So what you're going to see here is how I see governance, risk and compliance working, and how 27001 sits within that governance, risk and compliance framework. When we're doing a 27001 implementation, normally people are going to be doing it because they've been driven by a commercial requirement. We'll come back to that as well. So what they want to understand is how it fits.

What we have when we develop a governance, risk and compliance framework is that we're doing it more generally. So we are going to implement specifics for 27001, but we are going to try and put something in that's a little bit more general. I'll do that so I can see you. It'd be awkward when you record it because it's going to be recording you, recording me, recording you, but anyway. So yeah, we're going to put in something that's a little bit more general.
So this will apply no matter what standard you're implementing, and technically it would apply if you were doing a data protection implementation. You know you're going to be doing 9001, PCI DSS, SOC 1, SOC 2, whatever it is. What all of the standards and all of the frameworks are looking for is that senior management buy-in. So what we have at the top level is senior management, and senior management needs to set the direction of the organisation. There are things that we can do to help to evidence that (we'll talk about role in a little while), but what you're hoping for is that when you go into an organisation there is a culture of top-down leadership, that there is top-down buy-in. You are going to struggle in any organisation where your engagement is either C-level or even below. So if the demand or the requirement is coming from, like, a product manager, a development manager, a network manager, or even the head of ops on his own or her own, then you are going to struggle with it, and it's mainly around politics; it's going to be around budget; it's around getting buy-in and resources to do what it is that needs to be done. So in very, very practical terms you need that senior management buy-in and leadership from the top. If I'm engaging on a project, I want at least one of those senior members sitting in on my management meetings, and we'll talk about them as well as we go. So senior management sets the direction. Underneath that, we're going to implement the concept of a management review team.
Now, some companies have this already. This terminology will come up time and time again. Depending on the size of the organisation, there may be an existing structure that you can hijack and jump off the back of.

Even in those environments, even in larger organisations, I'm still minded to create what I call a management review team. Okay. So what the management review team does is ensure that things get done. Now, when I build a management review team, I'm going to share with you all of the templates and documents as we go through.
When I set up a management review team, I want on that management review team a representative of each area of the business, ideally. So I'm looking for somebody from HR. I'm looking for that one senior leadership manager that's going to buy in. I'm looking for representation from IT. If I've got a software development function, I want somebody from software development; call centre; ops; whatever it is. So it depends on the size of the organisation. Now, in a smaller organisation it might only be two of you, and that's fine too, right? But we've just got to have this structure. Now, the standard is going to call for that as well. So it's going to say, right, I need you to demonstrate certain things. I need you to demonstrate clearly buy-in, and this is one of the ways that we do it. We want to demonstrate communication. We want you to demonstrate things like continual improvement. So there are a number of things that need to happen that this management review team is going to satisfy.

And again, we haven't even really got to a standard yet in those principles. So we've got this management review team. So what do they do?
So they oversee and they approve policies and procedures, at the end of the day. That is on the left hand side of this cycle; that is what that management review team is doing. Depending on the size of the organisation, they may be doing the doing, so they may be writing it and then they may be improving it. That's fine, that's fine. But there's a conceptual separation: the management review team oversees and approves policies and procedures. In our world, or in my world, from a practical perspective, I separate out for the client policy and procedure. A policy is a statement of what we do. A procedure is a statement of how we do it. And I separate those.

Now, what you find when you go into a client is you're going to find a mix. So if they've tried to do it themselves, or depending on where they're coming from, you might have some policy statement mixed in with some process statement, and it can be a little bit messy. OK, a couple of reasons why I want to do that.
The policy, about what we do, if you think about it from a hierarchical point of view, is going to be set by the leadership, right? The management, they say, what do we do? Oh, we do antivirus on every machine. Antivirus reports up to central management. Antivirus is set to auto disinfect.

We want anti-malware. We want decentralised, managed antivirus. So it's a statement of what we do. It doesn't say: we use Symantec; we log on; we download definition files every 24 hours; we set auto scan to run at 7:30 in the morning; if an alert comes in, it goes to Bob in IT at this email address; Bob in IT then does this and raises a ticket with IT. So it's a complete separation. What that allows us to do is to say we can give Bob the framework for him to record what he does, and we can give the managers the framework to record at a high level what we do.

