In this episode of The Virtual CISO Podcast, host John Verry talks with Andrew Frost and Leigh Ronczka about the ISO 27001:2022 transition. They cover:
- Key differences between ISO 27001:2013 and 2022
- How auditors are interpreting the new standard
- Updating key artifacts like the SOA and risk assessments
- Managing new controls, including threat intelligence and data loss prevention
- Tips for preparing for the ISO 27001:2022 audit
Tune in for insights on navigating the updated ISO 27001 standard!
So, hey there and welcome to yet another episode of the Virtual CISO Podcast with, as always, John Verry, your host. And today is a two-for-one. We’ve got Mr. Andrew Frost and Ms. Leigh Ronczka. Hey guys.
Leigh Ronczka (00:34.647)
Hang on.
Andrew Frost (00:34.83)
Hello.
John Verry (00:36.244)
How are you guys all doing today?
Leigh Ronczka (00:38.678)
You know, Eagles won last night, beat Dallas, it’s all good.
John Verry (00:42.348)
So we just lost a good percentage of the audience. Thank you for that.
Leigh Ronczka (00:46.35)
I’m going to go to bed.
Andrew Frost (00:46.865)
Including me.
John Verry (00:48.42)
Exactly. People either hate Dallas or are a giant fan. So I mean, now we’re running lean. So look, I’ll try to gather a few people back in. I have the misfortune of rooting for the Jets. Perhaps as a pity, you’ll listen to the rest of the podcast. So as you guys know, I usually start by saying what’s your drink of choice, but both of you guys are seasoned pros at the Virtual CISO Podcast. So I won’t say it exactly that way. I do know that Andrew tends towards bourbons. Anything interesting you’re drinking?
Leigh Ronczka (00:54.946)
Good.
Andrew Frost (01:18.126)
Honestly, I have a completely different direction because I tried a tequila that I really liked this weekend. I was at Batch Bin and Barrel in New Brunswick. It’s a new place that’s part of Steakhouse 85. But they have a, it’s Clase Azul or something. It comes in this really nice big white bottle with a bell on top. It’s a really good tequila. And I usually don’t drink tequila, but I liked it.
John Verry (01:23.98)
Ah, where’d you go?
John Verry (01:45.204)
Yeah, I’ve got… I do. I enjoy. Casamigos, Patrón, usually the two go-tos. Although I don’t know the brands and I don’t know anything about them, I also tend to recently have been drinking a lot more mezcal drinks. But I don’t yet know anything about it. And you tend towards wines typically.
Leigh Ronczka (01:48.927)
I like to feel it.
Andrew Frost (02:00.737)
Okay.
Leigh Ronczka (02:06.638)
I’m a wine margarita girl, yep. And tequila is on the list as well, not gonna lie.
Andrew Frost (02:11.374)
Well, try that tequila.
John Verry (02:13.243)
And if you ask Leigh for a recommendation on wine, it’ll be any boxed wine is a good wine.
John Verry (02:23.752)
All right, so, all class. All class. So, I think it was Andrew and I did a podcast in May. It was episode 118 for anyone who wants to catch up with that. That was focused more on what is ISO 27001:2022, how does it differ from 2013, etc. So, if you’re looking for that kind of information, that’s a good episode to look at.
Leigh Ronczka (02:23.79)
John, you know me too well. I know, very positive.
John Verry (02:50.22)
In today’s episode, guys, I was hoping to take advantage of the fact that we’ve started to get some of our clients successfully transitioned to the 2022 standard. One of the things that’s always interesting is all standards are open to interpretation. Understanding how auditors are actually looking at the standard and what they’re emphasizing I think is really important for any one of our clients or anyone who’s listening that’s going to be making that transition. That’s what I’m hoping you guys can help me with today. Let’s just really briefly just to kind of set a floor.
Let’s just go over the most significant changes from 2013 to 2022.
Leigh Ronczka (03:30.574)
Sure. Actually, one thing I think we should back up and mention, John, is with the clauses, 6.3 for planning and operation requires how you plan changes, right? So there is one addition into the 27001 clause area, 6.3. Very subtle, and it’s about managing changes to the management system, right? So one thing that’s really important is everybody has change control, SDLC for the technical controls,
but you also have to consider how you’re managing the system itself, notification, people, onboarding, offboarding, services, larger things, business divisions, whatever it may be. So we don’t wanna lose sight of that. From the technical side, really, there’s not anything that’s so new to the world of IT security compliance. They’ve brought in threat intelligence, they’ve brought in configuration management.
information around security cloud, data loss prevention, data masking, web filtering, Andrew what am I forgetting off the top of my head? Secure accounting, ICT readiness.
Andrew Frost (04:38.934)
secure coding, physical security monitoring. But they’re all things that people were doing in most cases to some extent. That’s the key of a lot of this.
Leigh Ronczka (04:53.738)
Yeah, deleting information and monitoring physical environments.
John Verry (04:54.217)
It was sort of updated.
John Verry (04:59.36)
Yes, to your point, Andrew. It sounds as if from most people’s perspective, it’s really more just a formalization of the ways that you’ve probably already adapted 2013 to address the contextual changes in the world between the 2013 standard being adopted and the 2022 standard.
Andrew Frost (05:17.206)
Absolutely. Yeah.
Leigh Ronczka (05:18.166)
Absolutely.
John Verry (05:21.166)
Cool. So now that we’ve been through it, how significant are the changes that we had to make to key ISMS artifacts for our clients?
Leigh Ronczka (05:31.246)
So really the largest level of effort that we’ve done for our clients, obviously is how we do a gap analysis, right? So one of the artifacts that’s not called out that’s really important to this transition is your gap analysis, your transition plan, right? What are the new controls? Are they applicable to your environment? Are they operationalized? Are they not? What do you have to do, right? So that planning and transition is a large part.
understanding the involvement of them, updating your risk assessment so it includes the new numbering the new controls, right, you need to do the diligence to make sure things are not omitted that are applicable on your SOA. The SOA is probably one of the heavy uplifts from an artifact because it has new columns and new attributes that are defined by the standard. If it’s a predictive detective, you know, what’s the control type?
Other than that, the body of policies and SOPs and stuff we look at, it’s really making sure that they cover the spirit, the language of the new requirements that we’re actually doing stuff. So, in a lot of our clients, they do the things that are in the new requirements, they’ve just not documented. And as we’ve always talked about, ISO is, say what I do and do what I say.
John Verry (06:57.618)
us.
Andrew Frost (06:57.762)
I mean, I would say the one policy that almost all of our clients have to add is configuration management, because most people don’t have that documented. I think that’s the…
Leigh Ronczka (07:05.895)
minus-minus.
John Verry (07:09.28)
And Configuration Management, does that cover just like traditional Configuration Management, or is that tied into like the Change Management that you were talking about? When you were talking about the Change Management earlier, I got the impression we were talking about Change Management almost at the ISMS level itself.
Leigh Ronczka (07:26.21)
The configuration management is more at the technical level. Think of standard imaging, right? Baseline images, their hardened profiles. You’re knowing what ports and services are authorized to be running on your systems. You know what the authorized accounts are to be on your systems, right? You don’t want people going in there, changing configuration to meet their work needs, run separate services, run gaming stuff on their workstations for work, right?
So that’s really where the configuration management comes, to make sure that your assets have the secure profile that you expect them to have.
Andrew Frost (08:07.03)
to answer the other part of that question, 6.3 is the new control in the clauses. And that is literally, it’s a one-liner in the standard. It just says, you need to manage your changes in your ISMS. So for that, we’re usually just recommending like a one-liner in either the charter or the manual that says, you know, changes to the ISMS will be managed by the ISMC.
