Trends in ISO Standards: Certification Body Perspective | Interview with Tom Wheat

Dejan Kosutic:

Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest for consultants and other cybersecurity professionals. I'm Dejan Kosutic and I'm the host of the Secure and Simple podcast. And in this podcast today, we have one very interesting guest. His name is Tom Wheat, and he's the UK Country Manager at PJR.

Dejan Kosutic:

PJR is one of the better-known certification bodies, and we are going to discuss some interesting topics for consultants around what the trends are in the certification industry around ISO standards, but also what happens behind the scenes in a certification body. So, Tom, welcome to the show.

Tom Wheat:

Thank you, Dejan. I appreciate it. Thank you for the invite. And I'm looking forward to, yeah, discussing some hot topics, shall we say, what the flavors of the month are, and more importantly, you know, going into some of the back-end stuff that consultants may not know about on the accreditation side.

Dejan Kosutic:

Great. So what is it that you are actually doing in PJR?

Tom Wheat:

Yeah. So quite simply, I head up as the UK Country Manager. Ultimately, what that means is that it's the responsibility of not only the accreditation side, but also the quotes and basically running the whole of the team. It's quite new in the UK. We've been there since 2017.

Tom Wheat:

We've got a really good foothold now. And, hopefully, that's down to the customer service that we offer as well as the global footprint that's there, Dejan. So yeah, it's a huge global organization. Therefore, I take the smaller piece of the UK.

Dejan Kosutic:

Okay, great. But if I understood well, you're also responsible for European operations, right?

Tom Wheat:

Correct. So as with anything in life, we've been really successful in the UK at the minute, and now I've taken on the European role. We have a very established, successful operation in Italy, therefore that's why I've worked very closely with yourself to cover the rest of Europe. And let's not talk about Brexit, that's a different story. But, yeah, in theory, we're on our own, but I do cover Europe also.

Dejan Kosutic:

Okay. Great. So how did you end up in the certification business?

Tom Wheat:

I never thought I would. And I think we'll both smile at it. It wasn't by choice, Dejan. I've been a consultant on the other side for a long, long time. And quite simply, I can only talk respectfully about the UK market.

Tom Wheat:

Maybe interesting to also know your opinion on the European market. Therefore, the standard of customer service is very good. And as with UKAS, as we know, many times it's preached that we have to get a minimum of three quotes. And a client would ask me, Tom, which certification body would you recommend? And I used to say none of them.

Tom Wheat:

They're as bad as each other. So I don't know if anyone can relate to this on the call with regards to consultants, but most definitely I did. And as with anything in life, if you recommend someone and it goes wrong, it's your fault. Right? Yeah.

Tom Wheat:

So I had a pint with my father, and my father said, what are you gonna do about it? And I said, nothing, Dad. And he said, well, shut up then. Well, three years later, Dejan, I'm here. I'm flying the flag.

Tom Wheat:

I'm rebuilding trust, rebuilding hope, and more importantly, we have really nailed customer service. And I think that people are most definitely witnessing this. It used to be the situation of going from one hot frying pan to the other. In other words, is the grass always greener? I can most definitely say I'm trying to make that cultural change within the certification side, heading it at PJR.

Dejan Kosutic:

Okay, great, great. If I understood well, you were also in firefighting before, right? Yes. It's quite a change in career from a firefighter to a consultant and then to certification body manager.

Tom Wheat:

Many would say saving cats rather than firefighting, but it's true. I joined the fire service at 18, young. Mhmm. And naturally fell into the world of ISO 45001. From there it was a case of, obviously, I used to do a lot of private stuff in regards to films, implementing ISO consultancy in that sector. It sounds glamorous, doesn't it?

Tom Wheat:

Uh-huh. Uh-huh. If you saw how people filmed TV shows, you know, eight hours of time to film one minute, I soon got bored of that. And then, yeah, as with anything in life, I found consultancy. I found a passion for it and for implementing change.

Tom Wheat:

I think compliance is something that's undervalued. In many organizations it's not respected for the value it is. But, yeah, firefighter to a PJR country manager. Different, to say the least.

