Video: How to Approach ISO 27001 | Duration: 3680s | Summary: How to Approach ISO 27001 | Chapters: Introduction and Overview (15.375s), ISO 27001 Fundamentals (329.755s), Certification Process Explained (775.815s), Streamlining Audit Process (1116.865s), Q&A Session Pause (1244.4551s), ISO 27001 Flexibility (1266.67s), ISO 27001 Benefits (1600.31s), ISO Controls Overview (1824.0599s), Defining Project Scope (2058.135s), Business Process Focus (2169.115s), Risk Treatment Plans (2283.39s), Post-Certification Process (2402.6802s), LastPass ISO Compliance (2510.7898s), Practical ISO Implementation Takeaways (2713.725s), Q&A and Conclusion (3047.855s)
Transcript for "How to Approach ISO 27001":
Alright. So we are just at the bottom of the hour. We'll give it a couple minutes for folks to get dialed in. For those of you that are just joining us, we are giving it a couple minutes for folks to get dialed in, and then we'll kick off. Seeing lots of activity in chat. That's always exciting. Alright. I think we're gonna kick off. So good morning, good afternoon, good evening, depending where you are in this world. Thank you all for taking the time and joining us today. My name is Justin Sparks. I'm the director of governance, risk, and compliance here at LastPass. I've led global initiatives resulting in ISO 27001 certification, and specialize in building scalable, risk-aligned programs. I do try and bring a strategic, real-world perspective to implementing ISO 27001, from aligning controls with business objectives, to fostering executive buy-in and driving continuous improvement. I'm joined today by Mario Platt, our VP and CISO. And really, I'll hand it over to him for a quick introduction. Thank you very much, Justin. So for everyone, yes, as Justin mentioned, I'm the CISO at LastPass. So I run most of the security teams at LastPass, GRC being one of them. I've been involved in some way, shape, or form with ISO for about fifteen years now. Along the way, I also had the opportunity to collaborate with the British Standards Institute and contribute to a few of the standards myself, about ten, twelve years ago. And then I've helped many organizations, before joining LastPass and with LastPass, on making sure we get a good process certified.
And so today's session, obviously, we're gonna be going through the standard, but we also want to make sure that we make it more of a practitioner type of approach, so myself and Justin will be sharing some of our thoughts and approaches on how to do ISO 27001 based on our experience. Wonderful. Yes. So we have a jam-packed agenda for you today. We're gonna kick things off with an overview of ISO 27001, and walk through the certification life cycle. From there, we're gonna take a closer look at the different audit stages and really what each one involves. Next, we'll explore some audit nuances and share some practical tips to help your organization prepare. We're then gonna shift to how ISO 27001 can benefit your business, how to approach control selection, which is always important, and what the full ISO journey looks like from start to finish. We'll also highlight how LastPass can support you along the way. And finally, we're gonna wrap up with some actionable takeaways, and leave some time for Q&A. We also have some of the professionals from our team in chat that are ready to answer any of your questions throughout the conversation today. So we encourage you to ask those questions and be interactive with one another as well. So kicking things off, let's start by grounding ourselves in what ISO 27001 actually is and how the certification process works over time. At its core, ISO 27001 is a globally recognized international standard. Right? It sets the requirements for establishing, implementing, maintaining, and continually improving your information security management system, or your ISMS for short. At its core, it provides a risk-based framework. This is crucial. Unlike prescriptive checklists, ISO 27001 is built around understanding and addressing your specific business and security risks.
That flexibility is truly one of its biggest strengths, especially for companies where security is not just a function, but part of the product delivered to your customers. It can help guide your organization to identify threats, assess their potential impacts, and take practical steps to mitigate them through both technical and organizational controls. Importantly, ISO 27001 is certifiable. This means that external accredited certification bodies, more on that later, can come in and audit your ISMS, and formally confirm that it meets the standard. For many of our customers and yours, especially those in regulated sectors or large enterprises, this certification is more than a nice-to-have. It's really a key proof point of trust and maturity. So talking about the certification life cycle: when you first pursue ISO 27001 certification, year one is where the initial audit takes place. It begins with stage one, which is primarily a document review. Your auditor is gonna come in. They're gonna check to see if your ISMS is designed appropriately, and ensure that your scope is clearly defined. Ultimately, they're just checking to see if you're ready for the full assessment. That's followed by stage two. This is gonna be the deeper dive. It's a full-on audit. It's a comprehensive review of how your ISMS is implemented in practice, and whether it's effective in managing your risks. Once you're certified, it doesn't stop there. The fun continues. In years two and three, you're gonna undergo your surveillance audits. These are your annual check-ins to ensure you are continuing to meet the requirements. Each surveillance audit typically focuses on a subset of controls, specific corrective actions, or changes in the business environment. Finally, in year four, you're gonna have to prepare for your full recertification audit. This is the full assessment, similar in scope to the original stage two.