John Verry (08:20.856)
Okay. Gotcha.
John Verry (08:35.532)
Gotcha. What about the, were there many changes required of the scope statement?
Leigh Ronczka (08:42.938)
No, no, there really wasn’t. The only thing, and the way that we do our scope statement is maybe based on the new controls, there’s new key interface dependencies, tools that we wanna reference, because we do talk data loss prevention, we do talk threat intelligence, we do talk configuration management, so maybe there’s key systems that they wanna add in, but the actual scope itself does not need to change.
Andrew Frost (08:44.526)
now.
John Verry (09:08.428)
Gotcha.
Andrew Frost (09:09.882)
There’s one, I’m just thinking about this now, there’s one thing that they added into the interfaces and dependencies to say what, and I might forget the exact wording of this, it’s basically what requirements are gonna be managed by the ISMS for those interfaces and dependencies. And I don’t think it’s that important to add in there, but it’s a nice little tweak if you want to put that in there. Yeah.
John Verry (09:38.604)
You might get some on a nitpick. What about, did you find, I was very curious with some of the hashtags and things that they were doing. Did you guys end up making changes to the risk methodology?
Leigh Ronczka (09:41.035)
Yeah.
Leigh Ronczka (09:50.77)
No, not at all. Based on several conversations that we’ve had, specifically how CBIZ Pivot Point does it, we’ve always discussed how risk is a module, it’s a method, it’s open to interpretation. So the way that we do it, we always base the maturity on the actual controls of the environment. That’s what we base our risks on. And we have been very successful with all of our clients that we transitioned to the 2022 version of ISO that have been audited. There’s not been any questions at all.
all the new controls are part of our actual process, they’re assessed, we’re good.
Andrew Frost (10:26.742)
But we are putting those attributes in the SOA now.
John Verry (10:32.624)
Okay, gotcha. And that’s why you mentioned that was such a big, that was a fairly heavy hand lift. Okay, what about any significant changes other than the content change to internal auditing, internal audit program?
Leigh Ronczka (10:47.103)
No, I think… Go ahead, Andrew.
Andrew Frost (10:49.346)
Well, I mean, the big thing that, and we mentioned this already, but the big thing that the auditors are gonna look for is a transition plan, how you did this change. That’s like the first thing they’re gonna look at and they’re gonna go through it. Like that’s probably the most important artifact for the transition.
John Verry (11:09.984)
Gotcha. And that was the one that was specified in, was that IAF MD26? I always forget the name of that document. But that was something that we actually talked about during our first podcast that we thought was going to be the case. So it’s interesting. That’s one of the first artifacts they love.
Andrew Frost (11:14.964)
I a yeah.
Leigh Ronczka (11:16.738)
Yeah.
John Verry (11:31.312)
So I think we actually covered a couple of other questions that I had. I was curious about specific artifacts that were unique to the transition and you’re saying it’s just the transition plan, correct? Gotcha. And then we talked about control attributes and you said that the auditor’s not necessarily looking for them in the risk assessment, but in a sense you sort of hijacked that.
by putting them in the statement of applicability, in a sense, if we’re applying a control, you are applying the control attributes at that point, right? There is a mapping control attribute to risk assessment effectively.
Leigh Ronczka (12:08.222)
Yes.
John Verry (12:09.664)
Was that a point of conversation at all? I was curious as to what they were going to do this year with that.
Leigh Ronczka (12:14.39)
No, it has not come up from the client side. It has not come up from the external auditor side. I know that when we’ve been doing the Uplift Me specifically, you know, I do reference it’s part of the new standard where it’s identified and there’s an expectation that we acknowledge it through our documentation and we actually put it in the SOA. It’s not been a point, it’s not a question at all.
John Verry (12:39.733)
Interesting.
John Verry (12:43.128)
Did they emphasize control groups at all? That was another question that I was wondering what they would do with those.
Leigh Ronczka (12:48.93)
When you say control groups, what specifically is your point of view of a control group? Andrew and I actually were talking about this before we got online with you.
John Verry (12:56.736)
Also, if I recall correctly, and you guys have forgotten more about 2022 than I know, but the control attributes were more the hashtags that would, let’s say, specify things like whether a control was, as you pointed out, corrective or detective. But they had control groups that were around whether it was organizational, it was technology, people, and physical. Really?
Leigh Ronczka (13:07.661)
Right.
Leigh Ronczka (13:13.079)
Yeah.
Leigh Ronczka (13:19.652)
Oh no.
And no, that did not come up at all.
Andrew Frost (13:22.754)
So, I mean, that’s just the, that’s like the four subsets of the controls, basically. So, I mean, obviously it’s organized better when you’re going through an audit, it’s really nice because you’re actually looking at these things when you should be instead of like picking from different places. But…
John Verry (13:26.42)
Right. Yeah.
Leigh Ronczka (13:40.642)
Yeah.
John Verry (13:40.908)
So that was really the only way it actually influenced the process is really from an audit program perspective. Did it have the same effect both from an external audit and an internal audit perspective?
Andrew Frost (13:47.49)
Yeah.
Leigh Ronczka (13:51.95)
I think it did. So I’ve sat through external audits, I’ve done some internal audits, and I’ve done up lists, and I see the same value to Andrew’s point. It organizes things better. And actually, John, one of the things Andrew and I were talking about is one of the new controls, threat intelligence, you know, what did that really bring to the table? And what I was saying to Andrew from my point of view, that’s really discussing further in detail.
Andrew Frost (13:53.166)
Yeah, I agree.
Leigh Ronczka (14:18.274)
three existing controls that were already there under the 2013 version. It was maintaining the contact with special interest groups, all those alerts that come in. It’s your vulnerability management, your scanning program, how often you’re doing it, you’re doing patching. It’s really the alerting and monitoring. So what I’ve experienced with the external auditors when it comes to threat intelligence, they’re really taking those three predefined control areas.
and they really want you to dive more explicitly into your process of how you manage it, how you proactively manage it versus reacting when something’s discovered. So I thought that was really nice of how threat intelligence brought three existing controls together and allows you to take that deeper dive. You’re already doing something, but now you have the opportunity to explain it more.
John Verry (15:12.46)
When I think threat intelligence, that’s one of those interesting words and we talk about threat surfaces and we talk about vulnerability, they all kind of are different sides of the same die, so to speak. But when I think of the threat intelligence, and I think about proactive, I tend to think of more not only being aware of our threats that we’re in control of, but those that are outside of our domain.
Leigh Ronczka (15:14.934)
Mm-hmm.
Leigh Ronczka (15:29.432)
Yeah.
John Verry (15:41.024)
Did they dig in at all into things like dark web monitoring and things of that nature?
Leigh Ronczka (15:49.494)
You know, there were examples like that were brought up. So what we’ve seen from our clients is, it’s the communications, it’s the reviewing things, is it something that impacts their environment? It’s the dark web monitoring, it is the IDS, it is the IPS, it’s about being proactive, being on webinars, going to seminars, staying in touch with the government, SANS, US CERT, right? What’s coming, what’s trending, what are we seeing?
even to the point AI came up as an emerging threat with all the unknowns around it. And we know that’s a hot topic today.
John Verry (16:29.784)
Do you think that there’s an expectation that you’re doing something like dark web monitoring? Is that something that someone’s going to end up with an OFI if they don’t have something in place at this point?
