The ISO 27001 Episode
Transcript
Introduction to the Guest and Topic:
Host Allie Krings introduces Joseph Kirkpatrick, Founder and President of Kirkpatrick Price. The conversation focuses on ISO 27001 and what it takes for organizations to achieve certification. Joseph shares his background and experience, explaining how his firm has worked alongside clients to guide them through complex audits and help them strengthen their information security programs.
What Is ISO 27001?:
ISO 27001 is an internationally recognized information security standard published by the International Organization for Standardization (ISO). It provides a framework for building and maintaining an Information Security Management System (ISMS).
The standard is widely regarded as one of the foundational frameworks in cybersecurity and focuses on managing risk and implementing controls to protect an organization’s information assets.
What Does ISO 27001 Look Like Up Close?:
For Organizations: ISO 27001 requires organizations to establish a structured system for managing information security. This includes defining policies, assessing risks, implementing controls, and continuously improving the program.
For Teams: Achieving certification is a collaborative effort. It involves multiple departments such as IT, HR, leadership, and operations, all working together to implement and maintain controls across the organization.
What Are the Biggest Gaps in Compliance?:
A common gap is focusing too heavily on checking off requirements rather than understanding the bigger picture of risk management. Organizations that treat ISO 27001 as a checklist often miss the purpose of protecting the business and its data.
Another gap is insufficient documentation. As Joseph emphasizes, if controls and processes are not documented, they are considered not to exist from an audit perspective.
How Should Organizations Assess Their Risk?:
Risk assessment is the foundation of ISO 27001. Organizations must identify their risks, evaluate their impact, and determine how to address them through appropriate controls.
Rather than applying every control universally, organizations should select controls based on their specific risks. This approach makes the process more practical and aligned with real-world needs.
What Does the ISO 27001 Process Look Like?:
Stage One Audit: This phase focuses on reviewing documentation and determining whether the organization is prepared for certification. Auditors evaluate policies, identify gaps, and provide feedback.
Stage Two Audit: This is the formal certification audit where organizations must demonstrate that controls are not only documented but actively implemented and operating effectively.
Nonconformities: Findings are categorized as either minor or major. Minor issues are typically fixable gaps in documentation or process, while major issues can prevent certification if core requirements are not met.
What Are the Key Areas Auditors Focus On?:
Internal and External Issues: Organizations must identify factors that can impact their security program, such as regulatory requirements, industry risks, and internal challenges.
Interested Parties: Companies need to define stakeholders—such as customers, regulators, and partners—and understand their expectations regarding security and compliance.
Risk Assessment: Auditors place significant emphasis on how organizations identify, evaluate, and respond to risks, including how frequently assessments are conducted and updated.
Management Review: Leadership involvement is critical. Executives must actively oversee the program, review findings, and ensure that risks and issues are being addressed.
What Are the Biggest Lessons from Real Audits?:
A key lesson is that certification is not just about passing an audit—it’s about building a strong, sustainable security program.
Organizations often discover gaps in areas like management oversight or communication, which require redesigning processes to ensure leadership is informed and actively involved.
How Should Companies Prepare for Certification?:
Start with Risk: Focus on understanding your organization’s risks rather than trying to tackle every requirement at once.
Define Scope Clearly: Organizations must determine which parts of the business are included in the certification and document which controls apply.
Practice Before the Audit: Going through an independent review helps organizations prepare for the certification audit and avoid surprises.
Who Needs to Be Involved?:
ISO 27001 is not a one-person effort. Successful implementations involve cross-functional collaboration:
- IT teams manage technical controls
- HR handles personnel-related controls
- Facilities teams oversee physical security
- Leadership ensures governance and oversight
This shared responsibility ensures that security is integrated throughout the organization.
How Can Companies Ensure Compliance?:
Compliance begins with a strong foundation in risk management. Organizations must continuously evaluate their risks, implement appropriate controls, and adapt to changes in their environment.
Leadership involvement, clear documentation, and ongoing monitoring are essential to maintaining compliance and achieving long-term success.