Bob is doing how we do it. What you're also going to find is that pretty much every client that your client engages with wants policies. So what they're going to say to your client is, I want a data protection policy.
I want a clear desk policy. I want a working from home, bring your own device, change management, software development policy. So what we want to be able to do is build our policy suite in such a way that it makes their life easier, right? It'll kind of make the client's life a little bit easier, but it's all about making the requester's life easier. So if they say, have you got a software development policy? Of course we have. Here you go, bang. And it's written in a way that looks like a software development policy. They can understand it and they can respond to it.
So we've got these policies that say what we do. What we haven't then included in them is all this personal information, right? All Bob's email addresses in there. Yeah, we've got a business continuity policy, and it said, all right, this is our emergency call tree, in the policy. I can't share that as part of a due diligence onboarding with a third party. So we've got these policies, what we do. We've got procedures within our organisation about how we go about doing it. And when we've got policies and procedures, we apply those to staff and third parties on the left hand side. So we can't expect staff, employees, you, human beings to do the right thing if we don't tell them what it is that we expect them to do. Yeah. So it's part of that communication framework. So it's this governance, risk and compliance.

So we've got our policies and we're going to apply them to staff, and staff and third parties are going to operate them. And hopefully everything is going hunky-dory. Now, our policies and procedures, for your knowledge, are based on risk. So policies and procedures are based on risk.
We're going to take a step back for a moment. When it comes to implementing a standard, there are typically two approaches: risk-based and rule-based. 27001 is a risk-based model, and I like it for that reason. So what 27001 says is, when it comes to controls, you are going to operate the controls that are appropriate to your business based on your business's risk, to a level that is appropriate to your business and your business's risk appetite.

So it could be the situation that you don't have certain controls in your organisation. It could be that you have controls in your organisation that other people would deem to be not sufficient. So I'll give you an example.

27001, as one of its controls, says you have a password management system. It doesn't say what that password management system is; you define it. So you could say our password management system is one character long, we never change it. It's our risk, it's our risk, we deemed it, it's our risk.

Now I can show you how you would have to manage and report that and how you'd have to control that, but the theory stands. You also have rule-based systems, right. Rule-based systems are Cyber Essentials, PCI DSS, to some extent SOC. What a rule-based system says is you will have this control to this level, and if you don't, you will fail. There are no ifs, no buts, nothing around it, right. So it is within the realms of possibility in a risk-based system to have quite a weak control framework and still certify and pass, whereas in a rule-based system you're going to be governed by whatever the rule is.

It's yes or no, black or white, tick or fail. But either way, I say our policies and procedures are based on risk. So what it is that we do as a business is based on our business's risk appetite, and how we do it is going to be based on risk as well. When we have policies and procedures, they are subject to audit.
They're going to get checked, and they're going to get checked a lot. So as a function, we have to perform internal audits on our organisation at least annually. When we deep dive into some of these areas, you'll see some of the caveats, but I'll touch on it now. If an auditor asks you a question, how have you devised your internal audit plan? The answer is always: based on risk. Now, the reality may not be that. And again, we'll touch on that later.

But what they want to see in an internal audit plan is that the things that are the most risky to your business are being audited, probably more than once. Okay, right, so you're going to audit based on risk. If, I don't know, I'm in a high transaction environment for financial services and, say, capacity management was an issue, then that might be an area that I audit every month just to keep an eye on it and make sure that all the controls are working. So we've got policies, we've got procedures based on risk; risk has defined the level that we're going to implement them at; and then we're going to audit them. We're going to internally audit them. You can internally audit with your own staff, with your own self. Like, the head of IT could internally audit it. It's got limited value to it.

What we would say as part of our implementation is ideally you want somebody with a level of independence: either somebody in the business whose job it isn't normally to operate that process and procedure, or, in our best case scenario, bringing in a consultant like us. When we've got these policies and procedures that staff are operating in the middle, what you can see is they've got incidents. Now what is an incident? An incident is a deviation from a policy or a procedure. So in audit terms they'd call it a non-conformity, right. So what do I mean by an incident?
It could be that a policy says what we do and actually we're found not to do it, or a procedure says something and we've not followed the steps within the procedure. So typical incidents, right? People leaving a laptop on a train, that's an incident. An outage of your system for 30 minutes, that's an incident. It's a deviation from the norm. I had a call yesterday with a client.

