August 11, 2020

Prepping for an ISO 27001 audit can be a nerve-wracking process. 

But it doesn’t have to be. 

You just need to know what you’re getting into. 

And Ryan Mackie, as Principal and ISO Practice Director at Schellman & Company, is the perfect person to guide you through an audit. 

In today’s episode, he covers:

  • Both stages of the ISO 27001 audit process
  • What to expect on the day of the audit
  • What to look for in a registrar (and what to avoid)

To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.

If you don’t use Apple Podcasts, you can find all our episodes here.

Time-Stamped Transcript

This transcript was generated primarily by an automated voice recognition tool. Although the tool is about 99% accurate, you may find some small discrepancies between the written content and the native audio file.

Narrator (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice and insights for security, IT, and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:29):

Hey there, and welcome to another episode of the Virtual CISO Podcast. I’m your host, John Verry. And with me, as always, the Louise to my Thelma, Jeremy Sporn. Hey, Jer.

Jeremy Sporn (00:42):

Hey, John. How you doing today?

John Verry (00:44):

I was doing better before I was referred to as … Am I Thelma? To my Thelma, yeah.

Jeremy Sporn (00:48):

Does it matter?

John Verry (00:49):

Yeah, it’s true. I don’t know if I find either … I mean, basically, should people get the idea that this podcast is careening off a cliff? Is that … which is really not far from accurate, right, at this particular moment. It’s not far from accurate. So before we do go fully off the cliff, what did you think of my conversation with Ryan?

Jeremy Sporn (01:10):

You said, right at the beginning of your discussion with Ryan, if there’s anyone who knows more about ISO 27001 than you, it’s Ryan Mackie. And I think he flexed his knowledge quite well. He is such an experienced guy in this world. He has so many little tidbits of helpful information, those details in the cracks to really help people who are looking to become ISO 27001 certified, just a really cool conversation. 

John Verry (01:37):

Yeah. When I grow up, I want to be as smart as Ryan Mackie. 

Jeremy Sporn (01:41):

When you grow up, that’s a long time from now. Anyway-

John Verry (01:45):

Exactly.

Jeremy Sporn (01:46):

But Schellman & Company has a great reputation in the ISO 27001 auditing space, and Ryan definitely represented them well. 

John Verry (01:53):

Yeah. Yeah, I think it would be fair to say that they’re one of the top auditor assurance firms in the U.S. In fact, in addition to the fact that we work with a number of the same companies, they’re actually our ISO 27001 registrar. So, yeah, he’s good, and I think they’re good as well. 

Jeremy Sporn (02:11):

Awesome. Schellman and Co. has a great reputation like we’ve said, in the ISO 27001 auditing space. If you’re thinking about going for ISO 27001 certification or on your way, you will find this very, very helpful. Ryan gives you a look into that perspective of an auditor, which is really super helpful to understand when they’re the ones you need to convince that you have implemented ISO 27001 correctly. 

John Verry (02:39):

Absolutely. Okay, let’s get to the show.

Ryan, how are you, sir?

Ryan Mackie (02:44):

I’m good, John. Good to see you. 

John Verry (02:47):

Same here. I hope you’ll forgive me. We booked this podcast before I realized I was going to be trying to spend a family vacation, which we took at the last minute, so hopefully, the noise won’t be too bad. And hopefully, I won’t make you too jealous sitting here, although it’s 103 degrees right now. 

Ryan Mackie (03:03):

Well, you know, not jealous. Yeah. Well, in St. Pete, we get our fair share of warm weather but nice view. I mean, at least I get a nice view. You’re looking at me. 

John Verry (03:15):

Yeah, which is really not quite that nice a view.

Ryan Mackie (03:19):

I’ll try to make that better. 

John Verry (03:21):

Yeah, yeah, yeah. So if anyone hasn’t figured out, Ryan and I know each other pretty well. And actually, all kidding aside, I like to think that I know a lot about ISO 27001. I’m pompous that way, but Ryan’s the guy that I call when I don’t know the answer to something. 

Ryan Mackie (03:35):

Thank you. 

John Verry (03:35):

That’s about the nicest endorsement I can make. Let’s start easy. Tell us a little bit about who you are and what it is that you do. 

Ryan Mackie (03:42):

Sure. Well, Ryan Mackie, I think you’ve already mentioned that. I am a principal with Schellman & Company. We are a CPA firm based out of Tampa, Florida, and one of the only providers under one entity that can do SOC, ISO, HITRUST, PCI, FedRAMP, etc. I joined the firm about 15 years ago, just a little over 15 years ago, actually, and obviously worked my way through the ranks. About 10 years ago is when we started our ISO practice, and so we went through the process to get accredited, and we did with ANAB 10 years ago. That was just for 27001. Since then, we do have dual accreditation with UKAS as well. And then we do ISO 9001, 22301, and then 20000-1 as well. So-

John Verry (04:32):

You left off 27701, one of my favorites.

Ryan Mackie (04:35):

Oh, yeah, and 27701.

John Verry (04:37):

I’m going to tell Debbie on you. She’s not going to like it. 

Ryan Mackie (04:41):

I mean, 10 years ago. John, to get accredited, you have to find a candidate so that the accreditation body can witness you do an audit, and get comfort that you actually know what you’re doing. We had a heck of a time trying to find somebody 10 years ago to explain to them what 27001 was, and say, “This is why it’s important, and you should do it.” Much different environment right now. 

John Verry (05:07):

Yeah. It’s funny you should say it because I’m actually a 27001 certified lead auditor, and it’s the same thing. Right? They have to observe. In order to get your certificate, you had to pass the exam, have [inaudible 00:05:18] $500.00. But they also had to observe you working with a client on 27001, and-

Ryan Mackie (05:07):

Did they?

John Verry (05:23):

Oh, yeah. And it was the same thing. It was like, “Okay.” We got lucky, and this was 2006 or 2007, which is the first project we did. And it was an entity that happened to be in New Jersey, one of the first ones in the U.S. to achieve it. So I actually, literally, I called them up, and I knew a guy there and said, “Can I come in and help you?” And he said, “No, we don’t need any staffing.” I’m like, “No, I’ll come in and work for free.” He said, “What are you doing that for?” I said, “Because I need to be observed for a day.” So I went in and actually worked with them for three or four days, and the guy observed me for about a day and a half of it. So yeah, I hear where you’re coming from.

Ryan Mackie (05:23):

What was the feedback?

John Verry (05:56):

It was just that they wanted to ensure … One of the things that I like about-

Ryan Mackie (05:59):

No, I mean, if there was anything negative on the observation. 

John Verry (06:02):

Oh, okay. Well, besides the fact that I’m a loudmouth know-it-all, he said, “No, it went pretty good.” But isn’t that what auditors-

[crosstalk 00:06:09] That’s one of the things you look for in an auditor, right? 