Leigh Ronczka (16:39.054)
I don’t think that you’ll get an OFI on it, right? Because ISO is not prescriptive when it comes to it, but I think it’s a good conversation point that auditors and consultants can bring to the table, specifically what your environment, what your business service line is, how critical is it, and do you do more privacy work and collect more PII versus are you in an environment that does more work that has public data, right? So there are…
elements that could come into play with the dark web monitoring when it comes to your user IDs, passwords and other access points.
John Verry (17:19.5)
I’m curious on the configuration management front. Configuration management, 10 years ago was largely an internal function. Now, it is, or 15 years, whatever the number is. Now as we’ve gone much more towards SaaS and we’ve gone much more cloud, configuration management is a much broader topic. How much did they dig into the configuration of SaaS, cloud, et cetera?
Leigh Ronczka (17:49.538)
They didn’t dig into service providers as much as what are you doing to manage the assets themselves and how baselines are maintained, how they’re changed, how they’re approved. You know, they use examples of clients, are you running Puppet or NinjaRMM, like to go out and scan your assets. Are they meeting?
the guidelines or do you have to roll back a configuration because something was changed in an unauthorized manner? One of the things that I experienced specifically on that topic was the external auditors were not approaching clients with a heavy hand around the controls because they are new and they wanna have the conversations, understand what the baseline is first and let companies start to mature and determine what level of configuration management they have to go to.
in the next two years.
Andrew Frost (18:46.99)
That’s a really good point. No, that’s a really good point. You know, they’re not, like ever, it’s new to everybody, including the external auditors. So we’re all kind of feeling our way around it a little bit and taking a little, maybe the auditors might be taking a little bit of a lighter approach to, you know, what exactly they really want you to do. But I mean, and you can always argue ISO anyway, because it’s not prescriptive. Like,
John Verry (18:47.166)
Andrew, what are you seeing there?
Andrew Frost (19:15.766)
Well, it doesn’t say I have to do dark web monitoring or I went back to that, but, you know, maybe it might be better if you do that. So, you know, third.
John Verry (19:31.904)
Yeah, there’s a…
Andrew Frost (19:32.194)
They’re just not digging that hard yet.
John Verry (19:35.04)
Yeah, that’s interesting to me. And I’m starting to wonder about whether they should be. And we had an internal conversation recently, at least I think it may have been on the thread. I had a conversation with someone there ISO certified. They just had a near scare from a business email compromise perspective. An email was compromised, but they had good monitoring. They were able to get it addressed right away. And the question was is,
What is an external auditor’s and what is an internal auditor’s responsibility? Digging in a little bit more deeply into some of the controls for risks of that nature, right? So I don’t think any of us could argue that business email compromise, you know, social engineering, is arguably one of the single greatest risks that we should be looking for. You know, this organization was on a Microsoft plan that had Safe Links, as an example, and didn’t have Safe Links enabled. You know, so I’m curious, from your perspective, you know, A, should
in order to be asking a question of that nature? I think we could almost call that table stakes at this point in time for a high risk organization. And B, you think that we’re going to see them do that? And C, should we be doing that as a, you know, when we’re doing internal audits on our clients’ behalf?
Leigh Ronczka (20:37.55)
Come on.
Leigh Ronczka (20:45.742)
So I think if we even take a step back a little bit from that, John, I think fundamentally the most important thing is making sure consultants and auditors all actually understand the control and reading the guidance that goes to the ISO requirements is very valuable, right? I think that’s the first critical point that should be brought because different people have different expectations, different experiences, no auditor audits the same way.
you come from a very highly regulated environment that does not translate to ISO, right? It just doesn’t. So you have to understand the environment. You have to understand the control, the guidance of what they’re looking for, and obviously right size controls that are applicable to your environment where the return on investment is appropriate, right? You’re not going out and spending a lot of money on best of breed systems that you don’t need to do for the size of your organization. So I think that’s fundamental.
I do think it’s appropriate to ask the questions, you know, should you be doing dark web monitoring? Can you do it? Do you know how to do it? Is it something you can build on your security roadmap? I don’t think it’s something that I personally would write up in an audit report unless it was a very mature industry, ISMS, smaller companies. You know we do a lot of work with a lot of smaller companies. I don’t know it’s necessarily their wheelhouse.
Is it something that there’s a third party that, you know, they could hire at a reasonable cost to do that monitoring for them? That would be an obvious tabletop discussion I would have with them. And I think as time goes on, it probably will become a much more prevalent conversation to have because we do see data breaches on the increase, right? There’s no getting around to that. We have more data in our environment.
data that does not get deleted, it’s there forever, right? So you have more exposure, more risk. So I think just by nature of our business and the way that technology is moving and the amount of data, how it grows exponentially every day is absolutely a vital conversation to have. Andrew, your thoughts?
John Verry (23:02)
I’d be interested in your thoughts more on 365 specifically. I’d like to hear your thoughts on it.
Andrew Frost (23:02.154)
I-I-
Andrew Frost (23:08.267)
Unway.
John Verry (23:09.464)
Office 365, that specific example that I gave. Because I do think you can make an argument that’s not, that’s an example. If they didn’t have multi-factor authentication, multi-factor authentication is a configuration management. I don’t think any of us would not lean into a conversation about, guys, you really need to have multi-factor authentication enabled. We all agree that despite the fact that it’s non-prescriptive, we have to take a risk-based approach.
Leigh Ronczka (23:09.81)
Office of the District of L.A.
John Verry (23:38.62)
lack of two-factor authentication, we’d all agree is inappropriate. In 95% of the organizations we’d have to do business with. I’m just curious as to where that line gets drawn because business email compromises such a significant risk. Where do you think the line is and then where do you think the obligation of the internal auditor and or the external auditor stops with regards to that? Is it just leaning into the conversation? Is it just leaning into the conversation and suggesting it’s an OFI? At some point, given the risk, it’s
Is it a nonconformity?
Andrew Frost (24:10.158)
So I can’t see how you could ever make it a nonconformity following ISO because ISO is not prescriptive and technically they’re doing what they determine that they should be doing. Unless their risk register is wrong and they miscalculated or something. But they determine their risk, they determine what controls that they wanna have in place. But I can definitely see a case for an OFI.
because this is how they can improve their program. And that’s what an OFI is. That’s, you know, here’s how you can be better than where you are, but you are following the standard as far as I can evaluate it.
John Verry (24:53.216)
Yeah, I think you can make an order. I think an order, what is the term they use? Professional judgment and experience, I think is the term that they use. But I mean, if somebody said they had no locks in the door and all passwords had to be three characters long and start with A and end with C, I think that we would all agree that there’s a nonconforming there because you’re not effectively managing risk, right? There’s something wrong with your risk management program if you accept that risk. So I know that we’re talking about shades of gray here.
Andrew Frost (25:15.393)
Yeah.
John Verry (25:22.964)
I was just curious as to how far up or down. So I do think an auditor does have the discretion to say bullshit, right? But I think they’re very hesitant too. I kind of feel like maybe sometimes as consultants and if we’re doing a consultative internal audit on their behalf, perhaps we should be prodding them to move further forward.
Leigh Ronczka (25:25.57)
Thanks.
Andrew Frost (25:28.833)
That’s a good point, yeah.
Leigh Ronczka (25:43.262)
We call the bullshit. You know, well, you know, I’ve done it, right. I’ve done it multiple times in my life so far at PBS. But I think another point as a consultant, and I think more of a consultant and maybe less as an auditor, right, because an auditor is coming in to validate compliance and look for how you can strengthen controls. But as a consultant, I think one of the consideration talking points is
John Verry (25:51.104)
I’m sorry.