They had outsourced account provisioning to a support company, an IT support company, and they discovered that the IT support company had been cloning IDs rather than creating them from scratch. They'd been cloning senior managers' IDs and allocating them to new starters. And new starters, therefore, had all the access rights of the senior manager. And this had been going on for some time. Deviation from the norm, right?
So things will go wrong. And that's fine. We expect that, right? There are always going to be things that go wrong.

So I'm going to perform my risk assessment, I'm going to do my internal audit, and incidents: things are going to go wrong. That bit in the middle leads into your continual improvement.

So we're going to drive a process now of continual improvement. 27001 doesn't necessarily expect you to have everything right day one. And actually baked into it is a process of continually improving. We can look further down the line at the benchmark of what would be expected for a certification, even though it could be quite low, but the concept is we've got continual improvement.
So continual improvement is reported to and managed by the management review team. And again, I'll show you the templates that make that up. So what do I mean by that? If I've gone through my risk identification and I've highlighted that there is a risk; you know, we're going to open a new office, there's no reception in the office, and there are no entry controls. So I've identified a new risk.

So I've got to do something about it. So through risk management and risk treatment, I'm either going to accept the risk, or I'm going to reduce it, mitigate it, offset it. So I'm going to do something with that risk. But the body that makes that decision is the management review team. The management review team is the one it's reported to, so it is the one that oversees it.

When I go through my internal audit and I go against the controls and I find that something is wrong or is not operating effectively, then I'm going to have to make a recommendation and something's going to have to happen. That goes into the management review team. An incident occurs: it could be a one-off, or it may require something, and that something could be people; it could require time; it might be that people need training or educating; I might need tooling; I might need technology. Whatever it is, there's going to be something that needs a decision to be made, and it's the management review team that would approve that. So, through the process that I'll show you, and the reporting and all the templates and how it works, ultimately it's the management review team that says, yes, you can have the resource to do whatever it is that you need to do. We'll plan it, we'll track it, we'll manage it, or we accept the risk.

And again, we've got different levels of authority on who can approve what levels of risk. But that's roughly the structure of how it works. So you've got this cycle, this continual round and round: update your policies, update your procedures, then audit them; didn't quite work; continue to improve them, update them, roll them out, audit them again, audit them again, audit them again, on and on and on it goes. When it comes to your audits, one of the first things, when we come off of this, is I'll talk you through the process of how 27001 works, but you are going to get externally audited. Now external audits for clients happen in a number of different ways, all right. They can happen as part of a certification process. They can happen as part of onboarding a new customer, so typically you're going to see questionnaires, requests for certificates, but they can also come and audit you and review you. And obviously the worst case scenario is a regulator is going to come in and audit you as well, but hopefully you never get to that point. So let's look at the framework. So that's how the management of it all hangs together.
So if I look at the governance framework, the top two remain the same. You can think of it as an inverted pyramid in effect, but I like to work bottom up, top down, but you see where we're going. So the top two remain the same.

Management is still setting the direction. The management review team is still ensuring it gets done. What we're looking at now is where does 27001 logically fit within this structure? And for me, through my experiences, 27001 forms the foundation. It is the base level management system as an organisation that I would be encouraging any client to go for first. So there's some debate out there. I've got clients that come to me and they go, oh, I want to do SOC 2, right, we want to do SOC 2 first. Again, we can have that discussion, but I would always discourage that and say let's go 27001 first. If 27001 is on your roadmap, let's do it first, then build on it, because pretty much every other standard that you've got out there builds on 27001 as a framework. So your bolt-ons: when we build our structure, you're going to be able to bolt on GDPR, PCI DSS, SOC. And the way that we're going to do that, and the way that we would encourage you to do that, is to build these common modules. I want to create a risk management approach, template, structure that is sufficient to support GDPR and to support PCI and actually support the wider business.

And, you know, on many engagements I go on, the business will say, actually, your risk register is better than the one we use for the company. Let's take that and apply that to the wider business. So we want to build supplier management in a way that it satisfies all requirements: policies, operating procedures, etc.