Ryan Mackie (06:11):

Continual improvement, you know? 

John Verry (06:14):

Except for ourselves. Alright, so let’s assume for the purpose of this conversation, we’re back 10 years ago. 

Ryan Mackie (06:21):

Okay. 

John Verry (06:21):

And I’m chatting with some people that are perhaps a little bit less knowledgeable in this and get them knowledged up, so let’s start easy. What’s an ISO 27001 certification audit, and who is it that performs it?

Ryan Mackie (06:32):

An ISO certification audit for 27001 is specifically with regards to making sure that the management system for the organization meets the requirements. Right? And so what we do is, it goes not only from a design perspective, but to get certified, we have to make sure that the organization processes, controls, everything else is operating effectively as well, not only in conformance with the requirements but also to make sure that they’re meeting their own internal policies and procedures. Right?

The certification is performed by a certification body, an accredited certification body, and so you have to be a certification body to actually go out there, perform the audits, and then issue the cert with that mark on it. 

John Verry (07:15):

Gotcha. And then, so a certification body, now, you’re a certification body, and I often refer to you guys as a registrar. Right, an ISO registrar?

Ryan Mackie (07:23):

Sure, yep. 

John Verry (07:25):

Who validates you?

Ryan Mackie (07:27):

Yeah, so as a registrar certification body, it’s one and the same, so we are accredited with ANAB and UKAS. Right? So there’s accreditation bodies out there. Their job is to make sure that we meet our own requirements, but also extended standards within ISO. Right? What they have to do is they have to do an annual office assessment, pull reports and projects, and everything else, to ensure that we’re doing what we should be doing with regard to the standards we have to conform to. 

And then they also do annual witness audits, much fun, especially in the time of COVID because before, they would sit in the room, and it’s uncomfortable having somebody just sit there and watching you. And they can’t interact at all. 

John Verry (08:14):

Now they’re doing it virtually? That’s got to be bad.

Ryan Mackie (08:15):

Oh, and they just turn the camera off, and so you don’t even know what they’re doing, what they’re looking at, what they’re eating. But the whole idea is to make sure that as a certified registrar, or certification body, that we’re conducting the audits the way that we’re supposed to. Right?

John Verry (08:33):

Gotcha. And then there’s also a requirement that … Talk a little bit about the requirement to have an ISO 27001 certified leader and that stuff, the second part of that equation. 

Ryan Mackie (08:42):

Yeah, absolutely. And so with that, so the standards that we have to conform to and specifically with regards to 27001, auditors have to be 27001 lead auditor trained. Right? You cannot do an audit, or you can do an audit. I’m not going to get into the weeds of it. But you can’t apply audit time, which is the minimum of what we have to apply to make sure that we can go ahead and get the cert issued. We have to have lead auditors, trained lead auditors to be able to go out and actually do those audits. And it’s with regards to any standard, but specifically for 27001, they have to be 27001 lead auditor trained. 

John Verry (09:24):

Right. I actually have that certification, and I know you do as well. 

Ryan Mackie (09:27):

Yeah. 

John Verry (09:28):

It’s not an easy certification to get because they do really enforce, I think the number is 250 or 500 hours of 27001 audit. And then, when I got it, which was in 2006-ish, they actually used to do witnessing of you working with a client. 

Ryan Mackie (09:41):

Yeah, yeah. 

John Verry (09:42):

Same things still now?

Ryan Mackie (09:43):

Yeah. 

John Verry (09:44):

Yeah. 

Ryan Mackie (09:45):

I don’t know if they still do that. I think we’ve gotten to a point now where I think the return on actually witnessing the amount of 27001 of lead auditors out there is-

John Verry (09:55):

It’s thousands.

Ryan Mackie (09:56):

Yeah. But that in itself, again, for the standards we have to conform to. 

John Verry (10:02):

Gotcha. 

Ryan Mackie (10:03):

We are required to make sure that our team is competent, and so not only with regards to 27001 lead auditing or lead auditor training, but you have to do evaluations on your team. And this is for any certification body to make sure that they’re still competent, and they can still go out there and do the audits. 

John Verry (10:21):

Gotcha. We’re going to have our certification audit. We’re going to engage a registrar. That registrar is going to have an ISO 27001 certified lead auditor that works for them or is a third party to them, and then they’re going to come in and conduct this audit. And they do that in a stage one and a stage two. Can you explain what stage one and stage two is? And it will be helpful when you do that if you differentiate the concept of the ISO 27001 clauses versus the Annex A controls. 

Ryan Mackie (10:50):

Yeah, absolutely. So the whole objective of the stage one is to make sure that the management system is ready for stage two, so that just as basic as you can get. And when I say that, so 27000 is, again, a unique standard with regards to management systems as, John, as you had mentioned. They have management system requirements, and then they have Annex A, which is a list of 114 control activities that support that management system to mitigate that information security risk. Other management system standards like 9001, 22301, they don’t have a control list like that. 

And so when we come in and we do a stage one review, we’re specifically looking to make sure that the organization has designed the processes, people, policies, et cetera, to be able to demonstrate that, from a design perspective, they meet the management system requirements. Right? And that’s clauses four through 10 if you’re familiar with the standard. So we come in, and I don’t want to say kick the tires, but we just get comfort that, okay, can the management system itself undergo a stage two review?

Stage two review is a completely different story, right? And from that perspective, we have to make sure that the management system is in full conformance with the requirements, all the controls in place that they’ve identified as being applicable based off of the risk assessment are in place and effective, and that they’re meeting their own internal policies and procedures, so it’s a much, much deeper dive, right, compared to the stage one. 

The stage one is just making sure from a doc review, “Okay, can you undertake a stage two review.” And then we get to the stage two, and then that’s where we … It’s a full system audit and a lot of testing. 

John Verry (12:38):

Yeah, it’s funny, and they often refer to stage one as a tabletop review for that same reason. 

Ryan Mackie (12:43):

Yeah. 

John Verry (12:43):

You’re sitting in a conference room, and you’re looking at documents largely. 

Ryan Mackie (12:46):

Yeah. 

John Verry (12:48):

I picked up on a couple of things you said. I love the way that you said managing information security risk, which is something I always refer to ISO as a risk management framework. 

Ryan Mackie (12:57):

Sure. 

John Verry (12:57):

An information security risk management framework, so I love the way that you said that. And then, the other thing which is interesting is how … I think most people are very comfortable with the stage two because it’s the type of audit they’ve gone through before. But if you’ve never gone through a stage one, that first one is odd because you guys are sitting on the opposite side of the table. The meaningful part of 27001 is what, 10, 11 pages?

[crosstalk 00:13:24] Right?

Ryan Mackie (12:57):

Yeah. 