It's necessary to maintain your certification and demonstrate that your ISMS remains effective and fit for purpose. So in short, ISO isn't just a set-it-and-forget-it exercise. It's really a continuous commitment to managing risk, staying responsive to change, and maturing your security posture over time. So now that we've looked at the certification life cycle at a high level, let's take a deeper dive into the actual audit process and how to set you up for success. Starting with the initial stage one, this is your pre-audit stage. This phase is so often underestimated, but getting it right can make or break your stage two. First, it's helpful to be really clear about your ISMS scope. This is the foundation of your implementation. Misalignment here can lead to downstream issues, especially during audits. Your documentation should be not just complete, but clean and accessible. It's helpful to take the time to polish your documentation and policies, because inconsistencies or outdated references will certainly raise questions during the audit. I also find that it's helpful to consider conducting a self-assessment or a gap analysis against the ISO 27001 standard. This really helps identify your blind spots early, ideally before your auditor does. Oh, and also remember that there is a principle of trust but verify. I find that you might think something is implemented, but gathering evidence to prove it early is really, certainly helpful. The biggest thing here is you don't wanna assume a documented policy equals operational reality. Finally, I think it's most important to be ready to articulate your risk methodology. Auditors wanna understand how you're identifying, assessing, and prioritizing risks, and that what you're doing aligns with your stated approach. Moving to stage two, this will be your full recertification audit.
This is where theory meets practice. The auditor is now assessing whether your ISMS is actually working in the real world. Be ready to answer practical, real-world questions, not just about what your policies say, but how they've been applied across your business. You should expect evidence sampling. Auditors are gonna dig and dig and dig. They'll look into logs, records, tickets, meeting minutes, really whatever helps them verify that your controls are operational. Transparency here is key. If something isn't perfect, and let's be honest, no environment ever is, don't try and hide it. Show awareness, show action plans, and show ownership. The golden rule here is always link your evidence back to controls. This helps your auditor follow the logic, and gives some more confidence in your ISMS design. Surveillance audits in years two and three, these are annual audits again, often lighter in scope, but no less important. You need to demonstrate that your ISMS is not just maintained but improving. Auditors are gonna wanna see that the system is alive. It's a working system. Continuous improvement is a core principle of the standard. You're gonna wanna track your business scope and changes. If your company has entered new markets, launched products, for example, or even changed hosting providers or environments, your risk landscape has changed too. Make sure your statement of applicability reflects those updates. Lastly, nonconformities from previous audits, even minor ones, should be addressed. Partial fixes or deferred plans will raise red flags during surveillance years. So to summarize, success with ISO 27001 isn't just about passing audits. It's about building a credible, defensible, and evolving security posture. These stages will help you translate good intentions into verifiable controls, all while demonstrating to auditors, and really your key stakeholders alike, that you're serious about protecting information.
So at this point, it's worth clearing up a common area of confusion in the ISO 27001 journey: the difference between an accreditation body and a certification body. These two entities, while alike, play very different but equally important roles in the certification ecosystem. Starting with the accreditation body, you can think of this as the auditor of the auditors. That's how I like to phrase it anyway. An accreditation body is a government-authorized or formally recognized authority that evaluates and approves certification bodies. They set the rules and oversight mechanisms that ensure that audits are credible, impartial, and that they meet international standards. In other words, they make sure that certification bodies themselves are competent, consistent, and operating with integrity. In most regions, including across EMEA, each country typically has one official accreditation body. For example, UKAS in the UK, DAkkS in Germany, and ANAB in the US. Certification bodies, on the other hand, are the group that you're gonna actually work with day to day. A certification body is the third-party organization that conducts the ISO 27001 audit of your company. They're gonna be your main point of contact throughout the process, from stage one to full recertification. One helpful tip that I like to share is that it's always a good idea to ask prospective certification bodies who their accreditation body is. You'll find that reputable firms will be very transparent about this. They'll usually display that information on their website or on the certification itself. I find that knowing the distinction helps you ensure that you're choosing the right partner for your organization, and that your certification really carries the weight and recognition that your stakeholders are gonna look for and expect. Thank you, Justin. So now to give you a bit of context on this slide.
