How to Combine ISO 27001 and GDPR | Interview with Luigi Viscione
Welcome to Secure and Simple podcast. In this podcast, we demystify cybersecurity governance compliance with various standards and regulations and other topics that are of interest for consultants, and other cybersecurity professionals. I'm Dejan Kosutic and I'm the host of Secure and Simple podcast. So today my guest is Luigi Viscione. He's CEO and founder of at Miscar.
Dejan Kosutic:This is data protection and information security consultancy. He is a very seasoned, very experienced consultant and professional. He's almost ten years now in the consultant business, but before this he and basically in this business he acts as CISO, Chief Information Security Officer and DPO which is the Data Protection Officer for several companies and before that he was a manager in several large national and international groups in the ICT sector. So in this episode today we'll discuss how actually he manages to combine this privacy and cyber security and of course how he succeeds in this consulting niche which I would say is very specific but it's also very competitive. And of course you'll be able to learn firsthand what it means to be an independent consultant in a highly competitive but also a regulated market.
Dejan Kosutic:So welcome to the show, Luigi.
Luigi Viscione:Thank you. Thank you.
Dejan Kosutic:Okay. Great. So first thing, how did you actually start to decide actually to start a consulting business? And what was kind of the trigger for you to go into this career?
Luigi Viscione:Well, I spent a lot of time in private companies before starting consulting, as a consulting, and those years, more than twenty years, I learned lots of things about how I would be my consultant as a customer, as a client. At a certain point, I thought about if I do something good, I will do this thing for me and not for myself and not for my company, and so I switched from to be an associate in a company, even if a manager, to be an independent consultant. So I started a new company, Nixar, that's still working in different areas, manager consulting in ICT, generally speaking, and deeply in security and data protection consulting, trying to combine both or just one or the other one. So the main services are CSO as a service and DPO as a service.
Dejan Kosutic:Okay. Great. Sounds exciting. Okay. Great.
Dejan Kosutic:So how do you manage to combine actually these two areas of, you know, security, cybersecurity and privacy? You know, because most of the consultants I know are either on one or the other end. They're not actually doing both of these things. And I mean, there is an overlap. Right? So how do you actually manage to kind of combine these two things?
Luigi Viscione:Yeah. First of all, I have a technical background. I'm an engineer, and I spent most of my professional life in ICT. Started as a programmer and then I became a manager, but managing ICT processes developing infrastructure and so on. So when I started to discuss, to see these new things about the data protection, privacy, data protection, I had always a look, a technical look, a technical overview, and not only a legal one, that, of course, there are lots of legal aspects in data protection, GDPR and so on.
Luigi Viscione:And so, in every matter concerning GDPR, data protection, I naturally consider also the technical side and security side. Of course, as you know, there are several touch points between data protection, GDPR, and security. I'm ISO 27001 lead auditor, by the way, and DPO, so working on both areas, little by little I had a view, a kind of new view of integrated view of both this matter, and we will discuss in detail about that in the next few minutes.
Dejan Kosutic:Yeah. Sure. But, you know, basically, okay, let's say that you have a client who wants to implement both, let's say ISO 27001 and GDPR at the same time. So how do you actually, you know, suggest to a client where do they need to start? What are the steps?
Dejan Kosutic:Where are the, let's say, overlaps between these two frameworks?
Luigi Viscione:Well, first of all, the GDPR has a couple of articles, article five number five and number 32 that has a vertical view on Mhmm. Security, of course. They have to start implementing an ISMS and a personal information management system, PMS, together. You know, personal data are a subset of data, of business data, of course, they are very important, but at the end they are data, okay. So when I start to integrate, usually I start from security and they extend to data protection or maybe they a data protection officer and they need to be ISO 27001 certified, for example. Mhmm.
Luigi Viscione:You can start both from both side. For example, I start from ISO 27001 certification. There is another, an extension of this certification, which is ISO 27701, and the first thing that you have to do to have a unique risk management approach. So please.
Dejan Kosutic:Yes, please go on, please. Yes.
Luigi Viscione:Okay. So you have to see this approach with risk analysis and risk treatment considering both ISO 27001 and 27701 controls, so you have to integrate security control with privacy, data protection and legal controls.
