We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

Posada del Faro in Jose Ignacio, the site of some big-brained moments last week

Building in public is not a novel idea but I have only seen it tried a few times. For it to be effective, it requires near total transparency and a rigid schedule of updates. Treat the readers as investors in the company, and give them access to semi-private data points as if they were employees.

The primo example of building in public is Tyler Denk, the founder of beehiiv, the platform used to send this exact email and that competes with juggernauts like Mailchimp and Substack. Tyler and I are not connected (yet) but I feel that I know his vision for beehiiv on a personal level thanks to the openness he has communicated to his followers through his newsletter.

beehiiv is nearing $10M ARR and announced its Series B just last month. If you like this style of entrepreneurship, I recommend you subscribe to Tyler’s newsletter Big Desk Energy linked below. 👇

Big Desk Energy

startup insights, stories, and vibes sent to your inbox every Tuesday

Subscribe

Building in Public

Lesson #1: You are the company, and the company is you.

Previously, if you made a mistake, you have the air cover of a bigger machine that guarantees payroll every two weeks. Now, the company is a reflection of what you put into it.

Suddenly, work is very personal.

It is not only gambling on your knowledge and your ability to succeed. It is betting that you can create something iteratively different and that the customers within your target market even want something different.

A good friend (CG) shared this quote, and it captures the essence of this phase of building that I refer to as the fake it till you make it stage.

Call it assembling the plane while you are flying it, or whatever.

This shit is hard.

These last few months and in states of panic, I attempted to isolate what exactly was unnerving about starting Mastermind. My anxiety was not rooted in one specific thing, but rather an unconsciousness, or, better said, the things that I did not know I needed to be worrying about.

• S-Corp vs. C-Corp vs. Single-Member LLC but the last one is a “disregarded entity”

• Do I need a registered address or can my house be the principal location?

• How do I decide on a color palette and a brand guide?

• Why did Chase bank only give me a $3,000 credit card limit?!

Building in public is about sharing the behind-the-curtains moments. When things look well-constructed, this open newsletter format shows readers the Instagram vs. reality.

The company launch video required 3 weeks of edits with a designer in India. Completely worth it, but sending ACH payments over Wise when Mastermind has no revenue is not for the faint of heart.

Other expenses you can expect if you decide to take the founder’s plunge:

• GoDaddy/WordPress: $239

• Letterhead: $420 (designer in Pakistan)

• Swag: $554 😎

• QuickBooks: $622

• Registration Fees: $624

• beehiiv: $767

• Insurance: $2,723

• Website Design: ~$4,000 (developer in Indonesia)

• Professional Association Membership: $5,000

The above is a tiny sample of these initial expenses. As of this writing, we’ve spent $35,000+ starting this thing before collecting our first dollar.

But, we did it.

It’s here, and it’s launch week.

Whether you are a personal friend, an old coworker, a customer, a competitor, my parents, or you stumbled across this newsletter on your LinkedIn feed amongst so many truly humbled connections, thanks for giving a shit.

Now, let’s go make a million bucks.

David 🧠

ISO standards are all around us, and it's overwhelming to comprehend the sheer scale that these documents have embedded themselves into our everyday movements.

• Interested in fair trade chocolate? There’s a standard for that – ISO 34101.

• Required to submit CPE every few years to maintain that license? ISO 17024 is to thank.

• Not sure about scanning that QR code to pay for parking? ISO 37180 wants to enforce minimum security requirements for QR technologies impacting consumers.

•  And, a long-time favorite, ISO 8601 thinks that the first day of the week is Monday – mainly to provide consistency across systems and regions where the representation of dates and times is critical.

In fact, ISO has published over 25,000 standards, crossing this milestone for the first time in 2023.

Toblerone was forced to drop its logo of the Matterhorn in 2022 after it moved its production facilities to Slovakia putting the iconic image in violation of the Swissness Act designed to combat selling counterfeit Swiss products.

It’s similar to the experience when you first discovered that there is an image hidden within a recognizable image you encounter daily, such as a popular brand logo like Toblerone (find the bear). Or, even a third meaning beyond the second image – that bear is a nod to Bern, Switzerland known as the “City of Bears”.

ISO standards, in many respects, act as an invisible hand, but they have far less sinister intentions than a Big Brother seemingly perpetually surveilling you. As the name suggests, ISO is the International Organization for Standardization. Think consistency, repeatability, calibration. These are all positive attributes when attempting to define or mature processes, systems, and products that require interdepartmental, intercompany, and cross-border collaboration.

