to be work. It always is work when a framework changes. The good news is that I think if you look back to 2013 and the transition at that point from 2005 to 2013, there’s a lot more people that are using GRC platforms, right? That’ll simplify a little bit of the change, right, because the mapping’s built into the platform. As the GRC platform vendor adds that mapping in, when you look, you’ll have a new view of your old controls that’ll automatically be cross-referenced and make it a little bit simpler.
And then I think the second thing that people are going to have to do is update their controls, excuse me, update their policies and procedures. There can be some challenges there. That’ll be a little bit of work. But I think we’re going to end up at a better place. I mean, I’m very optimistic about the framework. I think on review, and especially after this conversation, you guys did a great job. Or actually, technically Danny, you did a great job, on really explaining things. I think you’ve given people a really good perspective that this is not going to be too painful, so thank you.
So for anyone who’s listening, I was busting chops on Danny early on in the conversation. I was going to pull up some arcane ENISA standard and make him look foolish. So what did you prepare for the amazing or horrible CISO question or should I skip it?
Ryan told me who he picked, so I’m going to try to top him on this one. So for worst, let’s go back to early ’90s to Jurassic Park. I went with Dennis Nedry’s character in that one played by Wayne Knight. He’s the programmer who tries to steal the dinosaur [crosstalk 00:46:57]-
So he tries to steal the dinosaur embryos from the island, right? And we all know he’s taking advantage, certainly a technically savvy guy, takes advantage of his access, but we all know how it ended for him. So certainly-
Yeah, exactly. Certainly a guy with brains, but definitely lacked the integrity you’re looking for in a leader. And for best, I’m a University of Miami guy. Go ‘Canes. I mentioned I moved to Colorado from Miami back in 2014, I think it was. So I’ve got to go with Dwayne “The Rock” Johnson for the best. As far as-
You go back to, what was that class? 2000 is it? When you look at the picture of 2000, what’d they end up with? Like Warren Sapp and Mark Bavaro and didn’t they end up with five or eight Hall of Famers out of that one team?
Well, Jimmy was the era before that in the early ’90s before he went to the Cowboys and still was having a ton of success there. But yeah, fun fact about DJ or The Rock is he actually gave my commencement speech for my graduation in 2009.
So yes, everybody knows how old I am now, but that guy, I mean, if you think about it, I mean, a lot of people look at him and, okay, great athletic career and movie star, but I mean, you don’t realize the following that guy has. And he started successful businesses. He’s got the Teremana tequila line, which is doing really well. He’s got an energy drink. I mean, every time I… The amount of followers are probably in the millions on social that he has. He’s just such a hardworking, inspirational guy that gets such… It’s hard to find somebody who’s like, “Oh, I can’t stand that guy.” You know what I mean? It’s just like, what’s not to like about him? I mean, he’s got the whole story of having seven bucks in his pocket. And I mean, he told that in our graduation. He’s told it probably a million times since, but to build himself into the success he is. And people of all backgrounds like him. I mean, that’s why he’s probably in conversations to be POTUS one day, which not to make this a political thing, but I mean, to even have your name in that conversation is pretty cool.
And I do some of our new manager trainings at the firm, and we talk about leadership a lot. And in my opinion, it’s different between being a manager and a leader, right? Being a leader, in my opinion, is taking people of different backgrounds, skillsets, motivations, and getting them to accomplish a mission or a task or an objective, right? I mean, that’s leadership. And with DJ, I mean, there’s not a lot of people who wouldn’t fly through a brick wall with that guy. So in my opinion [crosstalk 00:49:50]-
But when you see… Have you ever seen… There’s a great clip on YouTube of him and Jack Black. I guess they were in a movie together. And the two of them sitting side by side, and it really gives you a perspective of how big Dwayne Johnson is. Yeah, he’s a scary man. Right?
Or honey and vinegar. Like that old line, you attract more flies with honey than you do vinegar. Right? He is that perfect combination of those two where he’s charming so you want to follow him, but if you don’t, you know that you can’t run fast enough to get away from him, and if he catches you, he’s going to kill you.
All right, man. Well, listen, first off, I want to thank Ryan for deciding to leave our podcast for something else. Right? And I would also like to thank Danny who I now consider to be the smartest man in America on ISO 27001.
Ryan used to wear that crown, but clearly, you know what? I’m not thinking so anymore. So if I have questions about 27001 from this point forward, Ryan who? That’s all I’m going to say. All right. So we’re going to say our farewells. If folks want to get in touch with you or Schellman, Danny, what’s the best way to do it? And by the way, by the way, probably should’ve said this at the beginning, Schellman is a fantastic company. We have a ton of experience working with organizations that use Schellman as their attestation partner. I hold them in an extremely high level of respect. We happen to work for many of the same companies, and all of the companies that we work for that work with Schellman are very happy with the people there. They’ve got some great people, Danny included. So thank you to you for coming on, and Schellman’s a great company if anyone’s looking for somebody.
Yeah, thankfully. But if folks want to get in touch with the firm, I mean, certainly we’re on all the social platforms. Easiest way to get in touch with me, I suppose, is just LinkedIn. I mean, just Danny Manimbo, and I’m on there quite frequently. So very much a pleasure and-
You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. So if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.