So, and this is coming from a practitioner perspective, having gone through this many different times before, there are two rules for audit club. You do not volunteer information you weren't asked for. And the second rule is the same as the first one. Right? Kind of keeping the theme with Fight Club. But let me be clear about what I mean. I am not suggesting lying to an auditor, as Justin was saying. I never did that in my career, and I never will. That's not a thing, and that should not be a thing. Part of what we do with management systems is really asking, can we withstand it, are we meeting the requirements or not, with a view of continuous improvement and making sure that we can go through the process. Now that also does not mean that every time we are asked a question, we should provide everything and anything we know about the context of that thing for the last ten years of the company. That's not what the question is. And, obviously, we need to realize that auditors are people like all of us, and they come with certain areas where they have a lot of in-depth knowledge and other areas where they may not have as much. So as much as you would want to make sure you provide that element of education, we always need to consider that the more you go into what I call the education business, right, so when you're looking at the auditors and you're doing a lot of work to educate them on what good cloud security looks like, if they don't have that prior experience, they may come into that conversation with a lot more questions that they may not be qualified to understand the answers to. And that's always a really fine line when dealing with auditors: making sure that we fully understand what the question is and that we reply exactly to what it is that we're being asked.
And it's the auditor's job then, if they believe that they do not have reasonable assurance that the controls are operating as they would expect, to ask more questions, and it's not ours to volunteer everything we know about a particular subject. So keeping things on schedule and tight, etcetera, really means focusing on the stakeholder preparation, and making sure that they understand these rules of audit club. And what I've done in the past is have different types of strategies that I use to prepare not only myself and my teams, but my internal stakeholders. So I shared here four different strategies that I've used in the past and that we use, some of them, at LastPass as well. One of them is stakeholder preparation documents. The way I usually think about that is really having a good view of, if I know my stakeholder works in engineering, I go look at all of the controls that are relevant to engineering, and I create a document that says, look, these are the controls you may be asked about. These are the policies you should bookmark, etcetera. These are some of the risks we have in the risk register that relate to your area. You create one document that is super focused on their own scope. It should come to about three pages. It gives them everything they need to know to prepare for the audit itself. Another strategy is to create evidence collection guidance. That's usually something that takes a long time in organizations. So the more we can provide clear guidance on how someone in procurement, HR, or engineering should provide the evidence, the type of things they need to do, the more it will streamline the process on their end, as well as having ways for them to validate evidence quickly. Another strategy is the creation of narrative documents.
So what I mean by that is, for instance, if we're looking at access control, we would create one document that walks the auditor through it. So access control starts with identity. This is how identities are provisioned. This is how we review access. This is how we delete them. And we just create a document that provides that whole narrative on how something works end to end. That works really well for auditors, because they don't see just separate pieces of evidence aligned with the controls. They actually have a narrative that helps them understand the thing better, and it also positions auditors to ask better questions, because at that point you've got everything written down on how it works end to end. And finally, another thing that is often not given all of the needed importance, in my opinion, is the scheduling. Auditors will usually want to optimize for their time. So they would prefer to have one part where we're only talking about access control. But access control in your organization may involve HR, IT, etcetera. So if you're trying to organize a period of one or two weeks where you've got all of these deep dives as part of the audit process, and a given stakeholder may be needed for ten minutes in that meeting and fifteen minutes in the other one, etcetera, it becomes really complicated to organize your internal stakeholders and make sure they're prepared to support that. So having a discussion with the auditors and your internal stakeholders on what's the best way to organize the overview sessions, such that we can make better use of everyone's time and be as efficient with the internal stakeholders' time as possible, is time that is well spent in terms of the planning process itself, and that will pay great dividends. Wonderful. Thank you, Mario. Just a quick pause for questions in chat. I've seen some really, really great ones.
Love to see all the collaboration and, of course, all of your wonderful questions, and I encourage you to continue asking them. The team's gonna do their absolute best to respond to all of them. So we're gonna switch gears back to a topic that I think is also very misunderstood, but often really powerful to understand and get right, which is a common misconception about ISO 27001. I've heard this so many times: that it's a checklist, or it's fixed requirements, or it's compliance requirements. The terms continue to float around in the industry. But in reality, the standard is a blend of mandatory elements and risk-based decisions at the end of the day. It is a risk-based framework. And you can tailor that to your organization's specific needs or context. So let's look at what's mandatory. These are the nonnegotiable components that every ISO-certified ISMS must include. These are the foundational pillars, from my perspective, of the standard. There was a question earlier about scope. So your ISMS scope definition, it really starts with that. This sets the boundary of your ISMS. You must clearly define which assets, processes, systems, locations are in scope. Your entire org, all of your processes, all of your products if you're a company that sells products, not all of that needs to be in scope for ISO. You get to determine which is in scope for ISO, and define that within your definition. It is also important to have your information security policy. That's your documented commitment to security. That has to be endorsed by leadership and communicated across the entire organization. Senior management must not just endorse the ISMS, but what I found is really helpful is that it sets the tone at the top. So they should actively be engaged as well. Their involvement, in my view, is a hundred percent a requirement.