According to its website, ISO “brings global experts together to agree on the best ways of doing things, from making products to managing processes.”

As a group of experts in our subject matter, it is wise for us not only to be aware when these standards are at play but also to investigate the meaning behind the content and its defined boundaries to avoid ghost requirements. Commonly, we refer to this practice as understanding the source material.

For us to be students of the text, we need to know not only all layers of the requirements (more on that in the future) but by whom so we can learn their backgrounds and incentives.

By learning these behind-the-curtain topics, we will combat the trend of checkbox auditors and practitioners akin to soldiers blindly following their general into danger.

Stay tuned.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

In our quest to understand the source material behind ISO standards, let’s start with the very basics: what do we mean when referencing ISO?

ISO is an acronym for the International Organization for Standardization. Contrary to popular understanding, “ISO” was never short for “International Standards Organization” or a similar sequence of words, even in an alternate language than English. Commonly, American practitioners will say that the long name of ISO translates into a phrase that can be abbreviated as “ISO” in the French language due to the location of the Central Secretariat, but the acronym would actually be “OIN,” short for “Organisation internationale de normalisation,” so that argument lacks validity.

And, if you want to argue the short name should be “IOS”– well, you will lose that battle too, as ISO has selectively registered “International Organization for Standardization” and the short name “ISO” as international trademarks while omitting registration of any other acronym variation.

If you are the type that spells out the acronym as I-S-O when talking about the entity or describing a standard like ISO 27001, the origins of the name will give you a clue on how to pronounce it. ISO is derived from the Greek “isos,” meaning equal. From here, it is plausible to think that the organization intended for the short name to be pronounced as a single word like “eye-so.”

ISO world headquarters in Geneva, Switzerland

Let’s triple confirm. Here is a 10-second clip from the 2023 ISO Annual Meeting in Brisbane. This is Vanessa Von der Mühll, who has been Head of Communications and Engagement at ISO for the past 4 years.

Debunked? Buckle up.

From an interview published in 1997 with Willy Kuert, a Swiss delegate who had traveled to London in 1946 to attend the meetings that originally formed ISO, he details the following:

“The first question that had to be settled in London was that of the name of the new organization. There were different proposals. The English and the Americans wanted “International Standards Coordinating Association,” but we fought against the word “coordinating.” It was too limited. In the end, ISO was chosen. I think it is good; it is short. I recently read that the name ISO was chosen because “iso” is a Greek term meaning “equal.” There was no mention of that in London!”

And, it appears we are back to our starting point. We may never know the original intent of the name, as modern-day ISO seems to be romanticizing the importance of the short name selection. This is probably a case of picking the name because it sounded cool.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

Let’s shed light on this somewhat closed-door organization, giving it a reputation akin to that of the Knights Templar or the Freemasons.

From its website, ISO is an independent, non-governmental international organization with a membership of 169 national standards bodies. ISO was officially formed over 75 years ago in London at the Institute of Civil Engineers during a conference of national standardizing organizations spanning two weeks from October 14 to October 26, 1946. Its headquarters, or the location of the “Central Secretariat,” would not move to Geneva until 1949.

When ISO was first formed, it happened immediately following the conclusion of the Second World War—an era where the winners of the world war were restructuring international participation and heavily influencing who would have a seat at the table. In fact, ISO originally blocked the membership of any delegates represented by neutral or Axis countries.

The formation of ISO was the unity of two preexisting bodies – The International Federation of the National Standardizing Associations (ISA) established in 1926 out of New York, and the United Nations Standards Coordinating Committee (UNSSC), which formalized two years earlier in 1944 with operations out of London.

25 countries were represented by 65 delegates at the London meetings that formed ISO in 1946.

From the memoir "Friendship Among Equals," the last surviving delegate of these London meetings was Willy Kuert. In a 1997 interview, he recalled, “The atmosphere at first was a bit uncertain! We were sizing each other up. We feared that the UNSCC didn’t want an organization like the ISA had been, but an organization which was dominated by the winners of the war. We wanted to have an organization open to every country that would like to collaborate, with equal duties and equal rights. The inch system and the metric system were also constantly at the back of our minds. There was an inch bloc and a metric bloc. We didn’t talk about it. We would have to live with it. But we hoped that ISO might provide a place where we could get consensus in this area.”