Dejan Kosutic:So if I understood well, so then you're starting with basically a kind of integrated risk management and basically as an outcome of this risk management, you have on one hand the controls for cyber security and on the other hand the controls for privacy. Right?
Luigi Viscione:Yes, and you can use these controls for several things, for example, okay, it's attacking a matter, but you have a unique statement of applicability with these controls, of course, but you can you start considering a unique management of your approach both to security and data protection matter, for example, you have a relation with third parties, of course, have a unique relationship, very often the company, they consider third parties in two ways in security, they have, for example, contracts and security requirements in the contracts, and for data protection they have a DPA that are two documents, but in these documents you always have the security requirements, so what you can do is to integrate this unit requirement in unique documents, for example, and so you have an approach to third parties unified, that includes also to make audit, when you go to this third party, you perform an audit, you take with you a checklist with both data protection and security controls, of course, there is no happening and the audit is also shorter, it's also more efficient and you see of this third party in both the data protection and security side. Other point is when you start a new project, when you start a new project usually comes in the meeting, meeting a privacy officer, a security manager, DPO and so on, so what I suggest and also I do and to write down a security and privacy by design integrated procedure, because before starting a project you may ask something, some questions to the project manager and to other people at the table about security controls, but also about data protection control, GDPR controls, legal controls, so you write down a unique document, a unique approval of the project both from security and data protection side.
Luigi Viscione:Other point is the way in which you handle the security incident, because, of course, security incident may come, may happen on data, generally speaking, might be business data, but if they are personal data, should be a link between incident management procedure with the data breach procedure, or you can write down a unique procedure that you call incident management procedure and inside that procedure you fix what we have to do with the data breach, in case of personal data breach, you know that in case of personal data breach is not only a security handling of the problem, but also you have to handle, to evaluate the risk for the data subject and once you evaluate the risk, you have to notify to the authority to notify to the data subject if risk is very high and so on, so there are some specific aspects in this incident management procedure, but except for this specific aspect, the rest is the same because you have to handle, you have to contrast the attack, you have to put in place some actions to mitigate the risks and so on.
Dejan Kosutic:Yeah, yeah. Well, these are great examples, I mean, incident management, third party suppliers, so basically these are great examples of actually where you can integrate all of these things. Now question is you know how do actually your clients react to this because usually these audiences within a company you know for privacy these are more on the lawyer side right where for cyber security this is more on the IT side. How do they actually react to this integration thing and so you know is there any kind of a resistance here or do they see this as a positive thing?
Luigi Viscione:Well, sometimes there is a resistance because if you consider your job a kind of power position, of course, I don't want people in security coming on my side where I am on the protection and the contrary, of course, but mostly they see this integrated approach as an opportunity, because if you are a legal or if you are a privacy officer, you need to consider also security in your system. So what is better that with you, the most expert security experts, so usually they expect the integrated approach. Of course, the complication is to explain if you are a legal or not technical, some technical aspects, but I see that they trust with us and goes very well, and so it's also a matter of accountability because if you have an integrated approach, being a privacy officer, you can show that you have an integrated security and privacy by design procedure, an integrated incident management procedure, and you are accountable for that and if the authority of some other audit comes in the company, you have another variant of your accountability, you have an integrated approach which is the better.
Dejan Kosutic:Okay, great. And what happens if there is a kind of, let's say, conflict within the company where, let's say, the IT side wants, let's say, one kind of a solution and, let's say legal side wants a very different approach to basically the same thing. How do you then manage this kind of let's say different expectations from the same client company and I mean how do you reconcile them?
Luigi Viscione:Well, usually, as a former manager, I try to prepare the road map before to understand what are the real objectives of both privacy and security organizations. First of all, when I come in a company, such a company, I admit me the enforcement from the top, very top management, from a CEO or from general manager, and so this kind of project starts from the top management enforcing the job, the objectives, because for them it's a matter of business or to mitigate the risks of their business, so they don't care about their business unit or what they think. So usually, if I start with top management behind me, goes usually it goes well, And also, of course, they have a different view, the things to do are always the same more or less.
Dejan Kosutic:Okay. And how do you actually get to the, how do you get this support from the senior management? I mean, they are, you know, looking at these things as, you know, purely compliance and they don't want really to deal with it. Right? They want simply to push it to the lower, let's say, management level.
