ISO Standards
In an increasingly digital world, the need for trust, transparency, and compliance has never been more critical. Organizations are under constant pressure to protect data, meet regulatory requirements, and maintain credibility in the eyes of customers, partners, and regulators. Amid this evolving landscape, ISO standards have emerged as a vital framework for building and sustaining digital trust. More than just guidelines, these standards serve as a globally recognized benchmark for best practices in security, privacy, and operational excellence.
On the FIT4PRIVACY Podcast, host Punit Bhatia engages in a compelling conversation with industry expert Dejan Kosutic to explore how ISO standards—particularly ISO 27001—play a transformative role in helping organizations secure data, meet compliance goals, and reinforce their reputations. Their dialogue offers valuable insights into the practical implementation of these standards and the strategic advantages they bring to organizations operating in today’s complex digital environment.
Transcript of the Conversation
Punit 00:00
ISO standards. There are many of these, and all these standards go with one objective. They help you justify that your company is doing the right thing. Now, as there are many standards, is there some commonality between these standards? Can complying with one standard lead to some benefit, some saving of time, when you start with the second standard? How does the standardization or the compliance with these standards work? What does the organization have to do? Or what does your organization have to do if it has to certify another company? And if you're a person and you want to be an expert in one of these standards, what do you have to do? All these are very relevant questions. And also another question is, why should a company comply with, or start to think about complying with, the standard? Well, who better than Dejan Kosutic, who is the CEO of Advisera and my good friend, to share with us what these ISO standards are and how they can help? Let's go and talk to him.
Fit4Privacy Introduction 01:06
Hello and welcome to the Fit4Privacy Podcast with Punit Bhatia. This is the podcast for those who care about their privacy. Here, your host, Punit Bhatia, has conversations with industry leaders about their perspectives, ideas, and opinions relating to privacy, data protection, and related matters. Be aware that the views and opinions expressed in this podcast are not legal advice. Let us get started.
Punit 01:35
So here we are with Dejan. Dejan, welcome to the Fit4Privacy Podcast.
Dejan 01:41
Thank you for inviting me. I'm glad to be here.
Punit 01:44
It's a pleasure to have you, and as you work a lot on ISO standards, I'm curious to understand what you think about digital trust.
Dejan 01:56
Yeah. Well, digital trust is, I would say, kind of a branding issue. And you can actually take a look at digital trust on, let's say, two levels. One is a kind of more generic one. It's like, you know, in the car industry, you're expecting by default that cars have certain safety features; they have, I don't know, ABS, airbags, this kind of thing. So, one way to look at digital trust is that basically, by default, users of various digital systems, online systems, have the expectation that their information will be kept secure. And the second level to look at digital trust is more on the individual company level. So again, going in this direction of the car industry, you know, we have a certain expectation from, let's say, BMW, okay, an expectation in terms of, let's say, performance, I don't know, speed, handling, you know, comfort, these kinds of things. And on the digital trust level, you could also have certain expectations of particular companies, you know, what are your, let's say, specific expectations on how this company needs to perform from the security point of view, from the point of view of protecting your critical information. So these are, I would say, two ways to look at digital trust. And I would say both actually go under a general view of branding, so to say.
Punit 03:20
For sure, I think that's very well put. It helps perceive your brand in a certain way. And when we talk about branding, there is also a role that standards and frameworks play, and one of the well-known ones is ISO standards. And you have a specialty in many standards in your company. So what is your view on how these standards play a role in helping a company create, let's say, the digital trust dimension of it?
