September 14, 2020

Last Updated on January 15, 2024

Many organizations seeking ISO 27001 certification face other cybersecurity compliance audits as well, like SOC 2, ISO 27701, HITRUST, FedRAMP and/or CMMC.
If that applies to your company, consider the benefits of consolidating your cybersecurity audits so they happen at the same time with one registrar/audit firm.

Streamline your activities to save considerable time and money.

“If I can go to one auditor versus six auditors, I think that’s a huge value proposition,” said John Verry, Pivot Point Security’s CISO and Managing Partner, on a recent episode of The Virtual CISO Podcast. John’s guest was Ryan Mackie, Principal and ISO Practice Director at leading audit firm Schellman & Company. Both John and Ryan are certified ISO 27001 Lead Auditors.
“We’ve designed our services to be able to meet that, so we’ve got cross-trained team members for ISO 27001, SOC 2, FedRAMP, PCI and everything else,” notes Ryan. “Especially with ISO 27001, when we do have the control set in play, there’s so much commonality between just the basics there. So if we can use somebody doing a SOC 2 audit that’s ISO trained, all the testing that they do for SOC we can apply to ISO.”

John notes that he’s even seen two auditors from Schellman interview the same person at the same time and apply the conversation to two separate audits: “The common stuff is being asked all at once, and they’re both using that, and then asking the separate things. … Instead of having their guys involved in five audits, their guys are involved in one audit. It’s a little bit more than if it was just one standard, but it’s still so much easier for them.”

“If you’re preparing for one external audit that’s going to cover everything—the amount of time that you take away from your control and process owners, the reporting, a consolidated findings document…,” Ryan replies. “And so it’s so much easier to have that (and I hate to say it) one neck to choke.”
With third-party consultants, the time/cost benefits are similar. For example, Pivot Point Security frequently performs consolidated internal audits that cover ISO 27001 and SOC 2, or ISO 27001 and PCI, etc.
If your company is preparing for (or contemplating) an ISO 27001 audit, the episode of The Virtual CISO Podcast with Ryan Mackie will be of enormous value to you.