Leigh Ronczka (26:12.086)
Do we know that those controls are there to be enabled? Do our clients know those controls are there to be enabled? Do they know how to do it, right? So I think one of the barriers that we go up with any framework is so many technologies, so many controls, we are not all experts in all areas, but it’s starting to compile those things, those control areas that are quick hits that cost little to no money.
to implement to have a more secure posture. And I think as a consultant, taking that approach is a win-win for everybody. And as a consultant, then when you go into audit, you’re aware of that and you make sure that conversation is had. And if you’re gonna write it up as an OFI, you explain why you’re writing up as an OFI. Strengthen your security posture, build in your roadmap. But part of it also, John, and Andrew and I talked about this a little bit earlier today,
is dealing with culture of change and restriction. And we were talking about some of the other controls and how you have to really manage that from the tone at the top, and you really need leadership to send the message that we’re doing this for a reason, to protect ourselves, protect the data, protect our clients.
John Verry (27:29.964)
Gotcha.
Leigh Ronczka (27:30.422)
and we run into that a lot.
John Verry (27:34.432)
Have either of you guys gone through a 27001:2022 transition with a SaaS company? I’m just curious as to what they were pushing on from a secure coding perspective.
Leigh Ronczka (27:50.126)
I have not, but from secure coding, what I have seen is really the focus on doing like, what is it, Sonar scanning, SonarQube scanning, making sure you’re up to date on the top OWASP 10/20, making sure you’re giving the right training. Those are the things that seem to be very common regardless of your environment, but if you’re doing any type of…
services and development around that, they’re pushing for that.
Andrew Frost (28:26.714)
And I think that’s an area that I probably always went down that, like, I don’t see any difference with that new control in the coding controls, because I’ve always asked all those questions anyway. But I’ve come from a coding background, so it’s a little bit different. And that’s like what Leigh was saying, like depending on your background, you might concentrate on different areas. So I’ve always gone down that road with the developers.
John Verry (28:26.824)
on the whole last one.
John Verry (28:57.452)
Um, so I’ll ask each of you, Andrew first. Um, you know, if you were chatting with somebody who was having a beer or having a tequila, uh, with someone asking the question, they’re getting ready to prepare for their 27001:2022 transition audit, uh, and they asked you for any recommendations, what would they be?
Andrew Frost (29:17.586)
Um, the very first thing is to make sure you have a transition plan, which we’ve said before a few times, um, that is key and it’s always going to be reviewed. Um, I think that.
Andrew Frost (29:35.894)
At least one of the controls that I thought of that we talked about a few times is data masking. A lot of people don’t realize that might not be applicable to them because when you read the control, it sounds like, oh, we have to do data masking of sensitive data. It’s really like a control that should be evaluated for applicability before you decide whether or not it needs to be implemented. And…
And that happened, I think, with one of the clients that Leigh was working with. Like during the audit, they actually, the external auditors told them, you can take this control out of applicability because you don’t have any legal or regulatory reason to have this, to be doing data masking.
Leigh Ronczka (30:06.583)
Yeah.
John Verry (30:24.332)
Yeah, with 2013 we used to see that sometimes with some of the A.14 controls. You get some people that would say, you’re always a little awkward, does this need to be in scope, does this not need to be in scope? And often you’d have those conversations and like you said, even an external auditor might say, hey, you know what, you don’t really need this one.
Andrew Frost (30:29.314)
Mm-hmm.
John Verry (30:44.009)
Anything else, Andrew?
Andrew Frost (30:44.074)
Um,
I know they asked at least one of our clients during the audit, like, did you have any issues implementing any of these controls to kind of bring them down that road a little bit? And they were able to say, no, we were basically doing most of this. We just had to button it up a little bit and add some documentation and change all our mappings and all that. But it’s not.
In most cases, it’s not a huge lift. That’s really the biggest takeaway. It’s, it’s not as big as you would if you’re doing these things already, which a lot of our clients are. It’s not that big of a lift. It’s just making sure you, you have.
John Verry (31:31.872)
I think the caveat is if you were already doing it, and by definition if they’re our client they probably were, because we tend to hold people’s feet to the fire a little bit more than the standard does by definition, right? All right, Leigh, same question. Yours is not tequila, it’s wine, but he or she failed. Yeah, you guys have your box of wine there and you’re chatting with someone. What would be your record?
Leigh Ronczka (31:34.942)
if you’re doing it well.
Leigh Ronczka (31:46.262)
Just a little bit more.
Leigh Ronczka (31:50.406)
Oh, mine’s wine, not margaritas. Okay.
My box of wine. I think the first thing is don’t panic with the new control and control language and really sit down and read through them. To Andrew’s point, data masking is a big one. A lot of clients panic like, oh my God, we can’t anonymize our data. What do we do? Our systems don’t do it. And the first question you have to say, do you have any legal requirements, contractual requirements that you have to mask data?
Second question is can any of your systems do it, right? And that’s gonna drive the applicability and how you have to handle it. Don’t confuse data masking with encryption. To Andrew’s point, when we went down this with an external auditor, because we didn’t know and we marked data masking in scope, right? And we documented the bolstering controls, to use that word, because it’s in the standards itself, we talked about encryption, how it’s everywhere, at rest, processing, and you know, just across the service wire.
And that’s when they came back and said, but you’re not required to do it. And we’re like, no, and we weren’t sure. So we were being very conservative. And they’re like, you’re not required. It’s not applicable. You’ve got great encryption, right? So because there’s encryption top to bottom, the auditors were very comfortable. I think the other thing is take a deeper dive look into data loss prevention. You don’t have to go out and put money into new systems, but look at what you have today.
One of the things I like to do when I go into audit is, okay, USBs are locked down, or you have to do whitelisted and encrypted USBs, but where are all the different points of access that you can have? And it’s just not connecting writeable media to your SB. Do you have to do VDI implementations for workers, contractor workers in other data centers, call centers, other parts of the world?
Leigh Ronczka (33:51.766)
where they can’t copy screens, copy data, or you’re monitoring your email. And my favorite one where I love to throw clients off, and I’ve only ever had one client say they do this, is we always talk about Windows-based assets and we never talk about the Mac stuff, and I love to bring in air dropping, right? The Mac, the iPhone, the watch, like where are your controls around that? Because data can still go there, like how are you blocking it? So when you talk about data loss prevention, because it’s not data loss,
program, right? Look at all the elements of monitoring you’re doing today, all your encryption, all your block, see what areas of data access points you have, where you’re sending data out or could export it and determine if you can put simple controls in place like doing secure in your email, doing PGP encryption, you know, little things like that will go a long way, right? And it’s not about giving the option.
to do it, it’s about configuring it so it must be done. Cause that data loss prevention, data gets out unauthorized access to something, you get a data breach, you get fined. The trickle effect to that could be huge. So I think to Andrew’s point, there was nothing really new in the environment or the controls, it’s just how they phrased them to make them more realistic in today’s environment.
Andrew Frost (37:21.652)
Something that we talked, that Lee and I talked about earlier was, now I forgot what I was going to say, was how sometimes some of the controls can be implemented without technical controls and you need to be aware of that. Especially, we were talking about web filtering. So web filtering, like everyone thinks of, oh, you have to block certain websites.
Leigh Ronczka (37:39.658)
We’ll be back.
Andrew Frost (37:46.596)
You have to block everyone from getting to like all the any website with — on it or something. But that’s not the control could be a policy that says you’re not allowed to go to any of these websites. We’re not actually actively blocking them or you might just be blocking certain IP addresses that you know have ransomware or something. But it’s not it doesn’t have to be a full-fledged.
John Verry (38:18.048)
Guys, thank you very much. I normally say, how would people get in touch with you? But they know how to get in touch with you anyway. You can get in touch with all of us at pivotpointsecurity.com. It’s andrew.tross.