Dejan 03:54
Yeah. So there are many standards worldwide, especially these cybersecurity standards. But basically the most dominant standards are ISO standards, so standards published by the ISO organization, the International Standardization Organization, and I would say there are a couple of reasons why these standards are dominant. First of all, because the ISO organization is basically an organization that is founded by governments all over the world. So I think more than 150 governments founded the ISO organization, and basically each standard that is accepted by ISO is implicitly accepted by all of these governments. The second one is basically that these standards are equal wherever you use them. For example, ISO 27001, the most important cybersecurity standard, is exactly the same in, let's say, the UK or the USA or, I don't know, China or wherever. And so, even though they're translated into local languages, nevertheless they're word for word exactly the same anywhere. So, speaking of digital trust and ISO standards, 27001 is really the dominant standard, the most important one. And it's actually, I think, the third most popular standard worldwide, the first two being 9001 for quality management and 14001 for environmental. So, I think that 27001 is already third. It's maybe third or fourth. And there is also another standard which goes more in the direction of resilience. This is the ISO 22301 business continuity standard. It's not as popular as 27001, but it's gaining popularity because of regulations like DORA, which is a cybersecurity regulation for financial institutions in Europe which goes heavily in the direction of resilience, and also partially NIS2, which is the European cybersecurity directive for critical infrastructure, which also goes a little bit in the direction of resilience.
Punit 06:00
Okay. That's interesting. And you mentioned these standards are common. So are they common in the sense of the same standard, let's say ISO 27001, being the same anywhere it's applied in the world? Or is there a commonality between standards also, like ISO 27001, ISO 42001, 30001 or 31000? So are there commonalities between standards, or is it the standardization across regions?
Dejan 06:28
So there are some similarities between ISO 9001 and 14001 and 45001 and 27001 and ISO 22301. All of these standards are basically management standards. And when you analyze each of these standards, you see that, for example, document control is basically the same. They have the same requirements about gathering the interested parties and their requirements, you know, training and awareness, let's say internal audit, management review. So, there are many, I would say, management components that are basically the same across these standards. Also, they are, I would say, widespread all over the world. So you can see that, for example, there are something like 60,000 companies that are certified against 27001. And the distribution of these certified companies is more or less equal across the continents. So, there are many companies certified in China or Japan, but also in Africa, especially in Europe, and to a certain extent also North America. So I would say the distribution of these standards is very worldwide, and a similar pattern you can also see in 9001 and 14001.
Punit 06:36
Okay. And when we talk about these standards, there are two dimensions. One is the learning for a person who will, let's say, implement, audit, or act on these standards. And the second is the organization which would take care of implementation of the controls as they're suggested.
Dejan 08:04
Correct. Yes.
Punit 08:06
Yeah. So in that context, let's dissect it from both the organization and the individual. Let's first go organizational. So if an organization wants to implement a standard, and let's say it chooses ISO 27001, later on it chooses 9001, later on it goes for 31000, then is there some synergy or benefit that they can leverage, saying, since it's a management standard, an information management or management standard, they can say, I did this in this part; now in this part, I can leverage it rather than having to re-do it? So, are there any advantages?
Dejan 08:42
Yeah, certainly. So if a company, let's say, is already compliant with 27001, it already has these components like document control, internal audit and so on. They do not have to recreate it again for, let's say, 9001, if they want to implement these other standards. So basically they're already using these existing components for creating a new management system, let's say a quality management system. So basically there is this term called integrated management system, where you basically have two management systems, but they're integrated in some elements, for example, the ones that I mentioned. So, there is certainly a synergy between various ISO management standards. And this means that for each new standard that you go for, it makes it actually easier for you as a company to go for the next one. So each next one actually requires a smaller effort than the previous one.
Punit 09:36
And if a company hasn't chosen it yet, and that's the first standard they're going to implement, what would be the drivers or reasons for them to say, let's go for this standard? The first one, of course; the second and third, once they're on the journey, would be relatively simpler, I believe.
Dejan 09:53
Yeah. So the main driver usually is the requirements from their buyers. Okay? So what we see at Advisera, in our company, is that most companies that actually go for ISO 27001 do this because their clients require them to actually implement and certify against the standard. So this is driver number one. It's not only for 27001; it's basically the same across other ISO standards. The second driver that we see becoming more and more important is laws and regulations. So, for example, as I mentioned, this DORA regulation for financial entities and also the NIS2 directive for critical infrastructure companies. They both say that the companies that are suppliers to either financial entities or to critical infrastructure companies must be compliant with security standards. Right? Now, they don't say 27001, you know, explicitly, but they do say, you know, either international or European standards. And when you take a look at which international standard is the most popular one for cybersecurity, it's 27001. So implicitly it comes down to actually compliance with 27001. So, what we'll see in Europe in the next, I would say, year or so is a big surge in 27001 implementation and certification, because these companies are suppliers either to financial entities in DORA scope or to critical infrastructure companies in NIS2 scope.