Modern Day ISO

Today, while there are fewer than 200 full-time, directly employed staff at ISO, there are thousands of volunteers and experts comprising the 169 bodies or “members,” further broken down into three tiers: member bodies, correspondent members, and subscriber members. Member bodies maintain voting rights, while correspondent members have more limited privileges, such as observing standards development meetings only, and subscribers are notified on an informed basis post-meeting.

From a standards development perspective, there are 800+ technical committees and subcommittees in operation across a range of subject matters, including information technology, health, transportation, sustainability, energy, diversity and inclusion, food, engineering, and government. China, France, Germany, United Kingdom, Japan, and Korea lead among all active member bodies as the most participatory within these technical committees.

It is important to note which countries are influencing standards today at the highest levels, as these are the same delegates that are calibrating and determining global requirements and rules for critical processes, such as artificial intelligence management, data privacy, and cybersecurity.

For example, the joint technical committee (JTC) 1 is chaired by ANSI, the United States member body, via Phil Wennblom, an executive with Intel. JTC 1 is responsible for authoring the current revision of ISO 27001 for information security management systems.

We will dive deeper into JTC 1 and its subcommittees (SC), especially SC 27, in future discussions due to this group’s heavy focus on development of the ISO 27000 series.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

Wait a second. We were told that implementing and certifying to ISO 27001 was best practice when considering benchmarks for information security.

In theory, it can be considered best practice, but only if your organization rigorously follows the governance aspects outlined in this International Standard. Let us explain.

Your opinion might differ, but it's crucial to highlight that the single most important requirement when setting up your management system for the first time is outlined in section 6 of this standard.

Let’s use the above requirement in the context of passwords. Every system and application had some form of authentication mechanism with the most common example being a username + password combo. If we take ISO 27001 at face value without applying the governance elements of section 6.1.3, this “best practice” standard states only the following:

That’s it. Those are the only requirements around “authentication”. In fact, the keyword “password” is not mentioned anywhere in the 2022 revision of ISO 27001, which actually might be forward-looking by JTC 1 since we are quickly moving to password-less authentication. In reality, technology frequently outpaces these standards as they do not receive major revisions but approximately once per decade.

For instance, an organization can meet both controls by implementing a policy specifying password requirements, such as an 8-character length using letters only and enforcing this configuration for all users. The policy does not have to address complexity, rotation, or prohibiting the use of recent passwords by the same user.

Supplemental Guidance from ISO 27002

If we look for further information, ISO 27002 says “when passwords are used as authentication information, strong passwords according to best practice recommendations are selected.” This standard goes onto to provide examples by stating not to use personal information (e.g., date of birth) or dictionary words in a password while suggesting the use of “easy to remember passphrases and try to include alphanumerical and special characters” while ensuring passwords have a minimal length.

At first glance, this seems to be basic password security, but even when considered collectively, it still raises questions. Why are we encouraging an “easy to remember passphrase”? That recommendation does not scream security.

Additionally, “alphanumerical” – in other words, a combo of letters and numbers – should not be a “try” but a must at all costs when that password is protecting unauthorized access to any system containing even the lowest levels of sensitive data.

Even if ISO 27002 had some defensible criteria, this standard is informative (i.e., guidance) only and is not required to be implemented by an organization seeking ISO 27001 certification.

However, if you were to re-read these control statements under the perspective of section 6.1.3 where the standard states controls should be applied while “taking account of the risk assessment results” then these controls inherit a completely different flavor. Now, we have to consider what these authentication mechanisms are protecting, such as the data stored within the systems being authenticated through this form of access control. If there is customer data in these systems, as an example, then an auditor can say that your organization may have met the most minimal requirements for authentication, but it failed to consider the risks of unauthorized access when designing its authentication policies and procedures.

This theme is just the tip of the iceberg. Following the risk will be a recurring theme as we delve deeper into the common pitfalls of implementing these global frameworks.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

It's 8:30 in the morning, and you and your coworkers are already in the office, venti-sized coffees in hand, ready to start. The team is never in the office anymore, and certainly not this early. Jason is out of character, seemingly rehearsing lines as if he is about to audition for a play, all while knowing he will be responsible for walking through employee onboarding evidence this morning.

You've circled the dates on your calendar for months, and then they arrive. Like a scene out of the 1999 film Office Space, the Bobs walk into the building's front entrance. You can see them from the window of the boardroom. The executives always claim this conference room, but they feel bad for the team that is about to sit through 4 days of interrogation.