Andrew Frost (38:18.592)
That’s important.
John Verry (38:50.414)
We look forward to chatting with you.
Leigh Ronczka (38:52.898)
Thanks, John.
So, hey there and welcome to yet another episode of the Virtual Season Podcast with you as always, John Verri, your host. And today is a two for one. We’ve got Mr. Andrew Foss and Ms. Lee Ronska. Hey guys.
Leigh Ronczka (00:34.647)
Hang on.
Andrew Frost (00:34.83)
Hello.
John Verry (00:36.244)
are you guys all doing today?
Leigh Ronczka (00:38.678)
You know, Eagles won last night, beat Dallas, it’s all good.
John Verry (00:42.348)
So we just lost a good percentage of the audience. Thank you for that.
Leigh Ronczka (00:46.35)
I’m going to go to bed.
Andrew Frost (00:46.865)
Including me.
John Verry (00:48.42)
Exactly. People either hate Dallas or are a giant fan. So I mean, now we’re running lean. So look, I’ll try to gather a few people back in. I have the misfortune of rooting for the Jets. Perhaps as a pity, you’ll listen to the rest of the podcast. So as you guys know, I usually start by saying what’s your drink of choice, but both of you guys are seasoned pros at the Virtual See So podcast. So I won’t say it exactly that way. I do know that Andrew tends towards bourbons. Anything interesting you’re drinking?
Leigh Ronczka (00:54.946)
Good.
Andrew Frost (01:18.126)
Honestly, I have a completely different direction because I tried a tequila that I really liked this weekend. I was at a Batch Bin and Barrel in New Brunswick. It’s a new place that’s part of Steakhouse 85. But they have a, it’s Closet Agla or something. It comes in this really nice big white bottle with a bell on top. It’s a really good tequila. And I usually don’t drink tequila, but I liked it.
John Verry (01:23.98)
Ah, where’d you go?
John Verry (01:45.204)
Yeah, I’ve got… I do. I enjoy. Casa Amigos, Patrone, usually the two go-to’s. Although I don’t know the brands and I don’t know anything about them, I also tend to recently been drinking a lot more mezcal drinks. But I don’t yet know anything about it. And you tend towards wines typically.
Leigh Ronczka (01:48.927)
I like to feel it.
Andrew Frost (02:00.737)
Okay.
Leigh Ronczka (02:06.638)
I’m a wine margarita girl, yep. And tequila is on the list as well, not gonna lie.
Andrew Frost (02:11.374)
Well, try that tequila.
John Verry (02:13.243)
And if you ask Lee for a recommendation on wine, it’ll be any boxed wine is a good wine.
John Verry (02:23.752)
All right, so, all class. All class. So, I think it was Andrew and I did a podcast in May. It was episode 118 for anyone who wants to catch up with that. That was focused more on what is ISO 27001 colon 2022, how does it differ from 2013, etc. So, if you’re looking for that kind of information, that’s a good episode to look at.
Leigh Ronczka (02:23.79)
John, you know me too well. I know, very positive.
John Verry (02:50.22)
In today’s episode, guys, I was hoping to take advantage of the fact that we’ve started to get some of our clients successfully transitioned to the 2022 standard. One of the things that’s always interesting is all standards are open to interpretation. Understanding how auditors are actually looking at the standard and what they’re emphasizing I think is really important for any one of our clients or anyone who’s listening that’s going to be making that transition. That’s what I’m hoping you guys can help me with today. Let’s just really briefly just to kind of set a floor.
Let’s just go over the most significant changes from 2013 to 2022.
Leigh Ronczka (03:30.574)
Sure, actually one thing I think we should back up and do mention John is with the clauses 6.3 for planning and operational requires how you plan changes, right? So there is one addition into the 27.01 clause area 6.3. Very subtle and it’s about managing changes to the management system, right? So one thing that’s really important is everybody has change control SDLC for the technical controls.
but you also have to consider how you’re managing the system itself, notification, people, onboarding, offboarding, services, larger things, business divisions, whatever it may be. So we don’t wanna lose sight of that. From the technical side, really, there’s not anything that’s so new to the world of IT security compliance. They’ve brought in threat intelligence, they’ve brought in configuration management.
information around security cloud, data loss prevention, data masking, web filtering, Andrew what am I forgetting off the top of my head? Secure accounting, ICT readiness.
Andrew Frost (04:38.934)
secure coding, physical security monitoring. But they’re all things that people were doing in most cases to some extent. That’s the key of a lot of this.
Leigh Ronczka (04:53.738)
Yeah, deleting information and monitoring physical environments.
John Verry (04:54.217)
It was sort of updated.
John Verry (04:59.36)
Yes, it’s your point, Andrew. It sounds as if from most people’s perspective, it’s really more just a formalization of the ways that you’ve probably already adapted 2013 to address the contextual changes in the world between the 2013 standard being adopted and the 2022 standard.
Andrew Frost (05:17.206)
Absolutely. Yeah.
Leigh Ronczka (05:18.166)
Absolutely.
John Verry (05:21.166)
Cool. So now that we’ve been through it, how significant are the changes that we had to make to key ISMS artifacts for our clients?
Leigh Ronczka (05:31.246)
So really the largest level of effort that we’ve done for our clients, obviously is how we do a gap analysis, right? So one of the artifacts that’s not called out that’s really important to this transition is your gap analysis, your transition plan, right? What are the new controls? Are they applicable to your environment? Are they operationalized? Are they not? What do you have to do, right? So that planning and transition is a large part.
understanding the involvement of them, updating your risk assessment so it includes the new numbering the new controls, right, you need to do the diligence to make sure things are not omitted that are applicable on your SOA. The SOA is probably one of the heavy uplifts from an artifact because it has new columns and new attributes that are defined by the standard. If it’s a predictive detective, you know, what’s the control type?
Other than that, the body of policies and SOPs and stuff we look at, it’s really making sure that they cover the spirit, the language of the new requirements that we’re actually doing stuff. So, in a lot of our clients, they do the things that are in the new requirements, they’ve just not documented. And as we’ve always talked about, ISO is, say what I do and do what I say.
John Verry (06:57.618)
us.
Andrew Frost (06:57.762)
I mean, I would say the one policy that almost all of our clients have to add is configuration management, because most people don’t have that documented. I think that’s the…
Leigh Ronczka (07:05.895)
minus-minus.
John Verry (07:09.28)
And Configuration Management, does that cover just like traditional Configuration Management, or is that tied into like the Change Management that you were talking about? When you were talking about the Change Management earlier, I got the impression we were talking about Change Management almost at the ISMS level itself.
Leigh Ronczka (07:26.21)
The configuration management is more at the technical level. Think of standard imaging, right? Baseline images, their hardened profiles. You’re knowing what ports and services are authorized to be running on your systems. You know what the authorized accounts are to be on your systems, right? You don’t want people going in there, changing configuration to meet their work needs, run separate services, run gaming stuff on their workstations for work, right?
So that’s really where the configuration management comes, to make sure that your assets have the secure profile that you expect them to have.
Andrew Frost (08:07.03)
to answer the other part of that question, 6.3 is the new control in the clauses. And that is literally, it’s a one-liner in the standard. It just says, you need to manage your changes in your ISMS. So for that, we’re usually just recommending like a one-liner in either the charter or the manual that says, you know, changes to the ISMS will be managed by the ISMC.
John Verry (08:20.856)
Okay. Gotcha.
John Verry (08:35.532)
Gotcha. What about the, were there many changes required of the scope statement?