John Verry (13:26):

And you’re literally going clause by clause, and we might be sitting there for 12 hours. Right? 

Ryan Mackie (13:31):

Yeah, sure. Yeah. 

John Verry (13:32):

So you’ll literally go a page at a time, and you’re asking questions like, “Demonstrate that the information security management system considers the impact confidentiality, integrity, and availability as impact criteria. Go.”

Ryan Mackie (13:44):

Yeah. Well, and as you know, though, when you talk about other audits, and we’re talking about if it’s SOC, PCI, anything else. You’re so right on that the stage two is going to be more familiar to an organization that undergoes other audits only because it’s heavy on the control testing part. What’s unique about 27001 is the management system. There’s really no other standard out there that has those same requirements. And so, for that reason, maybe that’s why we go clause by clause to make sure that the organization actually understands, “Okay, what do I need to do for a management system?” Because they’ve got the controls down. 

John Verry (14:27):

And that’s what makes me a fan of ISO 27001 is the fact that it has the management system, and it’s the process by which you rationalize the actual implementation of the controls. So, as an auditor, you can look at that and say, “If I can trust the management system, I should, in theory, be able to trust the controls, so let me sample them appropriately to make sure.” Yeah. And listen, you and I are both fans of the whole framework. So one of the things which is interesting to me, talk a little bit about … because I see some differences here, which I don’t think we should, between registrars. How do you determine, as an auditor, how much time to scope, how much time you should be spending auditing an ISMS?

Ryan Mackie (15:11):

Yeah. And again, I’ll bring up other standards. For SOC, they don’t … For those that are familiar with the AICPA requirements, there’s really no determination of how much time you have to apply to a SOC audit. Okay? But the CPA firm is issuing an opinion, and with that, carries a lot of weight. And so if there’s some failure there, that CPA firm is on the hook. Right?

With ISO, we issue a cert, and unfortunately, that’s the only deliverable that a company’s customers are going to see is just basically full conformance. So what ISO did to make sure that they can level the playing field amongst all registrars is that they came out with, it’s 27006, specifically. And so within that standard, they have identified how much audit time, at a minimum, that we have to apply to a scope. And unfortunately, the only thing that they had to go off of is the number of persons in the scope. Right? And again, maybe there’s another way to do it, but this was the best effort that they had at that time. 

So they’ve got different ranges, different buckets. If you’ve got 10 people, it’s going to take six days. If you’ve got 200 people, it’s going to take 14 days. Right? And again, this is why we’re policed from the accreditation bodies is because we have to make sure that we can demonstrate that we applied that audit time to 27001 audit based off of 27006. Right? So you do have the opportunity to modify that audit time up to a certain extent based off of things like it might be a very simple scope. It might be maybe a few people in scope that basically do the same thing. 

So a law firm, for example, a law firm may have 1,000 people within scope, but 900 of those are attorneys. So it’s really who owns that risk within a law firm is going to be the IT function in compliance. Right? So you do have the ability to modify that audit time, but you still have to make sure you meet the objectives of what the audit is, and getting comfort that the organization can demonstrate that they have a management system that’s in place. It’s effective, and that we’re comfortable getting a cert out there with our name on it. 

John Verry (17:48):

Yeah. Listen, I’d like ANAB or UKAS, or whoever is above them, I think you mentioned it before. Who is above them? AFR, is that what it was or something? You mentioned another one.

Ryan Mackie (17:56):

Yeah, IAF. Yeah, yeah.

John Verry (17:58):

IAF, I would love them to tighten 27006 because you see ranges that are too high, and you have some, I’ll call them less quality ISO 27001 registrars that will low ball things. 

Ryan Mackie (17:58):

Sure. 

John Verry (18:15):

And they’ll use people and scope based on the number of people that are actually in the information security department that are actually working on the ISMS. 

Ryan Mackie (18:22):

Right. 

John Verry (18:23):

And then somebody else is coming in and doing it, I think, properly looking at IS, IT, anyone involved in the construct management, information security management committee, all of that kind of stuff. And you get someone who’s looking at it with 30 people in scope, and you’ve got somebody who’s looking at it with three people in scope. And now you end up with, I mean, honestly, occasionally, some half-ass audits. 

Ryan Mackie (18:41):

Yeah.

John Verry (18:41):

I mean, let’s do our … I had one the other day with-

[crosstalk 00:18:45] We were like, “Why are you guys charging so much for the internal audit, excuse me, for external audit support?” “What do you mean?” I said, “You got a couple of days.” “Oh, no, no. They’re going to do stage one in like three hours remotely.” I’m like, “What?”

Ryan Mackie (18:59):

Yeah, yeah. Yeah. 

John Verry (19:00):

I don’t explain that. 

Ryan Mackie (19:03):

And, John, I mean, it comes up all the time. I can’t tell you. And hopefully, I’m not saying the wrong thing here, but we’ll have prospects come in that maybe talk to other certification bodies, and we get an identification of what their scope is. And they say they’ve got 10 people in scope, but from their scope statement, it’s the entire organization. And I know that there’s more than 10 people that work for that organization. And so I’m trying to walk through, basically, what the organization has to identify. You dictate the time based off of where your risk points are. And those 200 people that work for their organization all are risk points. 

I mean, somebody doesn’t know what they’re supposed to do, and it’s a confidential document, and they just leave it hanging around an office. You have to make sure that the number of persons that you’re including within scope are those that you want to ensure that understand security awareness. They’re part of the risk assessment process. Everything that they’re supporting from a control or process perspective, they know what to do, how to do it. There’s policy and procedures there, and so that number goes up. It’s not just 10 people.

John Verry (20:19):

Yeah, right. And look, I mean, at the end of the day, with any framework, it’s the same, so it’s not an ISO issue. You’ve got some people that get a framework, or an attestation, a certification, a SOC 2, type II service orders report because they have to. And then you get other people that do it because they want to effectively manage risk. And if you’re trying to effectively manage risk and you get a low ball quote, that’s not going to help you manage risk because that external audit is a mechanism by which you validate the operation of the ISMS, that does effectively manage risk.

Ryan Mackie (20:50):

Yeah, yeah. 

John Verry (20:50):

Just be aware of that if you’re listening to this. You can get a low ball price, but the auditors all roughly charge a similar amount per day. So really, the difference is, ask the auditor how many days. If you want to normalize it, how many days are you doing, and then pick an auditor based on … Make sure that you’re doing an appropriate number of days to end up with the result that you’re looking for. 

Ryan Mackie (21:10):

Yeah, yeah. And, I mean, just to go off that in a different perspective, those organizations that really appreciate 27001 and do it right, when we come in and do the audit, we basically validate the management system is in place and effective. It’s your internal audit that is going to beat them up. That’s the beauty of an effective management system is that if it’s working the way it’s supposed to,-

John Verry (21:38):

It’s balancing.