This story’s antagonists, our road warriors

Maddie notices that the auditors are dressed in suits and ties. Did no one tell them that the company’s name is “Field Day”? Most of the staff comes to the office in athletic wear. Immediately, an inferiority complex creeps in, and the team starts flipping through their printout of the standard, wondering if workplace attire could be a finding.

The part-time receptionist is stuttering her words. You sat down with her 15 minutes earlier and walked her through the exact procedure she should have been following for the last 3 years of her employment. One hello, two who are you here to see, three can I see some ID, and four please follow the prompts on the iPad to complete sign-in. The door is open to the conference room, and you all sit quietly, acting like you are working on your laptop but actually hoping the weakest link in the chain doesn’t misstep before the audit opening meeting can even take place.

The Bobs chuckle. Phew, looks like they have some humor and semblance of humanity to them. We are off.

Jason hears the question and vaults his arm to the sky to wave at Bob 1 and Bob 2. Bob 1 returns a one-finger wave and tells the receptionist that it is that group in the conference room.

Of course, they are on your list. She pretends to click on her monitor while the Bobs are hovering over the ledge of the front desk.

Bob 1 shows his driver’s license. Bob 2 pulls out an employee badge with a picture and name issued by his company.

Curveball. Is this some type of test? Why did Bob 2 not show a driver’s license or maybe, and I mean maybe, a passport? Can we accept that employee badge as a form of identification?

Bob 2 returns a smirk to Bob 1 before returning his employee badge to his wallet.

Dang it, we got played. Was this a stress test? Is that in-scope? Are you really going to issue a finding to our part-time receptionist? She might actually cry.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

Every year, you hear about how an organization can prepare for ISO 27001 down to the sub-requirement level, but then bam! They get hit with some random topic chosen by their auditor on a whim – maybe it’s a flavor of the day.

And let's talk about auditors—they have this stereotype. They're seen as these compliance police carrying a quota of findings just to prove they did a thorough job. It's the reason why organizations, especially the mature ones, start getting frustrated when auditors are wrapping up and suddenly decide to dive deep. You're there, pointing to the same policy they've checked three times already, and then, out of the blue, it's like they've had a revelation. That annual user access review? Apparently, it's not "frequent enough" anymore, and now they're quoting ABC framework and some benchmark from their other clients. Hold up, are we being audited for more than just ISO 27001?

It's in these moments that irritation kicks in. It's like they're playing a game of "moving the goalposts." You thought you had the rules down, but in the blink of an eye, everything changes.

So, who is auditing these auditors?

In the world of ISO management system standards, a hierarchy of command is most simply expressed as follows:

An auditor may be part of an audit team overseen by a Lead Auditor.

The Lead Auditor ultimately determines a recommendation for certification, which is then passed off to a review committee within the Certification Body.

The Certification Body follows its own internally developed procedures in conformance with ISO/IEC 17021-1 and undergoes regular assessments to this standard by an Accreditation Body.

An Accreditation Body is a member of a larger group of accreditation oversight entities formed under mutual recognition practices of the International Accreditation Forum.

To bring it to life, let's go back to the scene in Audit Nightmares #1. Bob 2 might have a case to issue a physical security or visitor sign-in procedure finding to our fictitious company “Field Day”. However, Field Day may be able to defend their procedure. Does their policy explicitly require government-issued identification to be presented to the front desk receptionist, or does it only state a photo ID? If it's the latter, the employee badge that Bob 2 presented seems sufficient to conform to the documented process.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

On October 25, 2022, the first major revision to the popular ISO 27001 standard in almost 10 years was published, triggering the simultaneous withdrawal of the longstanding 2013 revision.

While revisions to these standards are not uncommon, the transition periods that follow these releases vary depending on the extent of the changes to the underlying criteria and organizational circumstances, such as whether a scope is currently certified or at an earlier pre-decision and award issuance stage via a certification body.

Make no mistake – this release meets the eye test for qualifying as a major revision, as the entire structure of the standard has been renewed to the latest Annex SL outline variant known as the Harmonized Structure (HS). Similarly, a consolidation of the previous 114 Annex A controls was implemented alongside the introduction of 11 net new controls. The result is a new look for this standard with a modern control set tackling more current risks (e.g., threat intelligence, IoT, IAM) affecting service organizations operating within public cloud.