Leigh Ronczka (08:42.938)
No, no, there really wasn’t. The only thing, and the way that we do our scope statement is maybe based on the new controls, there’s new key interface dependencies, tools that we wanna reference, because we do talk data loss prevention, we do talk threat intelligence, we do talk configuration management, so maybe there’s key systems that they wanna add in, but the actual scope itself does not need to change.
Andrew Frost (08:44.526)
now.
John Verry (09:08.428)
Gotcha.
Andrew Frost (09:09.882)
There’s one, I’m just thinking about this now, there’s one thing that they added into the interfaces and dependencies to say what, and I might forget the exact wording of this, it’s basically what requirements are gonna be managed by the ISMS for those interfaces and dependencies. And I don’t think it’s that important to add in there, but it’s a nice little,
week if you want to put that in there. Yeah.
John Verry (09:38.604)
You might get some on a nitpick. What about, did you find, I was very curious with some of the hashtags and things that they were doing. Did you guys end up making changes to the risk methodology?
Leigh Ronczka (09:41.035)
Yeah.
Leigh Ronczka (09:50.77)
No, not at all. Based on several conversations that we’ve had, specifically how C-Biz PivotPoint does it, we’ve always discussed how risk is a module, it’s a method, it’s open to interpretation. So the way that we do it, we always base the maturity on the actual controls of the environment. That’s what we base our risks on. And we have been very successful with all of our clients that we transitioned to 2022 version of ISO that have been audited. There’s not been any questions at all.
all the new controls are part of our actual process, they’re assessed, we’re good.
Andrew Frost (10:26.742)
But we are putting those attributes in the SOA now.
John Verry (10:32.624)
Okay, gotcha. And that’s why you mentioned that was such a big, that was a fairly heavy hand lift. Okay, what about any significant changes other than the content change to internal auditing, internal audit program?
Leigh Ronczka (10:47.103)
No, I think… Go ahead, Andrew.
Andrew Frost (10:49.346)
Well, I mean, the big thing that, and we mentioned this already, but the big thing that the auditors are gonna look for is a transition plan, how you did this change. That’s like the first thing they’re gonna look at and they’re gonna go through it. Like that’s probably the most important artifact for the transition.
John Verry (11:09.984)
Gotcha. And that’s that was the one that was specified in that was that IAF MD26. I always forget the name of that document. But that was something that we actually talked about during our first podcast that we thought was going to be the case. So it’s interesting. That’s when the first artifacts they love.
Andrew Frost (11:14.964)
I a yeah.
Leigh Ronczka (11:16.738)
Yeah.
John Verry (11:31.312)
So I think we actually covered a couple of other questions that I had. I was curious about specific artifacts that were unique to the transition and you’re saying it’s just the transition plan, correct? Gotcha. And then we talked about control attributes and you said that the auditor’s not necessarily looking for them in the risk assessment, but in a sense you sort of hijacked that.
by putting them in the statement of applicability, in a sense, if we’re applying a control, you are applying the control attributes at that point, right? There is a mapping control attribute to risk assessment effectively.
Leigh Ronczka (12:08.222)
Yes.
John Verry (12:09.664)
Was that a point of conversation at all? I was curious as to what they were going to do this year with that.
Leigh Ronczka (12:14.39)
No, it has not come up from the client side. It has not come up from the external auditor side. I know that when we’ve been doing the Uplift Me specifically, you know, I do reference it’s part of the new standard where it’s identified and there’s an expectation that we acknowledge it through our documentation and we actually put it in the SOA. It’s not been a point, it’s not a question at all.
John Verry (12:39.733)
Interesting.
John Verry (12:43.128)
Did they emphasize control groups at all? That was another question that I was wondering what they would do with those.
Leigh Ronczka (12:48.93)
When you say control groups, what specifically is your point of view of a control group? Andrew and I actually were talking about this before we got online with you.
John Verry (12:56.736)
Also, if I recall correctly, and you guys have forgotten more about 2022 than I know, but the control attributes were more the hashtags that would, let’s say, specify things like whether a control was, as you pointed out, corrective or detective. But they had control groups that were around whether it was organizational, it was technology, people, and physical. Really?
Leigh Ronczka (13:07.661)
Right.
Leigh Ronczka (13:13.079)
Yeah.
Leigh Ronczka (13:19.652)
Oh no.
And no, that did not come up at all.
Andrew Frost (13:22.754)
So, I mean, that’s just the, that’s like the four subsets of the controls, basically. So, I mean, obviously it’s organized better when you’re going through an audit, it’s really nice because you’re actually looking at these things when you should be instead of like picking from different places. But…
John Verry (13:26.42)
Right. Yeah.
Leigh Ronczka (13:40.642)
Yeah.
John Verry (13:40.908)
So that was really the only way it actually influenced the process is really from an audit program perspective. Did it have the same effect both from an external audit and an internal audit perspective?
Andrew Frost (13:47.49)
Yeah.
Leigh Ronczka (13:51.95)
I think it did. So I’ve sat through external audits, I’ve done some internal audits, and I’ve done up lists, and I see the same value to Andrew’s point. It organizes things better. And actually, John, one of the things Andrew and I were talking about is one of the new controls, threat intelligence, you know, what did that really bring to the table? And what I was saying to Andrew from my point of view, that’s really discussing further in detail.
Andrew Frost (13:53.166)
Yeah, I agree.
Leigh Ronczka (14:18.274)
three existing controls that were already there under the 2013 version. It was maintaining the contact with special interest groups, all those alerts that come in. It’s your vulnerability management, your scanning program, how often you’re doing it, you’re doing patching. It’s really the alerting and monitoring. So what I’ve experienced with the external auditors when it comes to threat intelligence, they’re really taking those three predefined control areas.
and they really want you to dive more explicitly into your process of how you manage it, how you proactively manage it versus reacting when something’s discovered. So I thought that was really nice of how threat intelligence brought three existing controls together and allows you to take that deeper dive. You’re already doing something, but now you have the opportunity to explain it more.
John Verry (15:12.46)
When I think threat intelligence, that’s one of those interesting words and we talk about threat surfaces and we talk about vulnerability, they all kind of are different sides of the same die, so to speak. But when I think of the threat intelligence, and I think about proactive, I tend to think of more not only being aware of our threats that we’re in control of, but those that are outside of our domain.
Leigh Ronczka (15:14.934)
Mm-hmm.
Leigh Ronczka (15:29.432)
Yeah.
John Verry (15:41.024)
Did they dig in at all into things like dark web monitoring and things of that nature?
Leigh Ronczka (15:49.494)
You know, there were examples like that were brought up. So what we’ve seen from our clients is, it’s the communications, it’s the reviewing things, is it something that impacts their environment? It’s the dark web monitoring, it is the IDS, it is the IPS, it’s about being proactive, being on webinars, going to seminars, staying in touch with the government, SANS, US CERT, right? What’s coming, what’s trending, what are we seeing?
even to the point AI came up as an emerging threat with all the unknowns around it. And we know that’s a hot topic today.
John Verry (16:29.784)
Do you think that there’s an expectation that you’re doing something like dark web monitoring? Is that something that someone’s going to end up with an OFI if they don’t have something in place at this point? Do you think that there’s an expectation that you’re doing something like dark web monitoring?
Leigh Ronczka (16:39.054)
I don’t think that you’ll get an OFI on it, right? Because ISO is not prescriptive when it comes to it, but I think it’s a good conversation point that auditors and consultants can bring to the table, specifically what your environment, what your business service line is, how critical is it, and do you do more privacy work and collect more PII versus are you in an environment that does more work that has public data, right? So there are…
elements that could come into play with the dark web monitoring when it comes to your user IDs, passwords and other access points.