What I mean by the bolt-on section is, and again for knowledge really, that if something like 27001 says you need a password management system based on risk, it could be one character long, it could be no characters long, it doesn't care. PCI comes along and says, oh, by the way, your password management system will be 28 billion characters long with all of this level of complexity in it. You know what, that's okay, right? It's just a tweak to whatever, an AD setting on a group, whatever, you know, but we're building upon that. We're building upon that foundation. GDPR as well: we will have a look at where that fits, but the principle six, maintain adequate security; 27001 satisfies a lot of that, but there may be some additional steps that we want to take just to enhance it a little bit for special category data or whatever it is that the GDPR is driving us down. So that's, kind of, high level how it hangs together.

And that's high level where 27001 fits in within that structure. Is it all things you already knew? Any questions that you'd like to cover?
No questions at all. Makes sense. Perfect, perfect. So hopefully that's just recorded me and you now, which is fine. So in terms of today, let's talk about standards. Let's talk about if you were advising a client, okay. Client says, I want SOC 2. We can do more deep dives into SOC 2 as well further down the line, but they say, in general, right, I'm looking at doing SOC 2, PCI. So let's understand where these frameworks fit within that structure. 27001, as we say, is the international standard for information security management, an international standard driven by the BSI, the British Standards Institute, an ISO standard that is aligned from a management perspective with things like 9001 and 22301, business continuity. So the management structure side of it you're going to see on more than one occasion if you go into a more complex client. You know, if I go into one that's doing 9001, I'm like, well, you'll already have a management structure, you've already got continual improvement. These are things that we can bolt together.

It is, as I say, the baseline, right. It's the minimum level, risk-based system, minimum level. The main requirement and driver for it tends to be out of the UK, from my experience. So it's very UK, European centric. If your client is operating within Europe, 27001 is probably the one they're going to be pushed for. As you start to move across more into the Americas, the Americas would be driven more by a requirement for SOC.

And it is typically a SOC 2 requirement that they have, and you get that out of Australia as well. Depending on the size of the organisation that's requesting it, they're probably going to ask for both. So I've got clients in financial services; you start working with the large banks and they're asking for both, straight out of the bat.
So let's look at orders of magnitude. Yes, both standards can operate in any organisation. I deal a lot, though, with startups. 27001 you can implement pretty well for a startup; SOC 2 would be a little bit more complex.

So if I look at what SOC 2 does, SOC 2 is driven from an accounting practice, right? So it's an accounting structural framework, really, and it actually sits within a broader accounting audit process. When it comes to SOC, there are two types.

There's a SOC 1 audit and a SOC 2 audit, and we'll cover this again, don't worry, but it's just conceptually. So the client's saying to you, I want a SOC 2 audit. Well, what does that mean? So you've got an accounting standard with an accounting audit that goes at the back of it that can do one of two things, a SOC 1 or a SOC 2. To start with, a SOC 1 audit typically is of an organisation that does something that can materially or fundamentally impact the financial reporting of that organisation. Fundamentally, it's going to impact on the accounting reporting of that organisation. SOC 2 is usually applied to businesses as a general control set. It's just a general set of controls. You then have, within SOC 2, types of audit.
27001 is a point in time audit. So when we do our audit, it just looks at basically the information that it can see at the time. A SOC 1 or 2, but type 1, audit is a point in time audit.

So if you get a point in time audit, you're good to go. A SOC type 2 audit is a continual audit for a defined period of time. Typically, your client is going to take 12 months.

So what that means is when they audit it, they can say, right, show me evidence that it worked in January, in February, in March, in April; give me a sample from November. The rigour that's associated with it just absolutely goes through the roof. So differences between different audits: point-in-time audit, point-in-time audit, and/or a continuing audit.
27001 is a structured framework. It's got 114 controls in it, dropping to 90-something, depending on when it comes out in its next iteration. SOC is not a defined framework, allegedly.

So what SOC requires you to do is define your controls, and then they will audit you against the controls that you've defined, typically. It's not quite actually the real world, right? Because what happens is when you engage with these third-party audit companies, they've got their own portals and tools and they ask you for documentation and it's all the standard stuff, right?

So there is some work to do to define controls, but ultimately what they're looking at is the stuff that we look at day in, day out. But if I look at it conceptually for the client, I'm saying, look, you've got SOC 2 over here, it doesn't have a set of controls with it. You've got 27001 over here, it does. So let's implement 27001. 80% of what we're going to need is going to be delivered by 27001. And then we'll bolt on the extra that we need, and the extra little bit of rigour, if and when you want to do SOC 2. No issue.
Okay. So that's the difference between those two. PCI DSS fits in and follows a very similar structure. It's about 344 controls, depending on which level of business you are. You do self-assessment or you do your report on compliance.