Ryan Mackie (21:40):

… you’ve already identified all the issues. We just come in and make sure the management system is working. 

John Verry (21:45):

Yeah, and make sure we’re working. 

Ryan Mackie (21:45):

Yeah. 

John Verry (21:49):

Right? I mean, honestly, right?

Ryan Mackie (21:50):

Yeah, absolutely. 

John Verry (21:51):

I mean, part of your job is to give management assurance that the internal audit process is working, but you say, “Did Pivot Point, or your own internal team, whoever did your internal audit, did they know what the heck they were doing?”

Ryan Mackie (22:02):

Yeah. Yeah, absolutely. Yeah, I mean, I can’t tell you how much I appreciate when I come in and see an internal audit that’s just full of findings. That’s a good thing. That’s a good thing. 

John Verry (22:14):

And people don’t understand, and I always say to people, “No, you want some findings on your internal audit.” And you’re like, “Why would you want findings on my internal audit?” ” Because they’ve exercised the information security management system.”

Ryan Mackie (22:22):

That’s right. That’s right. 

John Verry (22:23):

“We know the corrective action planning process works. We know that the ISMS committee understands its obligations. We know that top management is involved in reviewing and validating the corrective action plans.” Right?

Ryan Mackie (22:33):

Yeah. 

John Verry (22:33):

I mean, it’s exercising the ISMS, and you want to exercise an ISMS the same way you want to exercise an incident response plan. 

Ryan Mackie (22:40):

Yeah. Yeah, and so our job isn’t to come in and find issues. Our job is to make sure that the management system is working. 

John Verry (22:47):

Yeah, and that’s a very interesting way to look at it, right? ISO says that the internal audit program, the security metrics, or the mechanism by which management validates the effectiveness of the ISMS could come in to validate that. 

Ryan Mackie (23:03):

That’s right. That’s right, yeah. 

John Verry (23:04):

Yeah, it’s actually really cool. So to that end, so now you’re coming in to validate, how deep a dive? In my mind, when you look at SOC 2, because they don’t have the management system to rely on, they do a deeper dive into the technical control. So if somebody has been prepping for an ISO audit, what is it that you’re going to do? Are you focused on the design of controls? Are you focused on evidence of operation, evidence of effectiveness? Is there a sampling frequency? Hey, if we got 80 people, we’re going to select three. Tell me a little bit about the construct of the audit. 

Ryan Mackie (23:36):

Yeah. And so if we’re talking about controls, there’s a couple of ways to go about it. Typically, what we do is we start with policy. We understand what the directive from management is with regards to whatever that control is, DR, logical access, operation security, whatever. Then we move to the procedures, and then looking at those procedures and understanding okay, so here’s the directive from management, here’s the procedure that was documented to make sure that the organization or whoever is responsible for that knows what they’re supposed to do. 

And then, we interview the control owners not knowing that, obviously, we’ve already looked at the policy and procedure. We want to make sure that they understand if we say, “Okay, so what are you supposed to do in this event?” They should know that, and that should match the policy and procedure. 

John Verry (24:28):

Right. 

Ryan Mackie (24:29):

We have to make sure that there’s an effective process there. Now, from a control sampling perspective, so say if we’re looking at access reviews. For ISO, you’re totally right. I mean, one access review may be completely sufficient for us to get comfort, but we’re also making sure that the policy and the procedure, and then the control owner who’s responsible for that process, that all lines up because that, to me, demonstrates that the management system is working. I don’t need to see four access reviews on a quarterly basis because then I’m just validating the control. 

I want to make sure that the organization understands as a whole what needs to be done, who needs to do it, when it needs to be done, everything else. And so it’s really a different approach to make sure that we can get comfort that the controls are in place and effective. To your point, though, we’re certifying a management system. We’re not certifying controls. This is not a SOC audit. 

If you have a very mature management system, risk assessment, internal audit, monitoring and measurement, everything that goes along with that, I’m going to do less control testing or sampling of those controls because I’m comfortable that your organization is already going to find those issues.

John Verry (25:45):

Right. 

Ryan Mackie (25:46):

You know?

John Verry (25:47):

Yeah, that’s one of the things which I always try to help people understand the difference between how you audit, so you just said that in an elegant way. We actually had another podcast where we covered that, but I thought you just did a great job explaining the difference. 

Ryan Mackie (26:00):

Yeah, I mean, and it goes both ways. I mean, if we start testing the management system and it’s just not that mature, we’re going to do more control testing. Because again, if we’re going to issue a cert with our name on it, we want to make sure that we’re comfortable that things are going to be working the way they’re supposed to. 

John Verry (26:18):

Gotcha. And then, if you’re not comfortable with the management system, we’re going to see a number of NCs, nonconformity issues.

Ryan Mackie (26:26):

Sure, yeah. 

John Verry (26:27):

Which is going to make you comfortable, right? Because you’re going to force them to … So that’s a good question. I don’t know if we actually had it in our agenda, so that’s a good question. In that management system review or that stage one, if you do have concerns about the management system, what happens?

Ryan Mackie (26:43):

Yeah. Well, we issue nonconformities. I mean, this is probably going to be maybe too much information, but the standards, they don’t require the certification body to issue nonconformities as part of stage one. We do. And the reason we do is because, first of all, the organization is required to provide a corrective action plan and correction for whatever we identify. So we know that they’re on the hook for fixing anything that we find, but also, it’s good practice because there’s a very good likelihood that when we get to stage two, we’re going to find nonconformities. 

So they’ve already gone through the effort of, “Okay, this is what I have to do with the nonconformity report, everything else that goes along with that.” It happens where, and it’s not too often, we’ll come in, and we’ll see a management system in stage one that’s just not ready for stage two. And in those cases, it’s most likely that we’re going to come in and do another stage one. We’re just going to say, “Here’s everything you need to fix. Let us know when you’re going to be ready.”

But by the time we get to stage one, the organization, they’re pretty smart, so they know that they’re under audit and that they’ve done their best to make sure everything is there. So it’s very possible things are going to fall out, and we’ll say … You brought it up before, confidentiality, integrity, and availability. Maybe it wasn’t included in the risk assessment as it should have been. Issue a nonconformity, they fix it. We come back in the stage two, we validate that they fixed it, and then we move on. 

John Verry (28:15):

You know what? I didn’t know that, which is funny for doing this as long as I have. I didn’t know that you weren’t required because the standard code of practice that I see happen is that, generally speaking, good registrars are going to issue nonconformities in a stage one and not proceed to stage two until they’ve reviewed and accepted the corrective actions plans-

Ryan Mackie (28:15):

Correct, correct.

John Verry (28:33):

… and in some cases, made sure the corrective action plans were already implemented, correct?

