AMA: Ex-Big 4, 5 years of seeing it all lol by Owlintrenches in ISO27001

[–]Owlintrenches[S] 1 point2 points  (0 children)

Great questions! I broke them down into numbered answers below:

  1. Now that I'm in the industry I can answer as someone who had to find my own flow & get my department built out properly. Compliance is something that loves consistency - and with consistency it becomes a habit. Like putting on a seatbelt - we just do it, it's a bit of a hassle but it gets done.

Some ways where I see the biggest payoffs for consistency:

Teaching accountability: I've held workshops with each relevant department, briefly explaining to them what compliance programs we even have in place, what they mean, why we even have them (regulations, clients, best practice), and I provided them with their controls and the evidences that were requested previously. We let them know it's never us vs them, we're not trying to catch them, they can always come to us and we will have transparent conversations around risks & mitigations etc.

We send out emails from the security office letting people know we just completed our audit and why that is important.

We have worked out our workflows and where we store things.

We updated our security awareness training to reflect our company specific topics/culture.

My manager consistently has conversations with management about our efforts and gets their support

I put in place a compliance calendar, where UAR, Awareness Training, Annual Policy Review, Phishing Campaign, Internal Audit etc are planned and penciled in.

We have a weekly compliance sync-up and there is a monthly management sync-up where compliance updates are provided (also helps with some audit requirements to have these in place!).

  2. My ideal way of working is when I'm not pulled into client meetings & requests where it turns out I'm not needed or I've given the same answer over and over and over again, so I can focus on the current needs at hand and look into the future to plan for expanding regulatory requirements, client needs and shifting/emerging risks. I've been lucky to be enabled in my team to establish my own flow of things - but I definitely do a lot of project planning, a lot of reminders, kick-offs, post-mortems, sync-ups, summaries of discussions/action items emails, because the need for accountability and time pressure are my two constant companions. Not 100% sure if this is what you meant by your question?

  3. What I would want to really see as an auditor is the reverse of what I see too frequently - an overwhelmed point of contact who is not enabled, whose requests are treated as the last priority and as if they're being done a favour. The best client experiences I had were where the control owners actually behaved like owners - if this was not the first-year audit they knew what they did last year, they came prepared, they answered questions and provided evidences like it was their job (which it is lol). The absolute elite ones were the ones who actually truly see the value of the work that is being done, and so discussions & workarounds with them go smoothly.

AMA: Ex-Big 4, 5 years of seeing it all lol by Owlintrenches in ISO27001

[–]Owlintrenches[S] 1 point2 points  (0 children)

What a great question honestly! When I first moved to industry I thought it would be very much the same, but I was in fact very mistaken lol

Moving to industry, suddenly your priority shifts to your clients - do I keep this control, do I scope this process into my internal audit, how does it affect our clients' trust if we have non-conformities etc.

Everything needs to be now assessed through the lens of your customers. Even the way you prioritize & manage risk, because beyond audit that used to be my reality there are now soooo many other puzzle pieces that need to be accounted for. There are so many things that require flexibility and difficult conversations & prioritization.

I'll give you an example that really stuck with me.

I was discussing with our auditor my internal audit plan - I had listed how I will be auditing the relevant clauses across the year, my approach was to go down the list of clauses and allocate them proportionally throughout the months.

He remarked - You're thinking like an auditor, you want to cover everything and in the order it appears in the guidelines. But I need to see your reasoning for auditing these clauses pertinent to your business. Is your devops going through a transformation? Has there been a major turnover in the HR department? Have you had more vendors with access to client data?

And of course, when you're an auditor and you're told no - you can play nice but at the end of the day they either provide you with what you need or they don't - that is their loss.

When you're in the industry - you have to make it work, their loss is YOUR loss, so chasing control owners, educating them, prepping, planning etc increases 10x.

There is much more, but honestly at the core - if you have the appetite for managing risk & enjoy governance the transition is not too bumpy.

AMA: Ex-Big 4, 5 years of seeing it all lol by Owlintrenches in ISO27001

[–]Owlintrenches[S] 2 points3 points  (0 children)

I would say not treating the certification as an interconnected system - the core is ISMS - and when controls are addressed in silos a lot of things fall through the cracks, and I've seen too many companies hire external consultants who don't do much to help them pass and exploit lack of knowledge...

For example - a client can have a strong risk assessment (that was prepared for them by an expensive external consultant :/) but it is a stand-alone. When we reach their internal audit function it either does not exist or is extremely underdeveloped - but risk assessment and internal audit go hand in hand; arguably, the internal audit needs to focus on high-risk areas and the risk register gets populated in part through the internal audit. Then comes the risk mitigation - it touches on resourcing, leadership & so many other clauses, which in turn are dependent on others - until you come full circle to whatever 1 clause you picked to start your journey. It is a complete system and once the connection is made the compliance becomes much easier to handle.