Because ISO is a risk-based framework, no surprise, risk assessment and treatment processes are also a mandatory requirement. So you must have a formal, repeatable method to assess and treat risks. Your statement of applicability is gonna be your control mapping. It shows which Annex A controls (more on that later as well) you're implementing and why, or why not. Internal audits are a crucial portion of ISO, where you really should have a regular, independent review of your ISMS to verify compliance and effectiveness. Your management review is gonna be your periodic review from top management to assess performance, issues, and strategic direction. I mentioned continuous improvement earlier, and I'm just reemphasizing now that the ISMS should evolve over time. It's that active, working program for your organization. So this means tracking opportunities for improvement, and not just fixing problems. And then lastly, corrective actions are something that every organization should take time to do. Something goes wrong, taking the time to really deep dive into a root cause analysis and then take actions to prevent that very same bad thing from occurring, essentially to prevent recurrence, is certainly important. These elements are audited every time. So whether you're going through initial certification, a surveillance audit, or full recertification, your auditor's gonna be checking for these things. Now on the flip side of the coin, ISO 27001 can also be very flexible. You're gonna be expected to define the context of the organization, but really that just means that you're understanding your external and internal environment, your legal and regulatory obligations, business objectives, etcetera. You must also consider the needs and expectations of interested parties. That can include, you know, customers, regulators, stakeholders, really even internal stakeholders like engineering or legal, etcetera.
And finally, there's the Annex A controls. There are 93 of them in the 2022 version, which seems like a lot. But you really don't have to implement all of them. Instead, you can select the ones that are relevant based on your risk assessment and your statement of applicability justification. So, really, what it boils down to is that this dual structure, the mandatory requirements and risk-tailored controls, is what gives ISO 27001 its power and relevance. It ensures that baseline of governance, while still allowing your organization the flexibility based on your size, industry, and your threat model. One tip I do like to share is that during audits, be ready to explain not only why you've implemented certain controls, but why you didn't. The auditors are definitely gonna be interested in both elements, and that risk-based justification is equally important on both ends. Thank you. So another question that comes up a lot is why should you do ISO 27001? And, as with anything from a business perspective, the business should not be doing it if there's not clear value. As with anything else, it's going to take time away from the organization. Training, the audits, they cost money. It takes away time from developing products or servicing your customers, through the audit process. So everyone should have really big reasons on why they're doing it. But there are a few that are more kind of generic. One of them is obviously around the improvement of risk management and security posture. It provides really a good framework to ensure a holistic overview of security and its application to the context, because it has all of that risk-based approach that Justin was referring to. There are also elements on regulatory compliance support.
So particularly in Europe right now, we've been seeing in the last few years a big surge, the regulatory environment has been increasing. So things like NIS2, DORA, the Cyber Resilience Act, etcetera, they are all now expecting and mandating that security controls are in place and operating. So while being compliant with ISO 27001 will not make you directly compliant with all of these regulations, it is an amazing step towards them, because they all speak about the need of having a good security posture. And it is a great baseline if you were ever to deal with regulators, if they were asking questions. If you can show that you've based your approach to information security on a recognizable standard and an audit process, etcetera, it puts you in an amazing position to then deal with the deltas between things that are not covered by ISO and things that you may need from a regulatory perspective. So to give you an example, ISO does not say that you need to notify your clients in a particular time frame. But the regulatory frameworks do. ISO says you need to have an incident management process. You need to have identified parties. For the specifics of those, you can then lean on some of the regulatory requirements to complement how you implement your controls. So it's a good, kind of symbiotic relationship between those two things, the regulatory frameworks and ISO 27001. And also there's the element around business opportunities. It's a way for you to show your clients or partners that you put in the effort to have not only appropriate security controls, but that you are going through the process of being audited on them. So it provides a good level of assurance that you're putting the right controls in place.