Ryan Mackie (28:37):

Yeah, yeah. Yeah, so with nonconformities, the requirement is that if it’s a minor nonconformity, we need to have, at a minimum, the corrective action plan in correction. Right? So they have to correct it. Remediation is something that might take a little longer. And if it’s a minor enough nonconformity, well we’ve got comfort that, for the most part, the management system is still meeting its objectives. We’ll just follow up with remediation in the subsequent review. Major is a different issue, though. 

John Verry (29:08):

Okay. Yeah. Well, majors are another whole story. 

Ryan Mackie (29:14):

Yeah. 

John Verry (29:14):

We’ll have a separate podcast on that. So we’ve covered a lot about that, so I think the registrar is an incredibly important part of the ISO process. What are some guidance, some tips for choosing a registrar? What are the key considerations that people should be thinking about? Because I don’t think it’s quite as easy as, “Oh, I like that guy.” Or, “That price was best.” Right? What are some of the areas that you would suggest people consider?

Ryan Mackie (29:43):

You know, it’s really hard because sometimes you just can’t get to the heads of the people who do make decisions. But the things you need to look for, obviously, is the maturity of that registrar. How long have they been around? How many audits have they undergone? Who is on their team, and how many audits have those team members performed? It’s really important to make sure that, because with ISO, as you probably know, when we go out there and do these audits, usually, it’s maybe one person from the registrar who’s actually going out there doing the stage one, doing the stage two. 

And so if your decision is solely pinned to one person getting comfort that either you meet the requirements or you don’t, you want to make sure that person, they know what they’re doing. They’ve been around the block a few times, right? In addition to that, obviously cost comes into play. I mean, you brought it up before. If we have an opportunity and cost is that much of a deciding factor, probably not a client that we want. You know what I mean? And I hate to say that, but their objectives are different. 

John Verry (30:53):

I agree with that completely.

Ryan Mackie (30:54):

You know what I mean? They look at that as it’s not a benefit to the organization. It’s basically a budgeted item. And that’s not what we want, so we make ourselves available to our clients year-round. And part of that is making sure that we have open communication, helping them out if they’ve got questions, sounding board. Obviously, certification bodies or registrars, they can’t do any sort of consulting work. I mean, it’s in the standards. It’s just not allowed at all, but we can act as a sounding board. We can say … As a matter of fact, I sit on the joint technical committee for ISO SC 27, which is responsible for the 27001 family of standards. 27002 is coming out with a revision. Right?

John Verry (31:40):

When is that?

Ryan Mackie (31:40):

It may be later this year or beginning in 2021, and it’s going to be a big one. 

John Verry (31:45):

Really?

Ryan Mackie (31:46):

Yeah, yeah. It’s very interesting, very interesting. 

John Verry (31:49):

I did not know that. 

Ryan Mackie (31:50):

And, John, this could be another podcast. So making that information available is not only helpful for us but-

John Verry (31:59):

You haven’t done that good a job in this podcast to do another one or any. 

Ryan Mackie (32:03):

Oh, shoot. 

John Verry (32:04):

If we get enough five-star reviews, if we get comments that say, “That Ryan Mackie was not only smart, but he was damn good looking.” 

Ryan Mackie (32:10):

Oh, boy.

John Verry (32:11):

If we get those kind of reviews, maybe you come back. But other than that, man, no way. 

Ryan Mackie (32:14):

Fair enough. Right. I’ll just give the information to Debbie, and you can have her on.

John Verry (32:20):

All kidding aside, we got a lot of really positive comments on Debbie’s podcast. 

Ryan Mackie (32:24):

That’s great. 

John Verry (32:25):

Yeah. I had one client that was smitten with her. He was like, “Oh, my God. That woman was charming and smart. Is she going to be on any more podcasts?”

Ryan Mackie (32:36):

It doesn’t matter what the topic is, right?

John Verry (32:39):

No, he wouldn’t have cared. 

Ryan Mackie (32:41):

Yeah, yeah. But I mean, it’s information sharing. It’s the relationship. It’s a big decision, you know what I mean, selecting a registrar. Yeah?

John Verry (32:53):

Yeah, I was going to ask you a couple of things, though, because it’s funny. I’m always intrigued, and I always wonder, I’m probably not as smart as I think I am. When I ask someone a question that I think I have a great answer to, and their answer is different than mine. Right? Because then, I’m thinking … And I know how smart you are. I’m like, “Crap.” So I have a couple of questions now for you. 

Ryan Mackie (33:14):

Yeah, okay. 

John Verry (33:14):

These are things that I say to people. 

Ryan Mackie (33:17):

Sure. 

John Verry (33:17):

One thing I always say to people is, “Are you just getting an ISO 27001 certificate, or where are you going?” Because I think that there’s huge value to consolidated audit, right?

Ryan Mackie (33:17):

Okay, sure. 

John Verry (33:28):

So if someone wants 27001, 27701, SOC 2, HITRUST, FedRAMP, and a C3PAO audit, and I can go to one auditor versus going to six auditors or how many that the standards spouted off, to me, I think that’s a huge value proposition. 

Ryan Mackie (33:44):

No doubt. I’m not going to disagree with you on that one. We’ve designed our services to be able to meet that, so we’ve got cross-trained team members for ISO, SOC, FedRAMP, PCI, everything else. Because, especially with 27001, when we do have the control set in play, there’s so much commonality between just the basics there. And so if we can use somebody doing a SOC audit that’s ISO trained, all the testing that they do for SOC we can apply to ISO. 

John Verry (34:18):

Right. And again, I always tell people, “It may not save you a ton of money, maybe a little bit.” But it’s going to save them a lot of time, right? Because-

Ryan Mackie (34:24):

Yeah, absolutely. 

John Verry (34:25):

Even if you’re … I’ve been involved in audits where your group has sent in two others because there’s enough disparate nature. But what you’re doing is you’re interviewing the same person at the same time. The common stuff is being asked all at once. They’re both using that, and then, just the separate thing. Again, you’re still being so much more respective of their time and effort. So instead of having their guys involved in five audits, their guys are involved in one audit. It’s a little bit more than if it was just one standard, but it’s still so much easier for them. 

Ryan Mackie (34:55):

Oh, yeah. And you brought up a great point in that. There’s that cost reduction that’s not just huge. 

John Verry (35:02):

[crosstalk 00:35:02] if nothing else.

Ryan Mackie (35:02):

But you have to look at everything and the amount of prep time. If you’re preparing for one external audit, that’s going to cover everything, the amount of time that you take away from your control and process owners, the reporting, a consolidated findings document. You know what I mean? And so it’s so much easier to have that, and I hate to say it, that one neck to choke. 

John Verry (35:30):

No, no, no.

Ryan Mackie (35:31):

[crosstalk 00:35:31] really bad. 