Dejan Kosutic:So how do you actually get this senior management support?
Luigi Viscione:Well, usually I try to explain them. First of all, end up a meeting with them with a presentation, is not a technical presentation, not at all, it is a business presentation, and they have to look their opportunities to be fully compliant, fully data protection and security compliant. In our business, we are always in supply chain, so your customers want you to be secure and GDPR compliant. Sometimes there are tenders, there are bid that impose you to be 27001 certified or GDPR compliant with the DPO, with a completed document set, and so for them, first of all, it's a way to stay on the market, I mean, fully stay on the market, and then they understand that if you have an integrated approach, they also have less costly approach, because you can share resources, the processes, and for example, if you have a risk before coming in this company they have two risk management procedures, and so every time there's a new project, they first evaluate the privacy risk and second they evaluate the security risk, and they spend a lot of time to evaluate this risk and this comes in time to market delay, so if you have an integrated approach, you have less time to market, which is very important for many companies.
Dejan Kosutic:And this time to market is basically when they have to comply, when they have to apply for these tenders or do you also see some other opportunities there?
Luigi Viscione:In general, generally speaking, because if you start a new project internal or external, you have lots of meetings to see if you are security compliant, compliant, and of course you can waste one month, two months more to have separate approach because you first have a look and second have another look with the same, more or less the same question except the legal one, and they say, look, you always ask me that question in the security part, you privacy officer are you asking me again the same security questions, and so why don't ask security questions once in the process and not twice? And this takes also lots of confusions in roles and responsibilities, and so the integrated approach is less costly gives a faster time to market and also more secure because you consider all the aspects of security, including data protection.
Dejan Kosutic:You mentioned earlier that there is also this connection with the business strategy, so how do you actually connect security and privacy with the business strategy? Can you explain a little bit on that concept?
Luigi Viscione:Yeah, of course it depends on the company in which industry is located, but generally you can distinguish B2B B2C independently from the industry. If you are B2C, you have millions, billions of personal data and you want to offer to your final customer the most secure and compliant approach, because not only because about the fines, of course, you may receive some fines from the authorities and it is, of course, not good for the company, but also they take care in consumer about reputation. If you have a problem, security problem, or data protection, privacy problem, your reputation is lost and you invest lots of money in commercials and then you have an incident and your operation is lost, specifically in some areas like healthcare, which you are also sensitive data, so it's very very important. In B2B you want to stay a step higher than your competitors, and so if you are, for example, certified ISO 27001 and also the extension, the data protection extension, you may compete from another point of view, for example, if they come to you as auditor, you receive a third party auditor, and you are certified, everything goes very light, very smooth, very light because someone else, another party is certified that you are secured, that you have a process in place, COD process in place, state of the art, so their strategy, of course, the market is complementary with security and the protection target.
Dejan Kosutic:So if I understood well, if the senior management understands this, let's say, strategic business strategy value from compliance they actually find it more easier to run with your projects right?
Luigi Viscione:Yep
Dejan Kosutic:exactly. Okay very good great great this is a great way to approach the company. Now, since you act both as a DPO and CISO, is there some kind of a conflict of interest between these two roles?
Luigi Viscione:Yeah, I never be both. I never do both because DPO is a control role, so he must also control security and of course the controller might be the same person that is controlled, and so if I am data protection officer, I'm only data protection officer. If they need a CSO, they, of course, use one of my colleagues, of course, or another person in the market or an internal person, of course, but I never be both.
Dejan Kosutic:Okay. Understood. And you also mentioned this ISO 27701, which is basically the standard for privacy information management system right and do you find these standards useful? I mean 27001 is basically a major you know leading international cyber security standard and it's very popular whereas 27701 did not really take off as much as 27001. So what is your opinion on this 27701?
Luigi Viscione:Yeah. But my opinion is, first of all, it's an extension, so you can have the second one if you are not ISO 27001 certified. Of course, there are a set of controls both as data processor and data controller, they are divided into big sets, and well, it's useful because checking one control over another control, you can have a kind of checklist of data protection GDPR compliance, as you know you cannot be GDPR compliant certified, but you can have a certification that maps many or most of the GDPR articles in their controls, and also in terms of accountability you have a certification that a third party checked that you are compliant with most of GDPR articles. Many times, most of the time my customers use this certification as a gold medal to be on the market, to say 'hey, I'm GDPR compliant because I have this certification in data protection' and this is used mainly from the customers they work on B2C area, because, of course, they put their certification on their website and people approaching their website may know that they take care of the data protection in the company.