And also, particularly if you are a company that is on the B2B side of things, so you're selling to other businesses, ISO 27001 and/or SOC 2 will typically appear as contractual requirements. So that tends to be one of the drivers for business opportunities. It's one of the reasons we had at LastPass as well. So in our contracts, we're required to keep some of those certifications. So largely, make sure that you are managing within your business in order to be compliant with the regulatory frameworks, and as a measure to improve trust from your clients and partners. Those are all good reasons why you should be thinking about being certified for ISO 27001. So the Annex A, and Veronique, hope I said your name correctly, is making an amazing point, which is, in prior versions of the standard, there was an expectation that the controls would all be applied. That has been changing in the latest versions of ISO 27001. But that is really where Annex A controls come in. So there's kind of a baseline of controls applicable across those four control fields in the latest version: organizational controls, people controls, physical controls, and technological controls. The job of building the ISMS is really seeing which of these are applicable to me, and do I need things that are not here? That is also part of making the risk assessments: just because ISO doesn't say you should implement a security control doesn't mean you shouldn't do it, and in the same way, just because it's in Annex A doesn't mean that you should do it. It should all be based on that risk assessment practice that we're talking about. So organizational controls are more, as the name implies, organizational.
So it's about the security policies, the risk and supplier management, asset inventories, and how we do all of those. It also includes business continuity. Remember that 27001 is not ISO 22301, which is the business continuity specific standard. So here in ISO 27001, the focus is really on the continuity of information security and not necessarily your wider business continuity process. You may be certified to both standards, but just make sure that you understand what is required by one and what you may not need for your purposes. There's also the people controls aspect: background checks, awareness training, mandatory training, and all of those. We have the physical controls. So if you have buildings, data centers, any of those, you should make the risk assessment to understand what are your security needs in that space, making sure that if electricity goes down, how will you recover, or how do you deal with that type of risk? And then finally, the technology side of things. So things like cryptography, access control, that LastPass plays a role in, malware protection, and then a number of other different technology controls, management of technical vulnerabilities, etcetera. And so, largely, these are the four kind of areas where controls are aggregated in Annex A, which is a complementary document within ISO 27001. But again, you don't need to do all of them unless your risk assessment ends up determining that you do. So that's the main message to pass on this one. One of the things that I think is amazing about it is thinking of ISO 27001 not as a destination, but what are the things along the journey. And what can you expect to learn as you think through that process from start to finish?
The first one is really, you need to make a business case. When we do these types of things, we're going to take attention away from the organization to focus on this instead of something else. So there's an opportunity cost. Whenever there are opportunity costs, the business should be very clear why this is important. So things like legal and compliance requirements, contractual requirements with your customers or partners, competitive advantage. If your competitors aren't doing it, maybe you should, maybe it's something that you can use to differentiate your service offering. And there are elements of insurance benefits as well. Any of you who may have cyber insurance, they usually ask you a number of questions around your security posture. And ISO 27001 largely aligns with the types of questions you would get asked from an insurer. So it provides some amazing benefits in that space as well. With regards to the next stage after you make the business case, it's really defining the scope. In terms of defining the scope, we should think about what we are trying to achieve. If it's just one part of a business unit that requires it, maybe that's a good place to start. If it's something that, due to not having amazing segregation between different business units, would make it very complicated to try and just carve out one part of your organization, then it may make sense to think of it that way, in terms of what will enable you to go successfully through the audit process. Also locations and geographies. Maybe you need Portugal certified, but not Australia for some reason. Maybe it's a specific requirement.
So you should always be going to meet what the business case says, and define your scope around that. Obviously, covering your whole company is never a bad thing. So, all else being equal, I would always suggest doing the whole organization, but things are usually not all equal. So there are elements on how you go about defining some of that structure. Then after you define scope, you need to go inventory your assets and assess your risk. That's where you should start with business processes instead of IT systems. And that's something that I see a lot as a challenge in how companies approach ISO 27001. Focusing too much early on the technology side of things is usually not the best practice, because we tend to then over-rotate on the technology control side of things, when a lot of it is about business process, ensuring that we've got the right checks and balances on things, which usually involve both humans and technology. So starting with business process is a tip that I would suggest. There are elements around tiered risk assessments. You can use templates. You should always try to link your threats and vulnerabilities to your controls. That's the element of risk assessments. I'm worried about malware infections. Now, my users access systems through web channels and email, so do I have any protections on those? So it's kind of that risk assessment of understanding how our people are working, and in that context, what controls do I have in place? And one thing that I would always suggest as well, when you define any of the controls for your statement of applicability and as you go through, is to always start from the first minute thinking about how you're going to measure it.