John Verry (35:33):

We say it all the time. We say it all the time when someone will say to us, “Hey, we’re thinking about getting ISO 27001 along with SOC 2. Hey, do you want to do one of them?” And we’re like, “No, we’ll do both of them, and you want one throat to choke, right?”

Ryan Mackie (35:33):

That’s right. 

John Verry (35:46):

We want to cover that with one consolidated internal audit, so same argument. So that was one thing that I was curious about. Second thing is that, and I think you said it, but you said it differently than I do. You said, and I agree 1,000%, are you personally available year-round? But the only reason that you’re personally available year-round is that there’s two schools of thought, at least from my perspective, I see with registrars. Some employ full-time auditors on staff. And some use 1099s. 

So your ability to provide that year-round support is because you employ your own auditors. And there’s a continuity of audit, and there’s a continuity of availability where somebody else … It might be a lower cost audit, and that’s their value prop, right? Because they’re paying a 1099 for the one day or two days, three days, whatever it is that they’re there, but there’s no guarantee that 1099 guy is coming back the next year. Oh, and he’s definitely not going to be available til midyear when you have a question as to whether or not we’re moving towards this certification as well, should I do this or do this?

Ryan Mackie (36:45):

Yeah, yeah. And not only from the ability to have that continuity, really grow that relationship between the organization and maybe even the auditor. I mean, we’ve got auditors that have been doing the same audits for organizations for five, six years. But also, it’s the structured and unified approach from a methodology perspective. When you have a staff like we do to go out there and do audits, they’re all doing it with the same directive that we’ve got. They’ve all been trained. And we’ve got-

John Verry (37:23):

There’s a consistency. 

Ryan Mackie (37:23):

… monthly meetings. 

John Verry (37:24):

Right. 

Ryan Mackie (37:24):

And you lessen that risk that you’re going to have somebody come onsite that basically is … I’m not going to say that they’re going to wild west the thing, but you don’t know what you’re going to get. You know what I mean?

John Verry (37:40):

Listen, and this will sound self-serving. One of the reasons that I like Schellman as an auditor, and Schellman, for the record, is our internal auditor. And you mentioned the fact that we’ve had consistency. We’ve had Jay who was an audit manager on our account for four or five years, and [phonetic 00:37:57 Bahgrab], who’s one of your lead auditors, has been on our account for like three years. And it’s actually nice because he cycles in as somebody to support him on each audit, so you have the benefit of the consistency. He knows who we are. He knows where everything is. He knows what we’re doing. And then, he’s got somebody else there who pokes at different things so you have a different third-party’s perspective, which is also valuable.

Ryan Mackie (38:19):

Yeah, and the thing is, like I said, the real value proposition there is that familiarity. And I understand that there’s a risk there. People can say that “Well, there’s a familiarity risk.” But I can’t tell you how many times we’ve gone in and done an audit, and as we’re looking through things, we say, “Wait a second, two years ago-“

John Verry (38:34):

This wasn’t the way-

[crosstalk 00:38:36]

Ryan Mackie (38:35):

… “you had this GRC tool or the ticketing system. Where’s that?” “Oh, yeah.” Or, “We forgot to tell you we got a new system, and this is …” It’s really beneficial for the organization to have that relationship with that auditor. 

John Verry (38:53):

Right because change is risk, right?

Ryan Mackie (38:55):

Oh, sure. Oh, absolutely. 

John Verry (38:55):

When you architect a perfect information security management system, if nothing ever changed, your information in the security management system has never changed. When context changed, this clause four scope, when context changed, that’s when risk changes. So one of the advantages of having a consistent auditor is just they see a change. I don’t know if you guys do it this way or the way my brain works. If I see a change in the environment, I go to the risk assessment. 

Ryan Mackie (39:19):

Sure. 

John Verry (39:20):

Was that change accounted for on the risk assessment?

Ryan Mackie (39:22):

Yeah. 

John Verry (39:23):

Now, if it wasn’t accounted for on the risk assessment, you’re a value add right there because you can turn around and say, “A new auditor would not know that they’re not using the risk process well.” Right?

Ryan Mackie (39:32):

Yeah. 

John Verry (39:33):

So right there, you actually know that, so yeah, I agree with you. And I think we’re like-minded because we employ much the same way you guys have this option where you compete against registrars that use 1099s. We compete against consulting firms that use 1099s. And there’s pros and cons to both, I mean, I get that. 

Ryan Mackie (39:50):

Yeah. 

John Verry (39:51):

To your point on the third parties and wild, wild west, I’ve been involved in some wild west audits. I’ve lost clients over wild west audits because they’re flying people in from Brazil who don’t speak English and get adversarial, and management throws them out. I’m on the phone navigating with the … That being said, in fairness to those firms, some of the best audits I’ve had have been 1099s, so you can get a great audit from a third party that’s using 1099s. You just don’t know what you’re going to get. Where, with somebody like yourself who employs your auditors and has been doing this a long time, we get a better sense of, “Okay, there’s a consistency there. I know what I’m going to get.” The chances of it going wild, wild west are incredibly small where they’re small over here.

Ryan Mackie (40:42):

Yeah, absolutely. Yeah, absolutely. And there’s the skin in the game. I mean, from an auditor’s perspective, you get a 1099 auditor or a consultant, and hey, if it didn’t go well, that’s no big deal. They’re gone, right? We’re on the hook for delivery in the staff that we have out there, and so we have to make sure that they’re doing what they’re supposed to be doing, and client service is a big part of that. 

John Verry (41:09):

Right. So anyone who’s listening to this podcast by this point in time, knows that there’s a mutual respect between myself and Ryan, and between Pivot Point and Schellman. And we actually have a lot of the same clients, so a lot of our clients will use you as registrar that they’ve used us as consultant, and we might do their internal audits, things of that nature. So one of the questions I always get asked as a consulting firm is people will say to me, “Hey, is there a particular firm that you ‘work best’ with?” As if we have sway with the registrar like we can get them a certificate without doing all the right things. I’m curious. You probably hear the same thing. 

Ryan Mackie (41:49):

Oh, sure. 

John Verry (41:50):

So from your perspective, right, how does a registrar maintain an appropriate relationship with a consulting firm or a client to prevent that kind of, frankly, bullshit from happening?

Ryan Mackie (42:00):

I don’t know. I mean, I wish I had a good answer for you, John. I mean, I know what we do, I mean, obviously. The function that you guys provide is an extension of a client. You’re the client. You know what I mean? And so we’re treating you no different than we would treat the client. What you do is making sure that they can get certified, and you’re implementing a very effective management system and everything that goes along with that, no different than if the client would be doing that themselves. So from that perspective, it would be basically asking, “How can you have independence from a client if you’re going to go ahead and get certified or certify them?” 