Punit 11:37
Yeah, I think I see that same pattern, which you're saying, also with the clients we serve, because sometimes you don't want to get certified, but you want to leverage the standard as a means to set up the governance, set up the management, set up the systems inside, and then in a few years you'll choose whether you do the certification or not. But we are talking about this certification. How complex is this certification for an organization to get? So, let's say an organization has done everything or implemented all the controls; what would be the process for the organization to get certified on any of the standards?
Dejan 12:14
Yeah, so you can actually view this certification, or becoming certified, in a couple of stages or a couple of phases. Of course, first you have to implement all the steps, all the clauses that are represented in a particular standard. And, for most ISO standards, the last couple of steps that you need to perform are this: management review, sorry, internal audit and then management review and then closing the corrective actions. These last three steps are typically the same for 9001, 27001, 14001 and so on. So basically, once you complete all of these steps, including these three last steps, then you have to go for the certification audit. And this audit needs to be performed by a company that is independent and that is accredited by some government body, so that they can in fact perform these certification audits. And then you go into these two stages of the certification audit, where the first stage is where the certification body examines your documentation. So, it's called document review. And basically they examine if your documents are compliant with the standard. And the stage two audit is called the main audit. And this is where the certification body or certification auditor examines whether your activities in the company are compliant with all of the documents that you have written. So, for example, let's say that you have written that you have a backup policy. And in the backup policy, you have said that you will do the backup every six hours for a particular IT system. So, what will the auditor do? He or she will actually ask the, let's say, system administrator to show all the backup logs from this particular IT system and see if really the backup is done every six hours or whatever you have written. And in this case, if the company is doing the backup every, I don't know, 12 hours or 24 hours, this would mean that you are not compliant with your own policy.
And this means that the auditor will raise a non-conformity because you're not doing what you're saying. So ultimately, what is the hardest part here? Of course, many companies are getting confused on how to write documents. But I would say this is the easier part, especially if you're using some kind of a tool or, let's say, toolkit or something like this. The hardest part is really to make sure that your employees understand all these documents and that your employees are really complying with whatever rules you have set for your company. This is the hardest part, and this is what very often most companies don't see upfront, because they are kinda obsessed with writing these documents, but they don't actually see that the documents are not the point. The point is actually that you have to, you know, change your behavior and start doing some activities that you might not be doing.
Punit 15:30
Yeah, I think that makes sense. I also see that pattern: companies tend to focus a lot on the documentation. They tend to think it's the documentation, the policy, the governance, the setup that's more important, which is of course important, don't get me wrong, but it is the actual realization of what is being said in the policy, what is being said in the procedures. Yeah. And that's where most departments fall short, and that's where the most findings are. So that's on the organization side. But you mentioned two types of audit. So, one is the test of documentation, that the design is okay. And then there's the test of effectiveness. Correct. So, there are two different audits at two different times.
Dejan 16:50
Yes. So, this stage one audit is basically the starting point of this whole certification process, and it usually is shorter. So, let's say that, if you're a very small company, you would have seven audit days in total. Out of these seven days, you would usually have, let's say, two audit days for the stage one audit. So, it's shorter, and it comes first. And then after a couple of weeks, the certification auditor will schedule the stage two audit, which in this case would last five days for a very small company. And obviously it takes much more time, because what the auditor wants to do, he or she wants to check if you're compliant with each and every clause in the standard, with each and every control, and most importantly, with each and every thing that you have written in your policies and procedures.
Punit 17:08
So, when the stage two audit is done, you get a certificate from whom?