Because it's very easy to say, I want to have control x, y, or zed, and then you don't consider the measurements. And then later in the game, when you've got a whole bunch of controls, etcetera, things become much more complicated. So starting from that point of view of "I need to be able to measure whether this has been successful or not" will really accelerate your whole process. So that's the first part of the journey. Then there are another three steps, as we're working it down here. So after you do that, identify assets and risks, then you define your statement of applicability, right, and your risk treatment plans. So as I mentioned, you don't need all of the controls in Annex A unless you do, right, unless you do the assessment and you actually determine that you need all of them. And you should always have very clear and justified applicability decisions. To give you an example, if you don't have a physical office, right, maybe those physical access controls, you may not need to have a lot of them. Right? You also have to make sure that, from your supply chain, if you use cloud providers like GCP, Azure, or AWS, you know they already have a number of assurances in that space. So you may not need to develop the physical security component of your ISMS that much if that's not something that is part of your context, to give you an example. So then you need to tie all of those controls to risk treatment plans. You need to ensure that it's version maintained, etcetera, because the SOA, the statement of applicability, is something that you're going to need to publish, and a particular version of it is going to be referenced on your certificate. So it's a document that you very specifically need to be very good at version controlling. And you should define approaches that really speak to both the framework and the audit process.
So it's something that, yeah, you should always think about: how will this control be assessed by an auditor? Right? Having those things in your thinking will make sure that you prepare your controls better, and a lot of things fall into place when you take that type of approach. And then, after you determine all of those things in the risk treatment plans, you need to actually go and fix all of those things that you've identified as needing fixing. Right? So there are elements where you're gonna need to create some templates, for management and internal audit reports, for instance. You'll need to create policies and procedures. Policies and procedures are particularly important in ISO 27001. Right? So you're going to be developing a lot of procedures, if you don't have them already, to ensure that you meet the requirements of the standard. And all of the aspects around project management are really important. If at all possible, getting support from a technical project manager or a project manager on the program would be amazing, because, I'm gonna be just slightly controversial here, security people are not the best at planning, as a general comment. So I think any support that we can have on making sure something goes end to end in that sense will pay off, if that's the type of support that you can get. And finally, there's the audit process. I've already talked a bit about stakeholder preparation. Doing mock audits is also a way to prepare your internal stakeholders. And know that at the end of all of that, you're probably going to have identified opportunities for improvement that your auditor will mention. It may identify some minor nonconformities, hopefully not major nonconformities.
And you will be required to make sure that you capture all of those and that you show continuous improvement for your surveillance audits, etcetera, that come in the future, as Justin was telling us a while back. So after you do all of this and you go through the audit, that's when it will be finished. You will receive your certificate, and then you can start doing all of the changes on your marketing websites, talk to your customers, and talk about the great work that your organization has been doing in that space. So that's kind of the journey from start to finish. And then, obviously, there's continuous surveillance, as Justin had mentioned before. With regards to LastPass in particular, there are some areas where LastPass can help. There's no control within ISO where, just by having LastPass alone, you'll be automatically compliant. Right? But there are many areas around the ISO standard that are supported by a good implementation. So for instance, encrypted credential storage with regards to storage media, protection of information at rest. We help meet that with our zero-knowledge architecture, so we never store client passwords. That's not something that we have access to, because of the architecture of the product. And there's a lot of things in A.5, which deals with some of the access control components, where LastPass can help a lot. Password generation and reuse alerting is one of them. One of the requirements of ISO is that you've got some complexity requirements within how you approach passwords, and you can automate that process with the security score. You can see if people within the company are using passwords that will give them a lower security score. Yep. And you can use those types of things to do continual improvements within your company. There is role-based access and policy enforcement.
So in our product, we can define policies for each of your individual Active Directory groups, for instance, if that's what you wanna do. And you have the granularity of defining those types of policies depending on, for instance, you may have your people with access to crown jewels with tighter policies than someone that does not do that type of job. Right? So you can differentiate between the different levels of risk that different parts of your organization may pose. Also, in terms of information transfer, one of the key features of the product is the enablement of secure sharing with other people. So things that are credentials like root accounts, right, there's no way to not have them. Right? So those credentials that end up really needing to be shared, where just named accounts are not possible, you can use LastPass to do so. If you need to exchange passwords externally, you can use all of that. So we provide some benefits in that space. Also, in terms of logging, you can integrate LastPass with your SIEM or SOAR platform to ensure that you can respond to events. And finally, on the management of technical vulnerabilities, one of the features of the product is dark web monitoring. You can get alerts and notifications if your employees' credentials or weak passwords appear on the dark web or in any kind of public data breaches. So these are some of the ways the LastPass product can help support your compliance journey.

Wonderful. Yes. Thank you, Mario, for sharing that. Some really great information about the start to finish journey and, of course, how we can help here at LastPass.