Like I said, we treat you as you are just an extension of what that client is. From an independence perspective, we are very, very strict with regards to not doing anything in the realm of management system consulting. We never want to be on that list. We never want to hear anything about it, and so we’re very diligent to make sure that the communication externally is just we don’t do anything. We’re just the audit firm. We come in, and we do the audit. Yeah, and so for clients that may ask you what’s the easiest path to certification, I don’t know. 

John Verry (43:21):

No, there is one. 

Ryan Mackie (43:24):

I don’t know. 

John Verry (43:25):

I actually had a client say recently to me, “Hey, this registrar,” I won’t name a name, “they said they’ve worked with you guys before, and you’re pretty good. Does that … a little bit easier.” And I said, “No, it actually means it’s going to be harder.” And they’re like, “What do you mean? We thought they liked you.” Yeah, but when they know is good, right, you’re going to get their best game. You’re going to get their feedback because we help each other. People think that the registrar and consultant’s relationship is somehow … 

Realistically, when you have a good consultant and a good registrar, the standard allows us to have conversations as an extension of their team, right? And make sure that if we need guidance, if we need clarification of your audit program or what you’re going to do. And what I find with the best registrars, and you guys are definitely in that category for me, is I’ll get a phone call from you. I’ll get a phone call from one of the other partners. And you guys will say like, “Hey, on this particular engagement, this, you could have been improved.” Right?

Ryan Mackie (44:36):

Yeah, yeah. 

John Verry (44:36):

I honestly think you guys hold our feet to the fire a little bit harder because you know us, and honestly know that we want that. Right? I’ve got to be honest with you. We want to do the best possible job for our clients, and I’m one of those people, and you can ask Bahgrab. When he comes in for the internal audit, the first thing I say to him is, “I want every nonconformity you can find.” Right?

Ryan Mackie (44:56):

Yeah. Oh, absolutely. 

John Verry (44:57):

If there’s an OFI, write it up as a nonconformity. And he’s like, “Why?” I said, “Because if it’s OFI, we’ll probably ignore it.” Well, I can ignore it. “If it’s a nonconformity, you’re going to make me fix it.” And I tell them the same thing with our audit process, you know? I love when you guys are hard on us because it makes us better at our game. And if you’re not trying to get better at your game, if you’re not trying to continue to [inaudible 00:45:17], why you bothering? Why you doing this? You’re not being a service to the clients anyway, right?

Ryan Mackie (45:20):

Yeah, clause 10. Yeah. 

John Verry (45:22):

Yeah, exactly. Exactly. So I think we beat the hell out of this pretty good. Anything else missed, anything else you want to cover?

Ryan Mackie (45:30):

No. No, not at all. Like I said, it’s a great standard, so when using the standard, the growth has just been tremendous over the years. And there’s always opportunity to improve. Even if you’re certified for four or five years, take advantage of the management system. Let it work for you. I mean, that’s what it’s there for. 

John Verry (45:56):

Yeah, sorry. Go ahead. 

Ryan Mackie (45:58):

No. 

John Verry (45:59):

I was going to say actually, I don’t think your management system really starts to improve-

Ryan Mackie (46:04):

Oh, I agree.

John Verry (46:05):

… until your third or fourth year. I mean, I got to be honest with you, and you would think we should know better. We’ve been certified now. This is our fourth year that we’ve gone through external audit. First year, we were like everybody else. We build the ISMS. We’re all excited. We’re ISO certified. And I’ve told this directly to clients, we sort of forgot about it for a year. And suddenly it’s like, “Oh, crap. Yeah.” We had some nonconformities on our first surveillance audit, and then you’re like, “Okay, we built a great management system, but we didn’t fully operationalize it.”

Ryan Mackie (46:05):

Yeah. 

John Verry (46:39):

So then we concentrate in year two on operationalizing it, and it got a lot better. And then we got to a point where, “Okay, now this is actually running pretty good.” And you start to get proud of it, and then you say, “But it’s not improving.”

Ryan Mackie (46:51):

That’s it.

John Verry (46:51):

When you’re really-

Ryan Mackie (46:52):

You’re totally right. 

[crosstalk 00:46:53]

John Verry (46:53):

So it really took us to about the third, fourth year, and I always pitch this to clients. I’m embarrassed. This is the cobbler’s children going shoeless. Is that, to me, the measure of a great management system is one where the objectives are being updated on an annual basis because that’s the plan. I can see the objectives reflected in the risk assessment, and I can see the objectives reflected in the security metrics. Right?

Ryan Mackie (46:53):

Yeah. 

John Verry (47:17):

So the risk assessment says we’re not doing a great job with third-party risk management. The objectives say we want to improve the third-party risk management program. The metrics say we want to get through 50% of the high vendors through our vendor risk management program. 

Ryan Mackie (47:31):

Yeah. 

John Verry (47:31):

That’s it. Unless you’re getting to that point, and I don’t see many people get there until that third, fourth year really. 

Ryan Mackie (47:38):

And we say the same thing. I mean, you’re so spot-on. And it’s such a relief, such an accomplishment to get certified. And then, it’s like reaction mode for the first two years where you have your checklist. 

John Verry (47:57):

You spent 11 months celebrating, smoking cigars and-

Ryan Mackie (47:59):

Oh, my gosh, what do we need to do? What do we need to do? And then, as you mentioned, once you operationalize it, it’s a process. It’s part of the organization, but you get to that point where you look in the mirror thinking, “We haven’t really done anything better than what we did yesterday.”

John Verry (48:18):

That’s exactly right.

Ryan Mackie (48:20):

I mean, we went through the same thing. I mean, like I said, we have a management system because we’re required to, and it was always going through the routine, going through the efforts, everything else. A couple of years ago, all of a sudden, it was the spotlight, and we said, “Hey, you know what? We can actually … Let’s put this in the risk assessment and then actually have it go through the process.” So you’re totally right. And clients that understand and appreciate that, and maybe they’re already there, know that and knows who may not be there. You got something to look forward to. 

John Verry (48:55):

Yeah, and I think the biggest thing that if you could jumpstart that process, it would be operationalizing the information security management system either right after or as you stand it up. And you can do that through a GRC tool. You can do it through a help desk ticketing system. You can do that through a project management tool. 

Really where we started to turn the corner is when we looked at our own clients, and we said, “We’re doing a crappy job. How do our better clients do it?” I mean, I hate to admit this, but we actually used our clients as consultants to say, “Hey, we’re not doing as good a job running our … We’re great at standing it up. We’re not so good at running it ourselves. How did you?”

And it’s funny because now that we’ve gotten better at running our ISMS, we’re better at helping our clients run their-

Ryan Mackie (49:38):

[crosstalk 00:49:38] Oh, totally. Absolutely. The familiarity that comes along with that, yeah, no doubt. Yeah. 