Dejan 17:14
From the certification body. Of course, providing that you did not have any major nonconformities, meaning that you don't have any major problem, right? If you got only minor nonconformities, so if the auditor found only some minor problems, then yes, then a company will get the certificate, which is issued by the certification body. And this certificate is valid for three years at a time. During this three-year period, the certification body is actually not done with this company. The certification body also wants to check if you are maintaining your system. And these audits are called surveillance audits. Okay. So, for example, let's say that the company goes for a certification, let's say a stage two, in, let's say, May 2025. The certificate is valid then until May 2028, right, three years. And then the first surveillance audit will be in May 2026, and the second surveillance audit will be in May 2027. When the certificate expires in May 2028, then a company can decide whether to re-certify or simply let the certificate expire.
Punit 18:30
But I guess the surveillance audit is an option that the company chooses or not, because since it's an external company, it's paid for, right?
Dejan 19:39
It’s not an option. So basically, when you actually sign an agreement with a certification body, the requirement of this agreement is that you actually go for the stage one and stage two audit initially, but also that you go for these surveillance audits. So they're not optional, they're a must. And actually it does make sense, because, you know, if there is a certificate showing that your company is compliant with the standard, it does make sense for a certification body to check regularly if you're really maintaining this compliance or not.
Punit 19:15
And now another type of organization, which is doing the audit, who certifies, let's say, Advisera or Fit4Privacy as a certified auditor? Who decides that?
Dejan 19:28
Okay so, is it the person or is it the company? The company. So basically, or better to say, an organization. So, for example, one of the biggest certification bodies in the world is, let's say, SGS. Okay. Or DNV, or BSI. So, these kinds of organizations are certification bodies. Now, the question is who gives them the license to actually issue a certificate? And these are the accreditation bodies. Accreditation bodies are basically government agencies, and these accreditation bodies are giving the, let's say, license to these certification bodies. And this license is called accreditation, right? So basically, SGS and other certification bodies are accredited by accreditation bodies. In this case, UKAS is one; this is the United Kingdom Accreditation Service. So basically, this UK government body gave them the license to certify other companies. So, they, as an organization, have the license to do it. Now, this is one component of it. The second component is that they need to have skilled people to perform the auditing job, right? And these are certification auditors. So, certification auditors work for certification bodies, but these certification auditors also have to qualify for that job, right? And part of this qualification is that they actually have to go through these courses. In this case, the ISO 27001 lead auditor course. So basically, this is one part of their qualification to be able to work for a certification body. The other part of this qualification is that they actually need to have enough experience in some other things. And basically, they gain this experience as a trainee working for a certification body.
Punit 21:22
So basically, there are three levels of certifications, if we get it. First is a company, a client, somebody who, let's say, is in a manufacturing domain and wants to be certified from a cybersecurity perspective via 27001. They go to another company to get that certificate, but the company giving the certificate has the authorization to provide these certificates. So that's there, but then there are people working in that company who would do this, check those two audits which you talked about, or three: stage one, stage two, and the surveillance audit. Then the person, let's say you or me, if we want to go and do these audits, we will need to be certified in ISO 27001, either as a lead implementer or auditor; lead implementer, meaning we are capable of implementing it, or auditor, meaning we are capable of auditing it. And then if we are an implementer, we can directly work for the client. If we are the auditor, we work through the accredited company to certify them. Is that the right process?
Dejan 22:25
Exactly, yeah. There are three types of, let's say, authorizations or certificates. So individual certificates for individuals working in this area; certificates for companies that basically want to prove to their clients that they're compliant; and accreditations for certification bodies, yes.
Punit 22:43
Okay. And then the interesting part is, these people who want to be certified in these audits or in these implementations, they need to get these trainings, and they need to pass an exam.