Dejan Kosutic:And does this ISO 27701 certification sometimes help with, let's say, dealing with privacy authorities in particular countries?
Luigi Viscione:As far as I know, it's not a formal point, but if an authority comes to you and asks first of all the regular processing activities and look at your approach to data protection, so you have lots of audit to third party, you have a personal information management system in place with KPI under control, you have a set of policy and procedure taking care not only about data protection, privacy, the legal part, but also the security part, they see that you have an integrated approach with security, for sure you start from higher point at their eyes, and if they have to give you a fine or give you some that you find they will take care of for sure about your approach to data protection.
Dejan Kosutic:Okay, it helps in other words.
Luigi Viscione:Yeah, yeah.
Dejan Kosutic:Okay, great. Now let's switch a little bit the discussion to this more business side. I mean from as a consultant. So if I understood well you are helping other companies become compliant. So you're acting as a, let's say, implementation consultant, but also on the other hand, you are helping them maintain their, let's say, security or privacy as a CISO or a DPO.
Dejan Kosutic:And just from the business point of view, what is, let's say, more, I would say, a better business as a consultancy? Right? Is it better to be on the implementation side or on this outsourced CISO or DPO side?
Luigi Viscione:It's a very good question. Well, the implementation is more operating, so you have a lot of work to do in completing policy procedures and also to have a project plan implementation, but, you know, if you are an expert, you have lots of policy, procedures, frameworks that you already done in other companies, in other situations, so it's very quick to readapt them to the reality, their situation, of course, and so you may also concentrate on the processes, for example, the training, because training is a very important part of the certification, and to be side by side with management to have first of all the management review, but also to train also them, because also management must be trained, I mean, maybe not formally, but on the job for sure, and staying near side by side with them you evolve the kind of trust approach with you and for sure other orders, other activities will come in the future. As a CISO or DPO, you have a connection with a very top management usually, Yeah. And you act as a manager in both situations, even if DPO is a consulting firm, but in terms of authority, you are managing in the company and also you have to consider also several aspects like the relationship between business unit, between people, within other managers, but usually you are a consultant of the senior manager, of the general manager, of the CEO.
Dejan Kosutic:Yeah, so you're closer to the power in your company, right?
Luigi Viscione:Yeah, to the power and also while as a consultant you must convince them to do these and these in the roadmap to certification. As a DPO CISO you say them what to do and they have to do it. Of course
Dejan Kosutic:Yeah.
Luigi Viscione:Yeah. Is is in approach to your also, you have to convince them, but you you understand me.
Dejan Kosutic:Yeah. Yeah. No. And I completely get you. And, you know, from the revenue point of view, typically consultants earn more through this, let's say, implementation projects, but the revenues from there, let's say, CISO gigs are usually stable, more stable, because you know that you will get your money every month and so this is you don't have too much effort to sell this service because you're already in the company, so it's a kind of a good balance to have I think between implementation and these, well, if I can tell, the maintenance jobs.
Luigi Viscione:Yeah, because if you establish trust with the customer, you are kind of temporary manager, but temporary could be also years. Deploying some companies since seven years, eight years, so and I'm like a co worker in the company.
Dejan Kosutic:They don't
Luigi Viscione:care. I'm external. Of course, I'm fully integrated in the company.
Dejan Kosutic:Great. Oh, you work with several frameworks. Okay. ISO 27001, ISO 27001, then you have obviously GDPR, you might have some other privacy frameworks, but there is also NIS2, DORA, which are also European cybersecurity frameworks. How do you manage all these frameworks?
Dejan Kosutic:How do you balance between all of them?