Ultimately, ISO 27001 is not just about certification—it’s about building a resilient security program that protects the organization and its stakeholders.
Notes
In this episode, host Allie Krings sits down with Joseph Kirkpatrick, President of KirkpatrickPrice, fresh off a week in New York City helping a client through their ISO 27001 stage two audit. Joseph breaks down what ISO 27001 actually is, why it’s regarded as the grandparent of information security frameworks, and what it really takes to prepare for certification — from risk assessment and scope to the difference between a minor and major nonconformity. He shares real, fresh-off-the-plane findings from this week’s audit, including why management review tends to trip organizations up more than they expect, and why focusing on risk instead of just checking boxes is the key to actually getting through the process. Whether you’re considering ISO 27001 or just want a clearer picture of how certification works, this conversation offers a behind-the-scenes look you won’t get anywhere else.
At KirkpatrickPrice, we’re on a mission to help 10,000 organizations raise the bar for cybersecurity and compliance. Join Our Cybersecurity Mission. If you’re going to invest in an audit, it should deliver real value. That’s why we partner with you from audit readiness to final report, ensuring you get the assurance you deserve.
Ready to strengthen your security and compliance posture? Connect with an expert today and learn how we can help you meet your toughest goals.
ISO 27001 – Information Security Management Systems
ISO/IEC 27001:2022 – Information security management systems
What’s new in the 2022 version
What You Need to Know About the ISO 27001 Revisions | KirkpatrickPrice
Annex A Control 5.35 – Independent Review
You have to conduct an independent review of your ISMS, which could be an external party or an operationally-independent internal resource.
ISO 27001 Certification Bodies
British Standards Institute (BSI)
Mastermind Assurance
Performance Review Institute (PRI)
Stage 1 Audit Report
Minor nonconformities
These are not seen as serious. You must simply develop, follow, and complete your own internal Corrective Action Plan (CAP) before Stage 2. You are not required to send your CAP for minor nonconformities at Stage 1.
Examples of minor nonconformities include:
- A two-month lapse in the audit program
- A training record not available
Major nonconformities
These are more serious and you’ll need to produce a CAP for the certifying body with all actions completed before Stage 2. You will need to submit your CAP before scheduling Stage 2 and we will pay particular attention to it at our next visit. Send your CAP to your auditor.
Examples of major nonconformities may include:
- Document changes routinely made without authorization
- No future planned internal audits
Stage 2 Audit Report
Minor nonconformities
- Unlike at Stage 1, a written Corrective Action Plan (CAP) must be sent to your certification body at Stage 2, as this is when a certification decision is made
- The CAP will be reviewed by your Client Manager and must detail the nonconformity, the cause, the proposed corrective action, who is responsible and the date the action will be implemented; you will have five working days to do this
Major nonconformities
- If a major nonconformity is raised or remains outstanding from Stage 1, an additional visit will need to be booked; this is to confirm the implementation of an effective CAP
- This additional visit will take place within 30 days; however, you may request to have the visit earlier
- Major nonconformities must be addressed within six months of the assessment and prior to the issuance of the certificate
- Send your CAP to your Client Manager
Opportunities for Improvement
- When conducting an audit, your Client Manager may encounter a situation that doesn’t qualify as a nonconformity, but could improve your system
- These Opportunities for Improvement (OFI) are revealed during the audit process and include any suggestions for improvement, as well as any findings that could lead to potential nonconformities
- While it’s not required to include OFIs in your CAP, your Client Manager will include them in your auditing report to encourage continual improvement
Example ISMS – Clause 4: Context of the Organization
https://ww2.kirkpatrickprice.com/6222025/Context-of-the-organization
Example ISMS – Clause 6: Planning
https://ww2.kirkpatrickprice.com/6222025/Risk-Assessment
Example ISMS – Clause 9.3: Management Review
https://ww2.kirkpatrickprice.com/6222025/Management-Review
Send a Question
Do you have a question for our podcast? Send it to us here.