Dejan 22:58
Correct. Yeah. So, there are many training providers, including our company, that, you know, provide various courses. Typically, in this compliance business there are, let's say, four types of courses. As you mentioned already, lead auditor courses are intended for people who want to work as certification auditors. Then there are lead implementer courses, and these are typically for people who actually are in charge of the implementation of a certain management system in their companies. These two courses are also very popular with consultants, because consultants are obviously very important, I would say, players, so to say, in this industry. And so, they usually go for either lead auditor or lead implementer courses. Beyond these two, there are also internal auditor courses. So, the courses that are specifically intended for people who will work as internal auditors in their companies. And by the way, this is a mandatory requirement for any of these ISO standards. So you need to have a qualified internal auditor. And finally, there are so-called foundations courses, which are intended, in general, for, let's say, people who are part of, let's say, a project team in a company, or maybe a senior manager who wants to learn about the standard and so on. So, for example, for ISO 27001, you would have the 27001 foundations course, the 27001 internal auditor course, the 27001 lead auditor course and the 27001 lead implementer course.
Punit 24:43
And previously, a few years ago, there was also something called a manager course. Is the manager the same as the lead implementer?
Dejan 24:52
You could say so. There is, yeah, there is sometimes this overlap between these two. But yes, in most cases. For example, we are launching now, for DORA, in, you know, 10 days or so, we are launching a series of courses for DORA, the cybersecurity regulation. And basically, we will launch the DORA foundations, DORA internal auditor and DORA lead implementer courses. Now, when you take a look at our competition, for instance PECB, which is our biggest competitor, basically PECB does not have the DORA lead implementer course. They have the DORA lead manager course. But when you take a look at the curriculum, it's very similar. So, it's basically the same thing, but, I would say, the product name is slightly different. However, the essence of such courses is very similar.
Punit 22:52
Okay. That makes sense. So, tell us something about you and your company. What do you do? You mentioned certification courses and everything. So, what exactly do you do and how does it help people?
Dejan 26:07
Yeah, so our company, Advisera, has a couple of products which help companies and individuals. Basically, on the courses side, we provide various courses for various ISO standards, starting from 27001, 9001, 14001, 45001, which is the health and safety standard, also 13495 and the GDPR. So, for these seven or eight standards, we have this range of courses, as I mentioned: foundations, internal auditor, lead implementer. Now, for companies who want to implement standards and comply with them, we provide these documentation toolkits. So basically, this is the set of documents, and also our consultation, which helps them implement all of these standards. And also, specifically for 27001, we have this software. This is, I would say, a mini GRC software for ISO 27001. And also, we have another product called the Company Training Academy. This is a learning management system which enables companies to train a larger number of employees. So, it's different from courses, because courses are targeted towards individuals, whereas if companies want to train their whole workforce on NIS2, or DORA, or, I don't know, 27001, then they use this Company Training Academy. So, I would say, a range of products. But our idea was really to enable our clients to satisfy all of their needs when they need to comply. So, from training the individuals who are leading the project, all the way to training their whole workforce, all the way to documents and setting up all of their processes and everything they need to comply with the standard.
Punit 28:10
That makes sense. Providing a full service. So, if somebody wants to comply with an ISO standard, I think you can help them end to end. That's how I understand it. And now, based on this conversation, if somebody wants to get in touch with you, what would be the best way?
Dejan 28:28
Easiest, of course, is to visit our website. So, it's advisera.com, and you can find all the information there. Of course, you can also contact me directly through LinkedIn. So, I'm very active on LinkedIn and it's easy to find my profile. So, you can simply send me a direct message, and I typically respond within one or two days. Either of these two ways is, I would say, good for getting in touch.
Punit 28:59
And you recently launched what we call a podcast just like this one. Tell us something about that. What is it called? Where is it available?