Luigi Viscione:Well, the key here is to, first of all, is to study a lot and work a lot because you must be updated day by day, literally day by day. When you have a framework, several frameworks, you try to map them to have the kind of mapping between, for example, you can easily map NIS2 and ISO 27001, very easily map them, and also GDPR and also DORA, so if you map the controls and you try to have a unique vision on all these frameworks and to not impact the customer a different approach for different frameworks, you must have always a unique approach, because it's very important that your tribute is not blocking or having impact on processes, you must have frictionless, as I say, frictionless means that if you establish a new procedure, okay, there is something to do, but I don't completely block the process or delay the process or generic confusion of what we can do now, who do what, so you must be very careful to role responsibilities and to also to KPIs that comes with the new procedure in order to apply the procedure better.
Dejan Kosutic:Yeah, okay how do you actually achieve this frictionless I would say approach the processes, I mean you know most of these companies are usually afraid of consultants because they think that you know they will be suddenly burdened with procedures, additional rules, everything. So I mean how do you achieve this frictionless experience for them?
Luigi Viscione:Okay, of course the real cost of ISO 27001 certification is not paying the consultant or paying the certifier, of course, the real cost is organizational cost. If you are a new procedure that you before didn't have at all, of course you must respect the procedure and this is the cost, the cost is time to work, okay? So frictionless is not zero. There is a friction and I'm very clear when I start the project, before starting, before selling the project, that if they expect zero cost for certification, zero organizational cost for the certification, they have to ask to other people or good luck if you find someone, okay, but the fact that you have a cost is not you have to minimize the cost, okay, to minimize the cost, for example, is not writing a general procedure, but to go deeply in the actual way of doing their job and map the procedure on the real way of doing the job, the operation, for example. This is very important because sometimes we as a consultant, or me as a consultant, say we, me as a consultant try to use this, of course, the same procedure, the same framework, the same approach, why?
Luigi Viscione:Because you are quicker to deliver the procedure or the policy and so on, but of course this is important, but it's very important to customize the procedure to the real processes, because if you customize, ideally they do always the same thing, but respecting the procedure, respecting the policy. So secret here is to customize the policies and procedure on the real processes.
Dejan Kosutic:Yeah. You know, but how actually can you really customize something so well for a customer and at the same time actually maintain this compliance with, you know, I don't know, one or two or three frameworks? So what is the secret here, you know, how to do this?
Luigi Viscione:Well, of course, if you go in a new company, let's say a new customer, they already have some process in place, security process in place or maintenance process in place on data protection policies. If you don't have nothing, of course, you have to introduce new controls and new procedures and this is more expensive from the organizational point of view, mean, for the confusion, but in that case the impact might be a big impact because of course they don't have nothing, you change completely their way to handle security or to handle data protection, but usually I work for big companies, enterprise, they already have security process in place, they already have privacy compliance in place, and so what I do is only to modify something, to adapt something, but usually they don't have a big impact. If you go in a small company, they don't consider security at all before this project, it could be a big impact, so you must prepare them to have a big impact, but also in this case I clearly explained them that to have a security approach is a matter of survival, because today not being having zero security is not being on the market, but not because you subject to attack from others, of course, yes, but because other companies don't consider you anymore, they see that you don't have a secure approach on your processes.
Dejan Kosutic:Yeah, okay, very good. I noticed that you are actually also the lead author for ISO 42001, the AI standard from ISO. So what do you think is the future of actually AI for consultants? So how do you think the consultants should be using AI to do their job?
Luigi Viscione:Well, of course, as a consultant you must be prepared to use, you must use not be prepared, already use AI to do your job. Today I have two tools here on my laptop and I use it daily. Of course, to use AI as a consultant, you must be an expert, not using that trust completely ChatGPT or Perplexity or whatever you have. Of course, you must use it only to be quicker, to answer, to filter, to make an index, to say better in English, you see my horrible English, so sometimes I translate say it better and says better, for sure better than me, and so it is as a consulting. When I come in the company I obtain this certification ISO 24001, because coming in the company I see lots of projects, lots of different projects in different business units, they don't know each other what they are doing, it's really a mess, everyone, from marketing to, let's say, ICT to legal to whatever, everybody are running on AI project just because it's a trend, it's fashion, not only because they don't have a unique approach to this matter, a unique approach considering AI risks, considering AI impact on data protection, considering AI impacts on security, and this loss of governance opens a new business area to us as a consultant, because if you have like ISMS, Personal Information Management System, you have an AI management system.