Dejan Kosutic:

That's a very interesting career. Anyway, so do you enjoy more working as a certification manager or as a consultant? So what do you find interesting there?

Tom Wheat:

Good question. I think there's two sides. I think the consultants, as you know from your background, your expertise, you're on the ground helping. You're part of it. You're an integral part adding value.

Tom Wheat:

And I think my role now is giving people a home, then that's being safe, ensuring they continue to improve and giving them the certification that they need. For an answer to your question, I suppose, I'm not gonna be that person to say both, Dejan, because that's not very good. I'm gonna say certification more. And the reason why is, at the minute, I find it more of a challenge.

Dejan Kosutic:

Mhmm.

Tom Wheat:

I find it more of a challenge not because of what the role entails, but because of the reputation that's out there of certification bodies. And I know I've mentioned it before. I'm out there to change that.

Dejan Kosutic:

Okay, great. Quite a mission. Important point, yeah.

Tom Wheat:

Yeah, definitely.

Dejan Kosutic:

Anyway, so let's speak a little bit about this market in general, about ISO standards and compliance in general. So what do you see, you know, especially from the certification point of view, what do you see as the main trends with ISO and other standards?

Tom Wheat:

I think the main huge trend is ISO 27001. They appreciate we're going through a transition from 2013 to 2022. But at the same time the world's changing, and the world's changing in the sense of the evidence going digital, electronic. And if we're both honest, let's be honest, compliance managers are getting younger, wiser, and expect more of a click of a switch. So for us at the minute, our biggest standard on a global scale is 27001.

Tom Wheat:

And I think it's interesting that we can talk about that more.

Dejan Kosutic:

Mhmm. Sure, and how come ISO 9001 is really not kind of the main focus of yours? Because as we know, ISO 9001 has more than one million certificates worldwide, whereas 27001 has less than 100,000. So how come 27001 is such a big or important, let's say, standard for you?

Tom Wheat:

I agree. I think the main thing has been influenced by central government in the UK. If we talk on a global scale and we talk about 9001, it's still the most standardized standard. It's the blueprint of any. Right?

Tom Wheat:

That's what it's about. I think what's key is I think automotive, the trends, the manufacturing that associates stereotypically with 9001 are getting less. I think we're in an industry now whereby, you know, we could talk about 42001 in a minute, where the world's changing. I think there's still a massive purpose for 9001. Therefore, business, society, nomads, people working from home, more virtual offices than ever.

Tom Wheat:

COVID, if we dare talk about COVID, Dejan, I think one of the policies that came with it was, you know, a lot of people worked away from the home space and the workspace and working remotely. So there's still more than a market for 9001. Therefore, do I think that 27001's got the potential to catch up? Definitely. Uh-huh. And I think that's coming not just from enterprise anymore, not just supply chain and tenders, but more importantly, that's being pushed from government.

Dejan Kosutic:

Uh-huh. Okay. Great. Good to hear. And so when you compare, let's say, 27001 to these, let's say, privacy standards like 27701, or to some other standards like 42001, which is AI, which is becoming very fashionable.

Dejan Kosutic:

So what do you think when you compare these three standards? Which one will become, let's say, the dominant one in five, maybe ten years?

Tom Wheat:

I think 27001 will remain. I think what's specific about 27001 is, you know, it's GDPR. I think for the audience that we know, it's a bolt-on, a pin-in, you know, in a nutshell. I think what's key with that is that it's really not been pushed. I think it's fallen off the perch simply due to Brexit and the European community stats, and it hasn't really taken off.

Tom Wheat:

I still believe there's a market for it. I mean, we'll talk about DORA as well in a minute, which we'll touch on. I think it will move when it's 42001, honest opinion. There's multiple CBs that are going through the pilot scheme. I generally believe potentially that it'll be the certification body that holds the standard up.

Dejan Kosutic:

Mhmm.

Tom Wheat:

I still think there's a place for 42001 for consultants. I think there's definitely a place for it in the market, 100%. I think we were the first ones to take it on. Therefore, UKAS were quite reluctant. And I think the reason why.