Dejan 29:08
Yeah so, the podcast is called Secure and Simple. And I recorded, I published already a couple of episodes, and this podcast is directed to, or is focused on, a very specific target audience, and this is consultants and also security managers or chief security officers in a company. So basically, what I noticed is that there are no similar podcasts which would focus specifically on these ISO and cybersecurity consultants, or on chief information security officers. And I wanted, you know, to kinda provide them with some insights, you know, on how successful people from this compliance area actually handle various challenges and how they become successful. So, this is why I launched this podcast. And, yeah, we'll see how this goes. In any case, my plan is to do this every two weeks, to publish new episodes every two weeks. And, yeah, my intention is really to include in this podcast the experts from this field. So, I already had a discussion interview with you as one of the leading privacy and AI experts. And this is what I'll be doing also with, I would say, similar people who have similar experience and reach. So, in any case, I would say an early start, but I think it's a very good target audience. And it fits very well into my overall strategy for the YouTube channel. So, I already have a YouTube channel for a while, and something like 500 videos already there. So, I'm very active on YouTube, because I think it's a crucial way to basically present your knowledge and help people resolve many questions around compliance.
Punit 31:18
Absolutely. I think, as you said, it was a pleasure to be on your podcast, and it's very well done and it's very useful, especially for a company, a consultant or a CSO trying to understand security in a simple way, and how to brand yourself and how to make yourself effective. But, while people can watch that and subscribe to yours and my podcast, I think it's time also to say it was very useful. The conversation we had gave us a very good glimpse of what these ISO standards are, where they fit, how they help, and what the steps are for an organization in terms of the entire journey of ISO standards. So, thank you so much. Have a wonderful day and see you soon.
Dejan 32:04
Thank you for inviting me, Punit. It was really a pleasure being here, and I enjoyed this conversation today.
Punit 32:11
Thank you.
About Fit4Privacy 32:13
Thanks for listening. If you liked the show, feel free to share it with a friend and write a review if you have not already done so. Thank you so much. And if you did not like the show, don't bother and forget about it. Take care and stay safe. Fit4privacy helps you to create a culture of privacy and manage risks by creating, defining and implementing a privacy strategy that includes delivering scenario-based training for your staff. We also help those who are looking to get certified in CIPP/E, CIPM and CIPT through on-demand courses that help you prepare and practice for the certification exam. If you want to know more, visit www.fit4privacy.com. If you have questions or suggestions, drop an email at hello@fit4privacy.com.
Conclusion
ISO standards are much more than a compliance checkbox—they are a strategic asset in today’s digitally driven world. By adopting and maintaining certifications like ISO 27001, organizations not only ensure the security and integrity of their information but also signal their commitment to global best practices and trustworthiness. These standards enable smoother regulatory alignment, stronger market positioning, and long-term operational resilience.
For businesses, ISO certification is a powerful differentiator in competitive markets. For professionals, it opens doors to meaningful roles in implementation, auditing, and consultancy. As digital trust becomes a central expectation, ISO standards serve as a critical foundation—guiding organizations toward compliance, credibility, and sustained growth in the digital age.
ABOUT THE GUEST

Dejan Kosutic is a leading expert in cybersecurity governance, ISO 27001, NIS2, and DORA, as well as the author of numerous books, articles, webinars, and courses. As the CEO of Advisera, he founded the company to help small and medium-sized businesses access the resources needed to achieve certification for ISO 27001 and other ISO standards and EU regulations. Dejan believes that simplifying standards and regulations not only makes compliance more accessible but also provides a competitive advantage for Advisera’s clients.

Punit Bhatia is one of the leading privacy experts who works independently and has worked with professionals in over 30 countries. Punit works with business and privacy leaders to create an organization culture with high AI & privacy awareness and compliance as a business priority by creating and implementing an AI & privacy strategy and policy.
Punit is the author of books “Be Ready for GDPR” which was rated as the best GDPR Book, “AI & Privacy – How to Find Balance”, “Intro To GDPR”, and “Be an Effective DPO”. Punit is a global speaker who has spoken at over 50 global events. Punit is the creator and host of the FIT4PRIVACY Podcast. This podcast has been featured amongst top GDPR and privacy podcasts.
As a person, Punit is an avid thinker and believes in thinking, believing, and acting in line with one’s values to have joy in life. He has developed the philosophy named ‘ABC for joy of life’, which he passionately shares. Punit is based out of Belgium, the heart of Europe.