Luigi Viscione:You must have an AI management system, consider risk as only AI, you consider unique approach, consider to spend money with the integrated approach, not business unit one, consider AI one, business unit two, consider AI two, and they don't talk to each other and mess like that.
Dejan Kosutic:Yeah, so you think there will be a big market for consulting for ISO 42001?
Luigi Viscione:Yeah, I think that it's like a premature noise, but I think would be not only 42001 certification, but also as a consultant considering AI risks in security data protection, both security data protection area.
Dejan Kosutic:Yeah, I think I mean you know this AI will definitely already actually has a big impact on consultants you know on one hand you know how consultants are using these tools really to work with their clients and you were saying you know how to speed the things up also on this end actually how do consultants distinguish themselves and from let's say AI tools because you know anyone can type into ChatGPT and or write me a backup right so it's something that consultants did before now you know AI can do in a second. So the question is really how do consultants distinguish differentiate from these kind of tools that are automatic? So this is a very interesting question really.
Luigi Viscione:Yeah, of course for me it's a kind of enabler. I will never be a consultant or whatever, I don't know, using ChatGPT or other tools, because of course the answer, I have my answer, but I don't understand if the answer is correct, is complete, is targeted on the context of the question, so I use it also to be faster, to be quicker, also to understand, for example, if there is a technical matter that I don't completely understand very well, an acronym, let's say, or a side that I'm okay, I start to ask questions and in a few minutes, I don't have to read a book, in a few minutes I become not an expert, but I know something, considering also my gray hairs, that I'm able to study very quickly now at my age. I'm an expert, only an expert of this specific side of technology. Of course, I prefer to have the source of the answers from the AI and that's why I use, for example, Perplexity that gives to me also the document attached that I can investigate deeply and read deeply, because I don't trust completely.
Dejan Kosutic:Yeah. Yeah. Yeah. Yeah. Always need to double check and this is still the thing with AI.
Dejan Kosutic:It's, you can never trust it completely. Right? Yeah. In any case, you know, this AI thing will be bigger and bigger and certainly in some other episodes in this podcast I'm going to dedicate more time to investigate this because yeah it's going to impact consultancy on a big level. Okay so just to try to kind of go towards the end.
Dejan Kosutic:Where do you see going in the next, let's say, five to ten years? So we speak when you speak about cybersecurity and privacy consultancy, so how do you think this consultancy business will evolve in the next yeah, in the next period?
Luigi Viscione:Well, the evolution, for first of all, comes from the evolution of technologies and regulations. Here in Europe, we are regulated, maybe over regulated, but I don't care, so you have to follow the evolution of regulation and also of technology, for example, AI, example, AI is a matter of security now in my not only AI in general, but AI may be used also to be attacked from third parties, from hacker, and also to defend yourself you may use AI, for example, or if you use AI you can, you might be careful to not give to AI or your personal data or your business data externally, so there's a lot of space in the few years, have a lot of work coming from day by day luckily, and I think will be a lot of space to us. Of course, we must be very quick to understand, very quick to be prepared to new business, to new technologies, to new regulations, that is a real challenge for us because the world of consulting is evolving monthly very quickly, today I do things that ten years ago I did in three days for example, and I'm older, imagine, can imagine.
Dejan Kosutic:Yeah, this is a big change, yeah definitely. Okay, so to wrap it up, would you kind of summarize in let's say three most important things that the consultants acting in this cyber security and privacy arena, what kind of the most important things consultants should keep in mind?
Luigi Viscione:Well, be prepared, study a lot, try to stay near the business and not only near of course, the technical part is important, the legal part is important, is your job, of course, but try to stay near the business, near the processes, near the business, and in that way you would be considered as an enabler, not a person that comes to you with audible, acronomous and unknown technologies to the business.
Dejan Kosutic:Mhmm. Mhmm. Okay. Great. Thank you for this insight, Luigi.
Dejan Kosutic:It's been a pleasure talking to you.
Luigi Viscione:You're welcome. You're welcome. You're welcome.
Dejan Kosutic:Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On Advisera website, you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients.
Dejan Kosutic:Accredited Lead auditor and Lead implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up. It helps us with better ranking and I would also appreciate if you share it with your colleagues.
Dejan Kosutic:That's it for today. Stay safe.