So I do wanna wrap up with some practical takeaways, lessons that we've seen play out in real-world ISO 27001 implementations across different industries, right, and company sizes as well. Before proceeding, I think it's important to highlight that when you choose to proceed with ISO 27001, you're making a continuous investment of both time and money. As Mario mentioned, the journey from start to finish is extensive. Right? Lots of moving parts, moving components, and, ultimately, you have to make sure the juice is worth the squeeze, pardon the reference. So first, I think a good tip in making sure that that is factored into the decision is: define your why. Right? ISO 27001 isn't just about compliance. It shouldn't be, anyway. It works best when it's aligned to clear business drivers, whether that's reducing risk, accelerating your sales, meeting customer requirements, which can help accelerate those sales, or really just entering new markets. If you connect your ISMS to your strategic goals, adoption and support across the business, even at the top levels of executive leadership, becomes a lot easier. Also, I know I've emphasized this a couple of times, but I do think it is of critical importance, which is getting leadership buy-in. Right? It can't be just a side project that's only owned by security or compliance, or owned in a silo. Executive leadership needs to champion the initiative. Right? That tone at the top. The why behind that is that their support is gonna help open doors. It's gonna unlock budget. That is always helpful, and it ensures that security is really part of your culture. Right? Not just a control function. One of my pet peeves personally is treating this as a checkbox activity.
I find that treating it as a checkbox is a common trap. Right? It's just something to pass the audit, but it's not sustainable over time. So if your ISMS isn't operationalized, it's not gonna stand up over time. So, really, what would be the point there? Right? But building it as a live system, one that helps your business manage risk, respond to change, make confident decisions, is really how that's gonna propel you forward. Design your controls based on risk. Right? Don't over-engineer them. I find that the devil's in the details there. Right? But start with a real risk assessment and design your controls to address actual threats and vulnerabilities that are relevant to your environment, really. This not only streamlines the effort, I find, but it also helps make the ISMS more defensible during audits. Again, the auditor's gonna probe to make sure that you're doing what you say you're doing. Also, you are gonna wanna focus on the life cycle, as mentioned earlier. ISO isn't just a once-and-done exercise. Plan early for maintenance, your internal audits, your management reviews, and your continual improvement. Build those routines into your team's rhythms, making it part of your culture. Right? It becomes part of how the business operates and not just this annual scramble to go through an audit, or to go through an initial stage one review. And finally, you do wanna choose the right partners. Right? When you select the certification body, 100% make sure that they're accredited, reputable, and ideally experienced in your industry and region. A good certification partner doesn't just issue your certificate. They're gonna challenge the way you think. They're also gonna share their insights and perspectives, which ultimately will help strengthen your program.
I do want to close with just one thought as well, which is that ISO isn't just a framework or a standard. It can really be a business enabler. It can help you drive trust with your customers, help build resilience for your programs, and credibility in a world where information security is now table stakes. Right? So whether you're just starting your ISO journey or you're refining or maturing your ISMS, I think it's important to remember to focus on aligning people, process, and technology to your real risks and business objectives. This is where, we believe, the value truly lies. And this is how ISO 27001 becomes a strategic asset and not just a compliance obligation. So with that, we have about ten minutes. I still see quite a few folks in chat. We have amazing questions as well.

Yeah. Lots of great questions. So thank you all very much for being engaged with the content and asking so many questions. Amazing to see. Yeah. Well, maybe take a few minutes to allow folks an opportunity to ask any burning questions. Feel free to ask a few more questions in the Q&A. We have the team in the background also responding. But I will take a few, Justin. Maybe we'll take a few and discuss them here while we may get some more. Yeah. I love that. There was a question that came through about insurance policy rates and if they are reduced when an organization is certified. So from my experience with insurance, it's always asked on the forms if you hold security certifications. And my understanding is that that does affect the policy, because from an insurance perspective, they've got the assurance that those controls are being verified, as opposed to not. Now what I would suggest is, if you are considering insurance and you still do not have ISO 27001, ask your insurer about it. Let's say, look.
One of the things we're considering is potentially getting certified, maybe to facilitate that. How would that change my premium? Right? So I would highly recommend that you have that conversation with an insurer, because they can tell you then if there's additional value or a business case to go down that road. But it's an excellent question.

Yes. Fantastic question. I found one from Pratik here. Apologies if I'm pronouncing the name incorrectly. How do we manage adoption by colleagues without acting like an enforcer? That is a fun one. It ties back to that business enablement portion of our presentation, our talk, as well. Really, it's a delicate balance at the end of the day. I find that what's most helpful is asking a lot of questions. So not necessarily just taking the standard and the requirements that go along with the standard and saying to your colleagues or different departments or business units, here's what you need to do. I find that it's helpful to approach them more openly and define the why. Right? Here's what we're trying to accomplish. We're pursuing ISO 27001, which means we're taking a look at our controls. Asking the question, what do we currently do about x y z, access controls, physical security? Just getting a baseline understanding of where you currently sit. Maybe the other teams are already doing the very things that align with the ISO standard, and it just needs to be documented in a process or a policy. If, conversely, they're not doing the things that ISO requires, or it's not up to the standard by which ISO defines the controls that would be applicable to your environment, approach it as an opportunity for improvement. So more of a discussion topic around, hey, have we thought about doing things like this?