We can go through all of that, but fundamentally PCI DSS is a control set, and depending on what kind of business you are is which of those controls apply. It's rule based, yes or no, pass or fail. And again, that applies to anything that stores, processes or transmits data, sorry, cardholder data. And so again the level of rigour that goes with that can be quite high. Start with 27001; build on what you want as you go through it. If we look at costs: client says, I want 27001. 27001, to certify, to get the certificate, is going to range anywhere between maybe four to maybe 12 grand, maybe. Again, it depends on the size of the business, right.
So what will happen is when you go for your 27001 certification, they follow a structured format and it spits out a number of audit days at the end of it. Small organisation like me, it was three days. I've got a small organisation that are based out of Brazil that I'm taking through at the moment. There are six people, software development, no on-prem, all in the cloud: three-day audit.

Tomorrow, I start a stage one audit for a large UK charity. It's a three-day stage one and a 12-day stage two. Massive, right?

So there is variation in it, but you can get a feel for it; technically it's not that expensive. So, you know, a couple of people in a room, if you were to go for it, you're probably going to be looking at around about three and a half, four grand, something like that. If I go into the world of SOC, depending on what I'm doing, my SOC 1 audit can start at 18 grand just to take the test.
And that's for a type 1. So again, I'm like, client, right, you want to go for SOC 2, it's complicated. There are no controls. We're going to have to define them all. And it's going to cost you probably three times as much as a 27001.

Should we walk before we run, right? Let's go down this road and then we'll get to the SOC. To do a type 2 audit, you can be in tens of thousands of pounds. So I've got a UK-based financial company that's forced to do a SOC 2 type 2 at the moment.

And for them just to take the test, it's £42,000 a year, just to take the test. And they pay me less than that to do the work. But that's fine.

So, you know, your type 2 audits are ranging probably late 20s, early 30s, all the way up to 40s, mid 40s. Now, there are influences and factors on that. And again, we can discuss those.

I can guide you through it, but I'm just giving you orders of magnitude. OK. When you get into PCI DSS, clearly they'll charge what they want, right?

Tens, again, 30, 40 grand just to take it. So for me, my framework is 27001, build upon it and build upon it. Let's look at how the 27001 process works.
Okay. So what we're going to need to do is get our client an accredited certification. There are many people out there that do certifications; what you're looking for is an accredited body certification. I'm not going to call out the ones that pretend that they are accredited and aren't, but you've got to do your due diligence and find out who are the ones that can. So if you look at it from the UK, to get an accredited certification you're looking at the British Standards Institute, BSI; SGS; CFA, the Centre for Assessment; BAB, the British Assessment Bureau. The one that I use a lot, and I can make you an introduction to, is Approachable, right. So the Approachable guys are absolutely spot on, but I use Approachable; you can Google it. There are other ones out there, LRQA etc., but those tend to be the big ones. If you were going to engage with a client, I always recommend to the client, even though I know they're going to go with Approachable, to get three quotes. Yeah, make them do the work. So you've got the BSI, probably got CFA, and then go to Approachable and get three quotes back. I can show you at some point the level of difference that comes back, because it's not that standard either, right. So they're going to send back their fees, and there's some confusion with you that you've got to work through. Once you've seen a few of them you know what to look for; you can see what they're missing, right, and you know what's going to hit your client further down the line, because it isn't as straightforward as "this is the price". The way they cut it, it can be confusing. So we're going to go to the certification body and we're going to make sure that they're accredited. The accreditation body in the UK is UKAS. So it's a UKAS accredited certification body.

And you can look on the UKAS website and it will tell you which ones are underneath that. Some of those bodies can issue certificates elsewhere. So I use Approachable; they do my Buenos Aires client, they do my Americas client, and they do their Australia client.

Okay. So at the end of the day, as long as it's an accredited certificate, it kind of doesn't matter. To help your client, if you end up with an international client, by using the UK as a rule, and especially using Approachable, it will be cheaper. Okay.