John Verry (17:19.5)
I’m curious on the configuration management front. Configuration management, 10 years ago was largely an internal function. Now, it is, or 15 years, whatever the number is. Now as we’ve gone much more towards SaaS and we’ve gone much more cloud, configuration management is a much broader topic. How much did they dig into the configuration of SaaS, cloud, et cetera?
Leigh Ronczka (17:49.538)
They didn’t dig into service providers as much as what are you doing to manage the assets themselves and how baselines are maintained, how they’re changed, how they’re approved. You know, they use examples of clients, are you running Puppet or NinjaRMM, like to go out and scan your assets. Are they meeting?
the guidelines or do you have to roll back a configuration because something was changed in an unauthorized manner? One of the things that I experienced specifically on that topic was the external auditors were not approaching clients with a heavy hand around the controls because they are new and they wanna have the conversations, understand what the baseline is first and let companies start to mature and determine what level of configuration management they have to go to.
in the next two years.
Andrew Frost (18:46.99)
That’s a really good point. No, that’s a really good point. You know, they’re not, like ever, it’s new to everybody, including the external auditors. So we’re all kind of feeling our way around it a little bit and taking a little, maybe the auditors might be taking a little bit of a lighter approach to, you know, what exactly they really want you to do. But I mean, and you can always argue ISO anyway, because it’s not prescriptive. Like,
John Verry (18:47.166)
Andrew, what are you seeing there?
Andrew Frost (19:15.766)
Well, it doesn’t say I have to do dark web monitoring or I went back to that, but, you know, maybe it might be better if you do that. So, you know, third.
John Verry (19:31.904)
Yeah, there’s a…
Andrew Frost (19:32.194)
They’re just not digging that hard yet.
John Verry (19:35.04)
Yeah, that’s interesting to me. And I’m starting to wonder about whether they should be. And we had an internal conversation recently, at least I think it may have been on the thread. I had a conversation with someone there ISO certified. They just had a near scare from a business email compromise perspective. An email was compromised, but they had good monitoring. They were able to get it addressed right away. And the question was is,
What is an external auditor and what is an internal auditor’s responsibility? Digging in a little bit more deeply into some of the controls for risks of that nature, right? So I don’t think any of us could argue that business email compromise is you know social engineering is Arguably one of the single greatest risks that we should be looking for You know this organization was on a Microsoft plan that had a safe links as an example and didn’t have safe links enabled You know, so I’m curious is from your perspective, you know a should
in order to be asking a question of that nature? I think we could almost call that table stakes at this point in time for a high risk organization. And B, you think that we’re going to see them do that? And C, should we be doing that as a, you know, when we’re doing internal audits on our clients’ behalf?
Leigh Ronczka (20:37.55)
Come on.
Leigh Ronczka (20:45.742)
So I think if we even take a step back a little bit from that, John, I think fundamentally the most important thing is making sure consultants and auditors all actually understand the control and reading the guidance that goes to the ISO requirements is very valuable, right? I think that’s the first critical point that should be brought because different people have different expectations, different experiences, no auditor audits the same way.
you come from a very highly regulated environment that does not translate to ISO, right? It just doesn’t. So you have to understand the environment. You have to understand the control, the guidance of what they’re looking for, and obviously right size controls that are applicable to your environment where the return on investment is appropriate, right? You’re not going out and spending a lot of money on best of breed systems that you don’t need to do for the size of your organization. So I think that’s fundamental.
I do think it’s appropriate to ask the questions, you know, should you be doing dark web monitoring? Can you do it? Do you know how to do it? Is it something you can build on your security roadmap? I don’t think it’s something that I personally would write up in an audit report unless it was a very mature industry, ISMS, smaller companies. You know we do a lot of work with a lot of smaller companies. I don’t know it’s necessarily their wheelhouse.
Is it something that there’s a third party that, you know, they could hire at a reasonable cost to do that monitoring for them? That would be an obvious tabletop discussion I would have with them. And I think as time goes on, it probably will become a much more prevalent conversation to have because we do see data breaches on the increase, right? There’s no getting around to that. We have more data in our environment.
data that does not get deleted, it’s there forever, right? So you have more exposure, more risk. So I think just by nature of our business and the way that technology is moving and the amount of data, how it grows exponentially every day is absolutely a vital conversation to have. Andrew, your thoughts?
John Verry (23:02.undefined)
I’d be interested in your thoughts more on 365 specifically. I’d like to hear your thoughts on it.
Andrew Frost (23:02.154)
I-I-
Andrew Frost (23:08.267)
Unway.
John Verry (23:09.464)
Office 365, that specific example that I gave. Because I do think you can make an argument that’s not, that’s an example. If they didn’t have multi-factor authentication, multi-factor authentication is a configuration management. I don’t think any of us would not lean into a conversation about, guys, you really need to have multi-factor authentication enabled. We all agree that despite the fact that it’s non-prescriptive, we have to take a risk-based approach.
Leigh Ronczka (23:09.81)
Office of the District of L.A.
John Verry (23:38.62)
lack of two-factor authentication, we’d all agree is inappropriate. In 95% of the organizations we’d have to do business with. I’m just curious as to where that line gets drawn because business email compromises such a significant risk. Where do you think the line is and then where do you think the obligation of the internal auditor and or the external auditor stops with regards to that? Is it just leaning into the conversation? Is it just leaning into the conversation and suggesting it’s an OFI? At some point, given the risk, it’s
Is it a nonconformity?
Andrew Frost (24:10.158)
So I can’t see how you could ever make it a nonconformity following ISO because ISO is not prescriptive and technically they’re doing what they determine that they should be doing. Unless their risk register is wrong and they miscalculated or something. But they determine their risk, they determine what controls that they wanna have in place. But I can definitely see a case for an OFI.
because this is how they can improve their program. And that’s what an OFI is. That’s, you know, here’s how you can be better than where you are, but you are following the standard as far as I can evaluate it.
John Verry (24:53.216)
Yeah, I think you can make an order. I think an order, what is the term they use? Professional judgment and experience, I think is the term that they use. But I mean, if somebody said they had no locks in the door and all passwords had to be three characters long and start with A and end with C, I think that we would all agree that there’s a nonconforming there because you’re not effectively managing risk, right? There’s something wrong with your risk management program if you accept that risk. So I know that we’re talking about shades of gray here.
Andrew Frost (25:15.393)
Yeah.
John Verry (25:22.964)
I was just curious as to how far up or down. So I do think an auditor does have the discretion to say bullshit, right? But I think they’re very hesitant too. I kind of feel like maybe sometimes as consultants and if we’re doing a consultative internal audit on their behalf, perhaps we should be prodding them to move further forward.
Leigh Ronczka (25:25.57)
Thanks.
Andrew Frost (25:28.833)
That’s a good point, yeah.
Leigh Ronczka (25:43.262)
We we call the we call the bullshit. You know well you know I’ve done it right. I’ve done it multiple times in my life so far at PBS. But I think another point as a consultant and I think more of a consultant and maybe less as an auditor right because an auditor is coming in to validate compliance and look for how you can strengthen controls. But as a consultant I think one of the consideration talking points is
John Verry (25:51.104)
I’m sorry.