To guide this transition or upgrade from the prior 2013 revision to the 2022 revision of the standard, the International Accreditation Forum (IAF) published its instructions in the form of Mandatory Document (MD) 26 approximately 90 days before the release of ISO/IEC 27001:2022. However, once the standard was published, feedback from accreditation bodies (e.g., ANAB, IAS, UKAS) resulted in a revision to IAF MD 26, extending some of these transition timelines.

When seeking out the source on these transition timelines, ensure you are inspecting Issue 2 published on February 13, 2023 – you can find this publication date within the footer of each page of this MD.

Let’s get to the brass tax.

1. If your organization is pursuing certification for the first time to ISO 27001, you can continue using ISO/IEC 27001:2013 through April 30, 2024; however, after that date, all certificate decisions for ISO 27001 have to be against ISO/IEC 27001:2022.
   
   Note: This is a decision date for certification, so please consider quality review processes and lead times required by the certification body before your organization schedules its initial certification to the old revision of the standard. It is wise to transition to the new revision (2022) now versus flirting with this hard deadline where your certification body does not have the authority to provide exceptions or extensions.
   
   

2. Likewise, for all currently certified scopes that are due for a recertification audit, that recertification audit must be decided on or before April 30, 2024, as well, if the organization intends to remain on the 2013 revision. Again, please initiate the discussion early with your certification body to ensure there is no risk to the schedule affecting both your live audit and auditor’s reporting timelines if you intend to remain on the 2013 revision. Our advice is to be strongly considering the transition to the 2022 revision for any initial certification or recertification audits scheduled as of January 1, 2024, or later.
   
   

3. And, the last scenario, which would include certified scopes that are not due for recertification in 2024. In this circumstance, the drop-dead date for transitioning to the 2022 revision of ISO 27001 is October 31, 2025, or 3 years following the last day of the month of publication. As of November 1, 2025, all ISO/IEC 27001:2013 certificates will expire.

Similar to recertification and initial certification timelines, it is wise to consider at least a 120-day buffer to this deadline of November 1, 2025, while understanding this date represents the transition period limit for undergoing a transition audit and receiving a positive decision from an accredited certification body before any existing ISO/IEC 27001:2013 certificates are rendered invalid and suspended.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

You have purchased a license for the new 2022 revision of ISO 27001, and, after a moment of converting the "CHF" currency to something more local, you are relieved that this expense report might actually go through without anyone questioning why ISO standards cost money yet again — ugh, a topic for another day. 😒

You skim the standard, and it appears that all the favorites, such as scope, risk assessment, internal audit, management review, and the ISO 27002 controls, are still there to some extent.

Maybe a few controls look removed, and there are a few newcomers — 11 net new controls to be exact. Oh, and some controls appear to be combined — 24 consolidated controls in this release.

So, what do you really need to do to prepare your management system for one of these transition audits from your certification body in the first 36 months after ISO/IEC 27001:2022 was published?

Let’s break it down using IAF MD 26.

Within Section 4.2 of these instructions, the IAF outlines actions of the CAB (i.e., conformity assessment body, but you can think “certification body” for our purposes).

1. Gap Analysis: What you see in this bullet point is the only guidance that certification bodies also have at their disposal. For this one, we are looking for anything documented via a form of self-assessment. We have accepted assessments performed through compliance SaaS platforms as well as a simple Excel workbook demonstrating a side-by-side of the requirements of ISO/IEC 27001:2022 and how the organization believes they meet the criteria. There are several open-source documents comparing the 2013 and 2022 revisions of ISO 27001 you can find with simple online searches if you need a starting point.
   
   Common pitfall: Organizations attempt to leverage their second-party audit (i.e., internal audit) for this evidence. Your internal audit activity should be limited to a verification mechanism that your system has upgraded to meet the 2022 revision and not performing this upfront gap analysis on behalf of the management system operators.
   
   

2. Statement of Applicability (SoA): New control set, new you. Frequently, organizations will apply the Annex A controls detailed explicitly within the ISO 27001 standard as a form of risk mitigation to inherent risks affecting their management system scope. If you fall into this bucket, your organization will need to re-map these controls since the ISO/IEC 27001:2013 standard is no longer applicable. Additionally, for the 11 net new controls, there will be extra attention on clause 6.1.3(d) to ensure that these controls have been listed, justified for inclusion or exclusion with explanatory notes, as well as represented by a documented implementation status.
   