Tom Wheat:

The reason for that, Dejan, was that the requirements for auditors in order to audit that standard for a third-party UKAS certification were outrageous. And because they were set so high, let's be honest and talk real talk, I'm guessing people who are in AI are earning, shall we say, six figures. So we've gotta attract those people to come out to the field, more importantly, upskill and take on their roles. So I think in time, 42001 will grow. I think there's still a long time off till we get to that place.

Tom Wheat:

And therefore, I think we should be implementing 42001 now to consult companies in preparation, ready for our side.

Dejan Kosutic:

What about this global picture? So, as you know, SOC 2 is very popular in the United States. Which are the cybersecurity standards, international or global standards, there besides 27001?

Tom Wheat:

I think there's many out there. I think if we're honest, I think each country adapts its own standard for privacy and security. And if we talk specifically about SOC 2, I'm no expert on SOC 2, but we do know it's an American standard set by the federal government. But the irony of all this that we talk about is we're the biggest certification body in America, and we don't do SOC 2. So, I mean, what does that mean?

Tom Wheat:

And I've asked the president many times, why don't you do SOC 2, Perry? And he says, there's no need for it. There's no market for it. And I go, well, it's set by your central government. And America's response is that 27001 is the most recognized worldwide standard for information security. And I think that's really reassuring coming from a company with a big CB that don't adopt their own standard. So I think what's refreshing for both of us and most definitely the listeners is we talk about the UK market specifically, Dejan. Some of the companies push and push what they call cybersecurity plus. Now cybersecurity plus is still being pushed.

Tom Wheat:

Therefore, in some ways, does it do what it's meant to do? Yes. Therefore, I think on a global scale now, for that global trust, you know, reputation, credibility, 27001's now being pushed by central government. So it's interesting as everything's changing, but what I think I can be quite confidently clear on is that it's not three or four standards, it's being railed towards one. And 27001 seems to be the benchmark now.

Dejan Kosutic:

Yeah, so everything seems to be converging towards this standard, and especially when we take a look at, let's say, some other cybersecurity regulations like DORA and NIS2, especially NIS2, you know, is going very much in the direction of 27001. So yeah, it seems to be like a baseline for any type of

Tom Wheat:

And I think even if we talk about baseline, I think it's the baseline for the requirement. But if you actually look at the standard and the credibility it gives, it absolutely excels that. I think, rather than that, I'd say it's the gold standard. I think nationally, it's the standard everyone works towards. It gives the continuity in the supply chain.

Tom Wheat:

So rather than being based in a different country and on a different mission, which is standard, if everyone's working towards the same, which is naturally happening, which is 27001, then there's no need to check and go, well, does this actually cover the privacy and security that we need to deal with this client?

Dejan Kosutic:

Yeah. Yeah. Yeah. Okay. So are you also involved in any way with these European cybersecurity frameworks, I mean, laws and regulations like DORA and NIS2?

Dejan Kosutic:

Is this something that is covered by certification bodies?

Tom Wheat:

We haven't been involved, and I think, I wouldn't say a fact, but information for the group is that DORA should have been completed by January 2025. Mhmm. And what I know specifically in the UK from a really reliable source is that 80% of applicants haven't even started the process yet, Dejan. So that's how much the demand is behind. But I think what's key, and what's key for the people that need this in regards to the regulation, is we both know, you know, in short terms, that 27001 and 22301, which is business continuity, in essence, give you 80% of the application form done.

Tom Wheat:

So when you talk about the uplift for applying for this by adopting the two standards, there's only a 20% uplift to do. But if we actually pause and think and go, okay then, if people do that as a process, we're also adding the value of 27001, and we're also adding the value of 22301. So I think the main pathway now, I don't know about many others, is that the gateway to getting DORA for consultants and clients is sharing that knowledge of going by attaining these two certifications. There's only 20% left to do.

Dejan Kosutic:

Yep. Yep. Yep. Okay. So can you speak a little bit about what happens behind the scenes in certification bodies?