What would be the impact to your team if we were to switch or update a control by doing x y z, for example? So all in all, and to summarize, it's really about creating a strategic partnership rather than going to different teams and saying you must do these things. I find that if you really partner with them, make it part of their process, and make them feel a sense of ownership over the decisions and processes, it really helps get the buy-in.

Thank you very much, Justin. Agreed with everything you said. I would add to what Justin just said some practical situations that, hopefully, can help illustrate where I'm coming from. To give you an example, if your company had social engineering attacks in the past, right, you are probably not gonna have a hard time convincing people that they should know how to handle them. Right? So from that perspective, focusing education and communication on controls that people are already expecting, because they don't need to be told to be worried about them, helps build that credibility from a real-life risk management perspective. Right? So it makes it more probable that people will listen, because they understand it's something they're exposed to. Right? Another thing that I would mention is, to give a silly example, awareness training and the completion rates. Right? So if you build the reporting around your ISMS around, for instance, the different areas, right, engineering, sales, marketing, none of those leaders will want to be at the bottom of the completion rate in that file. Right?
So learning how to use these types of things to take a kind of gamification approach, such that the marketing leader can tell the sales leader, my compliance rates are higher than yours. Right? That pays a lot of dividends. Right? Obviously, you don't want to make it adversarial. Right? But using the reporting to drive the types of behaviors that you'd like to see around the company would be my biggest tip.

Yeah. Fantastic additional notes there, Mario. Certainly, I know we found that to be extremely beneficial here, even, so certainly helpful.

So I see another question that I would like to answer here as well, around business continuity. So, one thing specifically around LastPass. We have our platform, as we disclose it, hosted in AWS, and we have hot and warm sites. So if something was to happen to our primary platform, we've got the mechanism to completely switch the traffic to a different data center that is geographically over 100 kilometers from the main one. That's usually a generic type of requirement within business continuity. There's also another element that can be affected by policy. So that's again where LastPass enables clients to adapt the policies to their own internal risk appetites. For instance, if you log in to the extension at 9AM and you don't have a policy that needs to reauthenticate every six hours, right, that's configurable in terms of the session tokens, then that means that while you are authenticated, after you log in to the extension, even if our back end goes down, the autofill will still work, because that does not happen on a one-to-one basis. Once you authenticate, the extension has the information it needs to support the autofilling.
So even if the LastPass platform was to go completely down, as long as you have logged in to the extension, etcetera, you should not feel a loss in service as a result of that, at least for the amount of time that your session is valid. Right? And that's all configurable by policy. I hope that answered the question.

Yeah. If I can add to that too, Mario, one of the biggest, again, a big advantage to ISO 27001 is the controls around business continuity management. Right? So we are ISO 27001 compliant and certified. You can view all of the fun details on our compliance center on our website. But, tying it back to ISO, there are certain controls and standards within the framework that define how organizations like us must keep the lights on, as I like to reference it. So for us, it's not just about making sure that our people and processes are safe and secure, but it's also making sure that they're resilient and can operate in the event of adversity. So, essentially, if something were to occur and be catastrophic, how do we make sure that we're maintaining adequate service for all of you and all of our customers? It could be set across the business for many organizations that are similar to ours. Right? So I guess tying this back into the main point: ISO helps you establish what you need to do from a business continuity perspective, creating a business continuity plan, a business continuity policy, your business impact assessments. All of these are foundational elements to making sure that you keep the lights on. So it is something that we wanna make sure we bake into our processes. So with that, I think we're at time, so we are gonna wrap up. Thank you all so very much for spending some time with us today.
I hope you all found good value in this conversation. And, Mario, closing thoughts?

Thank you very much for attending. We hope you took something useful out of this. A lot of it is based on my own experience and Justin's experience of doing this for many different companies. And we wanted to not only be able to answer all of these questions, but also try to make sure that we provide actionable tips that you can use in your own journey. So I hope that was useful. For everyone's awareness, we will keep tabs on the questions that came in through Q&A, and we will endeavor to respond separately after this event. We will probably do that within the next week or so. So thank you all very much, and thank you for attending. Hope you enjoy your time. Take care. Bye bye. Thank you.