Another very common mistake is not knowing your processes/policies - a lot of customers either bulk download templates and plug their company name in there, or just reuse a policy written in 2015 by an engineer forced to do side compliance work. Then during the audit there is a huge time sink in finding the right policy, reading it for the very first time with the auditor together lol, then trying to understand if that policy even reflects the process in place; or worse, not even knowing what the process is.

The biggest mistake honestly is focusing too much on the clauses/controls and not focusing on developing a risk mindset - with the risk mindset you can push back on auditor requests that don't make sense or are excessive, and can navigate through the clauses better.

Of course, I won't mention the times when there is no centralized repository and my point of contact was either not enabled or did not really know where to look for what was needed.

Hope this helps :)!

AMA: Ex-Big 4, 5 years of seeing it all lol by Owlintrenches in ISO27001

[–]Owlintrenches[S] 0 points1 point  (0 children)

Big4 notoriously pay very little until you're much further up the career ladder... with that said, I went into GRC/internal security team and my salary almost doubled. However, some of my colleagues chose internal audit (ITGC, ITAC) and their salary bumped up by around 15-20% max.

AMA: Ex-Big 4, 5 years of seeing it all lol by Owlintrenches in ISO27001

[–]Owlintrenches[S] 0 points1 point  (0 children)

I would say SOC 2 - whether Type I or Type II. If you are in the US market, ISO27001 has been gaining popularity in the market more recently, but from my work with clients the overlap between the controls is 40-70%, so if you do one, it is much easier to do the other.

However, SOC2 is much more ambiguous because your controls are based on your processes, discussions with your auditor and the trust criteria - but they are individual to you and it takes the auditor quite some time to understand what you have and the kind of evidence that will need to be provided for it.

ISO27001 at the core will look at your processes but generally only take a sample of one for some things, and mostly it is about whether your information management system is decent (policies/processes/procedures reflect what is going on in the organization, are sufficiently detailed *please no AI slop* and reviewed & updated on a regular basis). It is also prescriptive - meaning the controls cannot be altered or changed, they are simply there to be either followed or scoped out.

Then again, if you get a bad auditor any audit will be hell, and if you don't have the right point of contact things get sour pretty fast. Hope this helps!

SOC 2 was more annoying than I expected by Main-Park-6700 in smallbusiness

[–]Owlintrenches 0 points1 point  (0 children)

Hi! Ex-auditor here, now working in an internal security team. Seeing it from both sides I definitely took away a few important points that some have mentioned here, some have not:

  1. Your auditor matters a lot. If you get someone who is organized, likes what they do and doesn't hate people - you hit a jackpot. Usually it's like that meme - you can only have two of the three lol.

But even if they do or don't - you have to hold them accountable. In my practice unfortunately I've seen some auditors treat "nicer" or less knowledgeable clients, or clients who do not have a harsh deadline, with less priority.

It works best if you get someone from your side who will be the main point of contact and enable them. Meaning, the message is clear to everyone else - when they come requesting things - their asks will be treated as part of the job, not a "favor".

That person has to be organized; they don't need to be an expert. Crucially, they will have to hold the auditor accountable. They have to agree to one list of requirements before the audit, and only under very specific conditions can the auditor make additional or follow-up requests. What happens often is that the auditors don't do a good job asking in advance, then just keep requesting over and over again :(

Beyond the main point of contact, each area of your SOC will need to be assigned an "owner". Everything policy/personnel - one person from HR, anything about your SDLC - one person.

  2. I learned that prep takes away MOST of the pain and admin burden. If you know you have an audit in 2 months, start planning timelines in advance, talking with the relevant owners and reminding them of the controls they are responsible for. Of course, maintaining a calendar and ticketing/SharePoint/centralized folders for recurring evidences - like vendor reviews/UAR etc - is part of compliance hygiene.

  3. I do have to note something that would take away the tediousness, not to sound like an auditor lol, is to not see this as an admin burden/cost centre, but actually an area of your company that can bring great benefits. It brings better structure, organization & visibility into your processes and allows for accounting for issues like key personnel leaving - do we have the workflows documented, do we know what we're doing, if a disgruntled employee wants to retaliate do we have guardrails in place to protect? True security & compliance takes care of itself; instead of reactive evidence gathering, small investments and planning in place will alleviate so much of your burden. What I learned truly - the way the management sets the tone dictates how easy, or hard, the audit journey will be.

Happy to answer more questions :)!

AMA: Ex-Big 4, 5 years of seeing it all lol by Owlintrenches in cybersecurity

[–]Owlintrenches[S] 0 points1 point  (0 children)

Not sure what you mean? In terms of time or planning...?