May 22, 2019

Last Updated on January 19, 2024

I’m a football geek. This means two things:

  1. A significant portion of my Sundays throughout the year are completely booked; and
  2. Relating concepts to football is a sure-fire way to help me understand just about anything.

I recently jumped on a call with a potential client looking for help to achieve ISO 27001 certification. We spent the first 10 minutes talking about football, and then I started to explain the process of building an ISO 27001 certified Information Security Management System (ISMS). This is what came out…

ISO 27001 Scope/Risk/Gap = The NFL Offseason (Before Free Agency and The Draft)


The NFL offseason is all about figuring out what you have to work with in your organization: the people (players, coaches, scouts, staff) as well as skills, talents, strengths, and experience that make up your team. In the case of an ISMS, this is what we call Scope. What are the people, processes, technology, software, and assets that act on the information in your organization? It’s hard to know where to go if you don’t have an idea of where you are.


NFL GMs also need to understand the risks associated with any of these pieces of their team (anything in scope). This involves knowing which players are carrying injuries over from one season to the next, how much depth they have at each position, which players’ and coaches’ contracts need to be extended, modified, or canceled, how much cap space is left on the books, etc. Managing risk is as central to running an NFL team as it is to running an ISMS.
ISO 27001 requires that you conduct a Risk Assessment covering all the people, processes, and assets that are in scope. The output of the Risk Assessment details the risks identified, the significance of each risk, and whether each risk requires additional treatment to reach an acceptable level. This lets you see where your risk exposure is greatest and create a plan to move forward.


The offseason is where GMs look at what they have (scope), where they are vulnerable (risk), and develop a plan or “roadmap” to get from where they are to where they want to be (gap). Information security runs the same way. In the 2017-2018 season, my Philadelphia Eagles showed how important the backup Quarterback position can be. Carson Wentz went down with a season-ending injury in Week 14, but GM Howie Roseman had Nick Foles as his backup plan. We all know how that ended. Foles had just been signed as a Free Agent over the offseason (in what may have been one of the best offseason moves in Eagles history) as a risk-mitigating factor against Carson Wentz’s injury history. Roseman recognized a high-impact risk and put a plan in place to mitigate it.
You may not have a clear vision of your scope/risk/gap for your ISMS right now, but that’s what the ISO 27001 framework helps you develop. ISO 27001 guides you to create the vision and subsequent plan to reach your goals. When you understand what’s in scope, the risks you are exposed to, and the gaps between where you are and where you want to be, it’s time to execute.

ISO 27001 Execution – NFL Free Agency and Draft

The best-run NFL teams consistently “win” the offseason game. This is where a clear understanding of risks and gaps proves valuable. Landing the right players in free agency and the draft, building an offensive and defensive playbook that caters to the strengths of the team, and constructing a coaching staff that brings the best out of each player means the team has executed on the plan management set forth to achieve its vision.
ISO 27001 execution is handled the exact same way. Executing the tasks outlined in the Risk Treatment Plan and Gap Assessment brings an ISMS from status quo to its desired state. As in football, an essential part of executing your plan is bringing in the right resources and expertise to make it happen.

ISO 27001 Internal Audit – Training Camp and Pre-Season

Before an NFL season begins, each team has a vetting period to determine how all of its offseason moves (execution) have improved the team. Training camp and the pre-season are the chance for a team to test its players, coaches, playbooks, etc. to make sure they are prepared for prime time.
An ISO 27001 Internal Audit serves the same purpose. Before a registrar comes in for the certification audit, an objective third party with appropriate expertise (like Pivot Point Security) will assess your ISMS. Have you demonstrated Top Management’s commitment to ensuring the effectiveness of the ISMS? Have you accounted for all the risks associated with what is in scope? Are you positioned for a successful Certification Audit? This is your chance to uncover any loose ends before each artifact really counts and achieving certification is on the line.

ISO 27001 Certification Audit(s) – The NFL Season

All the preparation in the offseason, training camp, OTAs, and pre-season has led to this point. It’s time to prove you prepared your team for success.
The ISO 27001 Certification Audit is the “put-up or shut-up” moment for your ISMS. Like the internal audit, you will need to demonstrate that you have done what you committed to and provide documentation.

ISO 27001 Maintenance and Continuous Improvement = The NFL Offseason (Again)

The real key to effectively running an NFL team is continuous improvement. How can we build off last year’s successes and remedy its failures? What do we need to keep, change, or scrap altogether?
You will ask yourself the same questions after you receive your ISO 27001 certificate. Running an ISO 27001 certified ISMS is an ongoing effort. Certification is a significant accomplishment on the journey to maintain your ISMS, but it is by no means “the destination.”
Like any NFL team, an ISMS is always changing. New vendors, new client contracts, new regulations, new products or services, etc. all change your scope and require you to update your Risk Assessment. It’s your job to adapt to these changes, and that is exactly why an ISO 27001 certified ISMS is so valuable. It gives you the framework to manage these changes on an ongoing basis and to prove that you’re doing so.
May is a rough month for an NFL fan, but I’m sure I’ll manage. If you need help achieving an ISO 27001 certified ISMS (or just want to talk some football), reach out! [email protected]