   Pro tip: Stop relying on Annex A controls. Most of these controls are written at such a high level that purist security practitioners attempt to discredit the entire ISO 27001 standard before thinking about how these controls are intended to be applied via a risk-based approach and methodology. The most mature certified organizations have internal control sets balancing all of their compliance obligations and simply map their control sets to any ISO 27001 controls that they have justified for inclusion in their scope before going above and beyond the baseline control descriptions.
   

   
   

3. Modifications to Risk Treatment Plans, as appropriate: This one is probably the simplest of the 4 objectives explicitly stated within IAF MD 26. In simple terms, if you have any open risk treatment plans from prior cycles or previous reviews AND these plans have applied an Annex A control from ISO/IEC 27001:2013, these Annex A controls will need to be re-mapped to the control set within ISO/IEC 27001:2022. Your organization does not need to address this objective for already completed risk treatment plans. Then, of course, on a go-forward basis, ensure your organization is applying the ISO/IEC 27001:2022 control set for newly identified risk treatment plans.

   
   

4. Implementation & Effectiveness of New or Changed Controls: When we first read this objective, we were initially confused as this really feels like number 1 but maybe a follow-on action. Let’s call it number 1b.
   
   In essence, this is the next step after your self-administered gap analysis. You review the changes in ISO/IEC 27001:2022, decide where gaps exist, determine their severity, create an action plan, and ensure the minimum requirements are complete prior to an external audit. Your certification body has to obtain objective evidence that your management system has implemented the new standard, and this process flow of corrective action identification through to corrective action close-out is easy and defensible evidence to meet this objective.

And, for added bonus, this last item is not listed within IAF MD 26, but is hidden in the standard itself.

Yes, your certification body must also determine that the internal audit activity was executed against ISO/IEC 27001:2022 and cannot certify the scope to the new revision with this omission.

In summary, these steps feel intuitive for a major release but note that each of these items above will need to be supported by objective evidence in the form of documented information.

Breathe easy – this standard apparently only receives major updates once every 10 years.

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.

Great – at this point, we have determined the timeline for when we need to complete the transition of our certified Information Security Management System (ISMS) to the new 2022 revision. But what exactly do we need to communicate to transition or upgrade our certificate?

First, let’s recall our source material for this topic, which is IAF MD 26. This will serve as our reference file in case there are further transition topics we need to investigate.

Luckily, this counter is fake and you have more time to transition to ISO/IEC 27001:2022 as of this writing.

Next, how long are these transition audits?

It depends, but not all options are as cost-effective as their alternatives per the below:

• Option #1: Conduct the transition audit at the same time as your recertification audit. This option will be the most cost-effective, as your certification body auditor is only required to add ½ day to its audit plan. Likewise, you are knocking out this one-time transition audit in parallel with a required annual audit, limiting the time you need your staff to step away from their day jobs to address external audit inquiries.
  
  

• Option #2: Conduct the transition audit at the same time as your surveillance audit. You may not be due for a recertification audit, or the timing of your recertification audit in 2025 would put you right up against the hard deadline of October 31, 2025, to transition. If this is your scenario, you should still consider bundling your transition with a regularly scheduled annual audit (i.e., surveillance), but IAF MD 26 requires a full 1.0 day to be planned as supplemental time by the certification body auditor. This option is not as cost-effective, but you at least benefit from completing the transition at the same time as a related external audit by your certification body.
  
  

• Option #3: Schedule an out-of-cycle transition audit separate from the recurring annual audit of your ISMS by the certification body. This option is the costliest in terms of both budget and resources, as you are requesting your external auditor and your internal staff to be available for an ad hoc audit sometime throughout the year for a second time. IAF MD 26 requires the certification body to plan for a full 1.0 day for this transition audit; however, since this activity is not bundled with an annual audit, your certification body may have to charge additional fees compared to Option #2 due to the separate report it will have to generate vs. a few extra explanatory notes as a supplemental section in the annual report.

Do yourself a favor and plan ahead for this transition audit by engaging early and as a co-collaborator with your certification body on a plan to transition from ISO/IEC 27001:2013 to ISO/IEC 27001:2022.

This engagement does not necessarily mean your organization should transition early, but at least will force all parties to define a schedule to get this activity completed (and, hopefully, while leveraging Option #1 or Option #2, as both are feasible with preparation).

🧠 🧠 🧠 🧠 🧠 

We are all about creating awareness while poking fun. Will your team avoid the office with a 10-foot pole but is the last to leave the happy hour? This newsletter might be for them.