John Verry (49:43):

Yeah. Alright, so we always like to have a little fun before we last. So an amazing or horrible CISO, so give me a fictional character-

Ryan Mackie (49:51):

Yeah, sure. 

John Verry (49:51):

… real character that you think would make either an amazing or horrible CISO running their ISO 27001 ISMS.

Ryan Mackie (49:56):

I put a lot of thought into this one, and so I’ve got two. I’ve got an amazing and then a horrible one. 

John Verry (50:03):

Okay. 

Ryan Mackie (50:04):

Amazing, personally, from my perspective, I think it would be Tim Tebow. 

John Verry (50:10):

I always love people’s answers. It’s so funny. I’m staying at somebody’s house. There’s a Tim Tebow book on the bookshelf, and I was like, “Somebody wrote a book on Tim Tebow.” Maybe I got to look and see if there’s anything-

[crosstalk 00:50:22] CISO in it. Okay, tell me why Tim Tebow would be a good success.

Ryan Mackie (50:26):

Well, he’s good in everything. He can do anything. I mean, all he needs is himself, and he’ll get it done. No, you know. And then horrible, you might know. It’s Bigfoot, or a Sasquatch, or the Yeti. Any one of those that you can reference is just never there. You just don’t know if the guy is there or not. I mean, there’s pictures of him. There was a picture of him one time walking in the woods. And then, is he real? Is he not real? What does he do? What’s he here for? To me, that would be just the worst CISO.

John Verry (51:03):

So I’m debating whether or not I should tell you this story, or I should make you go to the link on a website. No, no, no. 

Ryan Mackie (51:08):

Okay. 

John Verry (51:09):

I have a picture on our website of Bigfoot that I took. I think it’s Bigfoot. And I know that’s going to sound absolutely crazy. Years ago, I mean, this was 25 years ago. My wife was in Sacramento on a business trip, and I was an Ansel Adams fanatic. I did a lot of darkroom photography. I did a lot of black and white film. I had all the filters, I had all the lenses, I had everything. I love taking black and white photographs. Of course, I wanted to be Ansel Adams, and I looked on a map and saw she was right where Yosemite is, which is where El Capitan, and Moon Over Half Dome, and all his most famous pictures were taken. I jumped on a plane, flew out there, and for the weekend, we went out to … And I’m doing nothing but taking picture after picture. 

So we’re up in, I think it’s called Mariposa, which is like this area that’s all these giant Sequoias. I mean, big enough to drive a car through kind of thing. I’m on this dirt road, and it’s dusk, and it’s beautiful. There’s these beams of light coming through just holes in the forest lighting up these areas, and I’m taking picture after picture. I’m like, “Oh, my God. I’m going to be famous as a photographer, and I’m not going to be talking to Ryan 20 years from now.”

Ryan Mackie (52:19):

Right, yeah. 

John Verry (52:19):

So what happens is, we’re driving along, and my wife’s like, “It’s getting dark.” This is kind of like we’re deep here. We’re like in wilderness. There’s no one around. She goes, “Let’s get out of here.” I’m like, “Alright, one or two more pictures, one or two more pictures. Oh, this is so good. I’ve got to get this picture.”

So I open up the car door, and I step out. And something hit me like I’ve never been hit before, this just abject fear, and I jump back in the car and locked all the doors. And my wife looks at me, and she says, “What the hell is going on.” I’m like, “I don’t know.” She goes, “You’re scaring me. Let’s get out of here.” I’m like, “No, I’ve got to get this picture.” She goes, “You’re scaring me. Please, can we leave?”

So I’m like, “I really want this picture.” And I suck it up, and I climb out, and I take the picture that’s over the door like this. And I’m like, “Oh, I got my picture.” We drive away. So it’s like a week later, and I’ve done all the development. I had somebody do … I developed the negatives, but I had someone do bulk printing because just the printing part is a lot because I had hundreds of pictures. And I’m at my in-laws’ dinner table, and we’re looking through these pictures, and it’s pack after pack. And my father-in-law and my mother-in-law were, “Oh, this is nice. This is nice.” And I’m looking at the pictures, and I am an abject failure. These are horrific pictures. 

Ryan Mackie (53:32):

Sure, yeah. 

John Verry (53:33):

My dream of being Ansel Adams has been crushed, and I know it. And I’m just like, “Oh, my God. I don’t know a damn thing despite all the books I’ve read, all the studying I’ve done.” So I go and lay on the couch, and I’m despondent. And all of a sudden, my father-in-law goes, “What the F is this?” And he goes, “Is this Bigfoot?” I come running into the kitchen, and there’s this picture of this thing walking across the road like this. And the road is … I calculated it out. It was 22 or 25 feet across based on the fact that we drove. You could see car tracks. I calculated it all out. And there’s something which is seven feet tall crossing the road, and it’s the classic picture with that weird stance that they’re in. 

And I’m like, “Holy …” But this was 25 years ago before there was an internet, before there was … And this is before you had a way to tell people, so I just tucked the pictures away, and it was just a great story I would tell when I got drunk somewhere, which was pretty often. And I lost them. And I was moving some boxes, and something fell out. And it was the negatives, so I went and got them redeveloped. 

Now, of course, they’ve degraded over the years, but I redeveloped it. And unfortunately, it’s degraded a little bit before, and it wasn’t that great a picture anyway. But it was good enough that I actually wrote a blog and put it on the website. 

Ryan Mackie (54:52):

No. Okay, yeah. 

John Verry (54:53):

So now I’m going to have to relabel the blog, the virtual CISO, this is Bigfoot, our virtual CISO. 

Ryan Mackie (54:58):

Right. That’s right. Yeah, yeah. Oh, man. 

[crosstalk 00:55:01] I got to check it out. Is it on the site?

John Verry (55:03):

So Jeremy and our editor, feel free to cut the whole story out. I’m sure very few people really want to hear my bullshit story. And definitely put the farewells above the bullshit story, so in case anyone wants to get in touch with Ryan. Ryan, if somebody wanted to get in touch with you or Schellman, wanted to get advice with 27001 or any of the other wonderful stuff you do, how would they do that?

Ryan Mackie (55:27):

Well, I mean, there’s our website, schellman.com. My email address is Ryan.Mackie, which is M-A-C-K-I-E @schellman.com. More than happy to help any way we can. 

John Verry (55:38):

Cool. Thank you, sir. 

Ryan Mackie (55:40):

Yeah. 

John Verry (55:41):

Always enjoy the opportunity to chat with you. 

Ryan Mackie (55:43):

Yeah. No, John, it was great. Really appreciate the opportunity to be included in this. Great conversation, definitely loved it. Yeah. 

John Verry (55:51):

Same here, man. 

Narrator (56:00):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security, so if there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.