So American auditors for 27001 can be up to three times the price of the UK. Like, their day rates are huge. They over-egg it. It's just crazy, it's crazy. So I would always say to a client, get three quotes, definitely. And even if I was in America, I'd say get two American ones and one UK, and then let's just compare it so that they can see it. We're not telling them; we're not in bed with anybody. I just know what the answer is, but I'm going to help you to come up with that answer. Yeah. So I get my accredited certification body. They then send out a letter to your client that says, right, how many staff have you got?
How many offices have you got, et cetera? That is the thing that dictates the number of days. So they're trying to scope it. So if you have physical offices in scope, then they will physically visit those offices.

It's going to cost you money. All right. The more staff you've got, again: I think because these guys have got 200, it's like 11 days.

And even me, I'm going, but it doesn't make sense, because the process is the process, right? It's irrelevant how many people; we're just going to be sat filling our phones for 10 days anyway. That's the story. So then they're going to quote it and then they're going to come back to you. Things to look out for in quotes, right: there's going to be a stage one and a stage two audit that makes up the certification process. The stage one audit is the one that's one or two days; it's the smaller of the two audits. The stage one audit looks at: do you have documentation in place, primarily; is there evidence the information security management system has been implemented and is operating effectively; and does it look like you've done some documentation on your Annex A controls? But it's predominantly looking at the information security management system. The stage two audit is pretty much fundamentally a walk through the Annex A controls with a "show me". The auditor can only ever audit what we tell them, right. So when we go through our process over the coming weeks and we talk about documenting procedures, we always tell the client: document what you do, not what you think I want to hear, right. Document the reality of your world right now, because what the auditor is going to do is go, show me that piece of paper, and then they're going to read it and go, it says here that you get to work at nine o'clock, and then you go, yeah, I only get in at 10. You go, right, well, you failed. Like, why did you write down you're getting in at nine when you don't? You don't come in until 10. Why didn't you put that you come in at 10? So that's what they're going to do in stage two: they're going to go through line by line what it is that you say you do so that you can evidence some approval. So they're going to quote you for your certificate on your stage one and your stage two. When we do our certificate, it goes on this three year cycle.
So we have an annual cost now with the certification body to do a continuing assessment. audit, a CAV or a continuing audit.
What that means is that every year they're going to come back and do a subset of those controls. For a small organisation, typically a day, a day and a half, two days, you know, if I had a six-day audit, I'd probably expect my CAV to be around about two days in reality. And they're going to choose the controls that they audit based on risk. That's what they're going to tell you.
But they haven't. They've got a standard template, and it'll be whatever it is that they're going to audit in that year. So they'll just do a kicking of the tires and make sure that things are running. But they're going to charge you for it. Right.
So the fees that you're looking out for are what are my continuing audit fees. Some certification bodies won't tell you that when you sign up to take the certificate. They'll say, oh, we'll let you know when you've got your certificate.
But not here, right? Because then they've got you over a barrel; you're in then. So you want to know, transparency is: what is my annual ongoing audit fee? Once you know that, you've got a good grasp then, pretty much, of where you're going to be landing for your client. Some of them will include that, some of them will exclude that, some of them will add services that you don't need. The BSI, horrendous for it: "Oh, we're going to give you access to this portal and this system, and we're going to do this management, and we're going to charge you a 10 project fee," and we're getting you like, whoa. By the time you, you know, we're telling you, you've gone through it again, you're in that 15 grand mark for what I can get through Approachable for probably six, seven, eight. I mean, it's layering on what you need, though. You need the stage one, stage two certification audit, and you need the CAV, and then you're asking them, and you're looking out for hidden fees. When we engage with a third party to do the 27001 audit, it can take up to 12 weeks, but really we are just at the mercy of their availability. So they've got auditors; their availability is going to dictate it. If, like me, you end up in a good relationship with the certification body of your choice, then you're going to be in a position where eventually things will be a little bit easier. So if you get a cancellation, can I go to the top of the list? You know, work well with these people, then they'll work well back with you. It isn't about, like, getting any special favours, but it's just about smoothing the wheels a little bit. So sometimes you can fast track your client a little bit through if you're a bit more flexible with it.
But if, set the expectation, client is always like, "How long is it going to get? How long is it going to take me?" And say again, "Well, it's going to depend on the certification body, then it's going to depend on your ability to implement and evidence the Annex A controls." Let's say three months; let's set three months as a realistic timeline to do that.