Leigh Ronczka (26:12.086)
Do we know that those controls are there to be enabled? Do our clients know those controls are there to be enabled? Do they know how to do it, right? So I think one of the barriers that we go up with any framework is so many technologies, so many controls, we are not all experts in all areas, but it’s starting to compile those things, those control areas that are quick hits that cost little to no money.
to implement to have a more secure posture. And I think as a consultant, taking that approach is a win-win for everybody. And as a consultant, then when you go into audit, you’re aware of that and you make sure that conversation is had. And if you’re gonna write it up as an OFI, you explain why you’re writing up as an OFI. Strengthen your security posture, build in your roadmap. But part of it also, John, and Andrew and I talked about this a little bit earlier today,
is dealing with culture of change and restriction. And we were talking about some of the other controls and how you have to really manage that from the tone at the top, and you really need leadership to send the message that we’re doing this for a reason, to protect ourselves, protect the data, protect our clients.
John Verry (27:29.964)
Gotcha.
Leigh Ronczka (27:30.422)
and we run into that a lot.
John Verry (27:34.432)
Have either of you guys gone through a 27001:2022 transition with a SaaS company? I’m just curious as to what they were pushing on from a secure coding perspective.
Leigh Ronczka (27:50.126)
I have not, but from secure coding, what I have seen is really the focus on doing like, what is it, SonarQube scanning, making sure you’re up to date on the OWASP Top 10, making sure you’re giving the right training. There are the things that seem to be very common regardless of your environment, but if you’re doing any type of…
services and development around that, they’re pushing for that.
Andrew Frost (28:26.714)
And I think that’s an area that I probably always went down that, like, I don’t see any difference with that new control in the coding controls, because I’ve always asked all those questions anyway. But I’ve come from a coding background, so it’s a little bit different. And that’s like what Leigh was saying, like depending on your background, you might concentrate on different areas. So I’ve always gone down that road with the developers.
John Verry (28:26.824)
on the whole last one.
John Verry (28:57.452)
Um, so I’ll ask each of you, Andrew, first, um, you know, if you were chatting with somebody who was having a beer or having a tequila, uh, with someone asking the question, they’re getting ready to prepare for their 27001:2022 transition audit, uh, and they asked you for any recommendations, what would they be?
Andrew Frost (29:17.586)
Um, the very first thing is to make sure you have a transition plan, which we’ve said before a few times, um, that is key and it’s always going to be reviewed. Um, I think that.
Andrew Frost (29:35.894)
At least one of the controls that I thought of that we talked about a few times is data masking. A lot of people don’t realize that might not be applicable to them because when you read the control, it sounds like, oh, we have to do data masking of sensitive data. It’s really like a control that should be evaluated for applicability before you decide whether or not it needs to be implemented. And…
And that happened, I think, with one of the clients that Leigh was working with. Like during the audit, they actually, the external auditors told them, you can take this control out of applicability because you don’t have any legal or regulatory reason to have this, to be doing data masking.
Leigh Ronczka (30:06.583)
Yeah.
John Verry (30:24.332)
Yeah, with 2013 we used to see that sometimes with some of the 14 dot controls. You get some people that would say, you’re always a little awkward, does this need to be in scope, does this not need to be in scope? And often you’d have those conversations and like you said, even an external auditor might say, hey, you know what, you don’t really need this one.
Andrew Frost (30:29.314)
Mm-hmm.
John Verry (30:44.009)
Anything else, Andrew?
Andrew Frost (30:44.074)
Um,
I know they asked at least one of our clients during the audit, like, did you have any issues implementing any of these controls to kind of bring them down that road a little bit? And they were able to say, no, we were basically doing most of this. We just had to button it up a little bit and add some documentation and change all our mappings and all that. But it’s not.
In most cases, it’s not a huge lift. That’s really the biggest takeaway. It’s, it’s not as big as you would if you’re doing these things already, which a lot of our clients are. It’s not that big of a lift. It’s just making sure you, you have.
John Verry (31:31.872)
think the caveat is if you were already doing it and by definition if they’re our client they probably were because we tend to hold people’s feet to the fire a little bit more than the standard does by definition, right? All right, Lee same question. Yours is not tequila, it’s wine, but he or she failed. Yeah, you guys have your box of wine there and you’re chatting with someone. What would be your record?
Leigh Ronczka (31:34.942)
if you’re doing it well.
Leigh Ronczka (31:46.262)
Just a little bit more.
Leigh Ronczka (31:50.406)
Oh, mine’s wine, not margaritas. Okay.
my box of wine. I think the first thing is don’t panic with the new control and control language and really sit down and read through them. To Andrew’s point, data masking is a big one. A lot of clients panic like, oh my God, we can’t anonymize our data. What do we do? Our systems don’t do it. And the first question you have to say, do you have any legal requirements, contractual requirements that you have to mask data?
Second question is can any of your systems do it, right? And that’s gonna drive the applicability and how you have to handle it. Don’t confuse data masking with encryption. To Andrew’s point, when we went down this with an external auditor, because we didn’t know and we marked data masking in scope, right? And we documented the bolstering controls, to use that word, because it’s in the standards itself, we talked about encryption, how it’s everywhere, at rest, processing, and you know, just across the service wire.
And that’s when they came back and said, but you’re not required to do it. And we’re like, no, and we weren’t sure. So we were being very conservative. And they’re like, you’re not required. It’s not applicable. You’ve got great encryption, right? So because there’s encryption top to bottom, the auditors were very comfortable. I think the other thing is take a deeper dive look into data loss prevention. You don’t have to go out and put money into new systems, but look at what you have today.
One of the things I like to do when I go into audit is, okay, USBs are locked down, or you have to do whitelisted and encrypted USBs, but where are all the different points of access that you can have? And it’s just not connecting writeable media to your SB. Do you have to do VDI implementations for workers, contractor workers in other data centers, call centers, other parts of the world?
Leigh Ronczka (33:51.766)
where they can’t copy screens, copy data, or you’re monitoring your email. And my favorite one where I love to throw clients off, and I’ve only ever had one client say they do this, is we always talk about Windows-based assets and we never talk about the Mac stuff, and I love to bring in air dropping, right? The Mac, the iPhone, the watch, like where are your controls around that? Because data can still go there, like how are you blocking it? So when you talk about data loss prevention, because it’s not data loss,
program, right? Look at all the elements of monitoring you’re doing today, all your encryption, all your block, see what areas of data access points you have, where you’re sending data out or could export it and determine if you can put simple controls in place like doing secure in your email, doing PGP encryption, you know, little things like that will go a long way, right? And it’s not about giving the option.
to do it, it’s about configuring it so it must be done. Cause that data loss prevention, data gets out unauthorized access to something, you get a data breach, you get fined. The trickle effect to that could be huge. So I think to Andrew’s point, there was nothing really new in the environment or the controls, it’s just how they phrased them to make them more realistic in today’s environment.
Andrew Frost (37:21.652)
Something that we talked, that Leigh and I talked about earlier was, now I forgot what I was going to say, was how sometimes some of the controls can be implemented without technical controls and you need to be aware of that. Especially, we were talking about web filtering. So web filtering, like everyone thinks of, oh, you have to block certain websites.
Leigh Ronczka (37:39.658)
We’ll be back.
Andrew Frost (37:46.596)
You have to block everyone from getting to like all the any website with — on it or something. But that’s not the control could be a policy that says you’re not allowed to go to any of these websites. We’re not actually actively blocking them or you might just be blocking certain IP addresses that you know have ransomware or something. But it’s not it doesn’t have to be a full fledge.
John Verry (38:18.048)
Guys, thank you very much. I normally say, how would people get in touch with you? But they know how to get in touch with you anyway. You can get in touch with all of us at pivotpointsecurity.com. It’s andrew.tross.
Andrew Frost (38:18.592)
That’s important.
John Verry (38:50.414)
We look forward to chatting with you.
Leigh Ronczka (38:52.898)
Thanks, John.