If client then comes back and says, can we do it in 10 days? Can we do it in a month? We go, yes, we can. But once we start to look at what is involved in it, it's dependent on them to write all these procedures down and evidence that they're doing what they're doing. So I can do my bit, no problem, but you've got to be able to keep up with them.
So we've got that certification process. The certificate won't, again, it depends on how lazy they are. You know, you might not get the certificate back for maybe four or six weeks after you've taken the last audit.
So again, client's expectation: in January, "I'm going to have a bit of paper by the end of January." Not going to happen. Even if it's March before we do the certificate, to do these two stages of audit, it could be April before we even get the piece of paper. So that's worth knowing. What I do if a client is, say, normally if you have a conversation, so client says, "We need it," go back to the person that's requesting it and say, "If I get an engagement letter from the certification body that shows that I've paid my upfront bill, and I show you my commitment dates, and I explain to you that I brought in High Table or whoever, and show you I'm on the journey, will that be enough?" And nine times out of ten it will, right? Most, if a customer is engaging with your client, normally it's because they want their services.
So if they can show that they're going in the right direction, they can show they've got the dates, they've got a letter headed letter from the certification body, everything's booked in. They can see, yep, you spent money on consultants. We can see you're doing the right thing.
Then they might let it slide and say, "OK, we can wait till April for a bit of paper, because we can see that you're on that journey." Yeah. So, again, that's just based on experience, really. You can feed back to people and let them know.
Yeah, I mean, I've done, like, I do a lot of work with the HSC here, which is the equivalent of the NHS. Part of my job is reviewing IT security questionnaires. Yeah, we always get, you know, "Yeah, we are on the road to ISO certification." It's like, OK, show me.
Yeah, because I know I've got long blonde hair, a six, yeah, yeah, Ferrari. But no, you do the right thing. And again, we can stuff that you already know, but again it's worth tuning the fact, like, indicators. At this point I'm looking at it as being an advocate of my client. I can flip it to the other side, because again I externally audit people, and then you can go, these are the key red flags, and then as we go through the process you can see how to counter the key red flags to be the advocate of your customer. It is, you know, it is what it is, right?
That's how it depends. It depends where you want to fit. So in terms of today, I want to overload with knowledge, right?
So what have we gone through? We've gone through, this is, again, just some base principles. This is what a governance risk and compliance framework looks like.
Some of the reasoning about why we need the management buy-in, the structure that would sit under it, and then that role of continual improvement. We've touched on the types of different standards that are out there and the different approaches that they take: point-in-time audit, continual audit, risk-based audit versus rule-based audit. And we've touched on the process and the engagement of how we will deliver 27001 certification for a client. From the certification point of view, we had a look at the difference between UK and non-UK costs and timelines, three quotes as an approach, and now you've got the, if you haven't spoken to them before, Approachable, or my go-to; you've got that as well in terms of some practical things that you could do if you ever got to the point where you were going to certify. Out of everything we've covered today, is there anything else? Is there anything that's come up as a question, or no, it all makes sense?
You know, the governance framework, it makes sense. It's really handy to know, in terms of the timeline stuff is really handy to know, the costs stuff is really handy to know.
You know, I haven't come across Approachable, but, you know, I've come across BSI in terms of them. Some of the quotations for data protection stuff here, it's over the top, right? Yeah, it's over the top.
So what? Yeah, I mean, it's over the top. And to be fair, when you get into SOC 2, I have some conversation with SOC 2 audit, which is supply and demand.
And I'm like, what is it that you're going to do? They come to me. Right.
So my client every year, 10 days of audit, 10 days of audit, that's audit, audit. And then it's pre-audit that happens before that. And I'm like, OK, so what are you going to do?
Can you upload all this document into a portal? I'm like, OK, but what are you going to do? I know what you're going to do. Why are you charging my client £40,000? Right.
For what is, at best, five days' work, at best. Yeah, and the answer is, because we can, and you go, well, that's fine too. So if you look at the stretch of it, I mean, we're going off on a little bit of a deviation. I think I would probably spend a little bit of time with it on the next call, really, which is: what is your role, right? So what are the roles that are at play? In fact, let's pick that up next time. What are the roles that are at play in terms of an engagement and an audit, and then what is everybody's perspective, and then what is the reality of what is going on, and then how do you manage that? So we'll have a look at that next time. I'll give you, because, you know, anyway, but it'll give you some insights into that. Super.