Dejan Kosutic:

So, very often, you know, consultants have only the contact with, let's say, the certification auditor that audits their clients, but they don't usually know what happens, you know, afterwards, let's say, behind the doors in the certification body. So who actually makes the decision on whether a company gets certified? Is this the certification auditor, or is it someone within the certification body after the auditor does the audit?

Tom Wheat:

Yeah, so it's a common question and it makes me smile, and it's a case of, we know many clients are going to need certifying, and when do you need certifying by? Last Friday. And the reality of what we know is that that's not the case. We both know that. I think when an auditor leaves at stage two and does a closing meeting, Mhmm.

Tom Wheat:

What's presented is that you are recommended towards certification, or there's been some findings. So let's use the first, the recommendation for certification. Every certification body has to carry out a process called EC review. And the technical review that sits there is where a qualified auditor, if we use 27001 as an example, checks all the documentation, checks it's non-biased, all the information is readily available, and then they stamp that for approval. So that process can take a week, and can take up to two or three.

Tom Wheat:

So as soon as the auditor submits the report, it then goes to EC review. Once the EC reviewer, which is a qualified auditor, is happy, they'll then push forward for certification.

Dejan Kosutic:

Mhmm.

Tom Wheat:

What happens then is, when it comes to certificates, we have to send out a draft copy. And the draft copy quite simply is for simple stuff, spelling mistakes, grammar, to ensure the scope is spelled correctly. And then once the client approves the draft certificate, we then send out the certificate. We also go the added way at PJR, Dejan, that you maybe will not be aware of. We also send the golden plaque for the wall that's engraved.

Tom Wheat:

And the reason we do that is for HQ to show off the good work that you've done. But I think the main thing that people don't understand is that the minute the audit is finished, they think it's done. It couldn't be any further from the truth.

Dejan Kosutic:

And

Tom Wheat:

I think that's what's absolutely key. And we have many consultants, oh, please, Dejan, please.

Dejan Kosutic:

So sorry to interrupt, but if I understood well, there are at least two or three steps after the certification auditor does the closing meeting. And you said that this EC review is being done as one of the major steps, right, after the auditor submits the report. So what can go wrong in this EC review?

Tom Wheat:

What can go wrong? Let's give a number of examples, okay? So one could be administrative, that obviously the scope is correct, the building address is correct, all the findings have been done. There may be a situation whereby there's been nonconformances found. And if a nonconformance has been found, any client can challenge these, but also the EC review can. And if they deem it necessary, that might be a case of, you know, subclause 4.1.

Tom Wheat:

Context of the organization: if something's been raised that shouldn't have been raised, that can be challenged at that point. So it's very much a two-sets-of-eyes principle that makes sense, to basically ensure everything's in place. Common things which we smile about is signatures. Simple things like signatures signing stuff off. Because there are many situations, I'm sure consultants can also relate to this, where the scope has been agreed to audit.

Tom Wheat:

And now, when it comes to putting it on the certificate, a client may add, that's not my scope. And then it's not just about changing the scope. This is a really important point, because if the scope is so different to what's been written down, we may have to go out and do an extension to scope, or clarify that the auditor's covered that scope. So I think the most important thing in our world that we both know is the scope creates the code. It creates the NACE code, and it puts the organization in a category.

Tom Wheat:

It's the most important thing that we do. And I think that's left from the consultant. It's left from the client and the auditors.

Dejan Kosutic:

Yeah. Okay. So what does this mean for consultants that want to prepare their clients? You know, I mean, how can consultants actually help overcome these potential issues when working with their clients?

Tom Wheat:

Totally. I think what's key is the way of work. And we trust consultants to put clients forward ready for certification. And what we mean by ready is, we talk about stage one. The expectation that we both know is that all internal audits should be done.

Tom Wheat:

The management review should be completed. All the documentation's in place. And a very common question that we get asked is, okay, how much evidence do you need in order to do a third-party certification? And the rule of thumb is three months.

Tom Wheat:

And the reason we ask for three months is that we have respect for that time. They may have no corrective actions or things in place, but as long as they've got a procedure and they've improved, that's fine. Well, when does the three months stop? And our response to that is, the minute you put a signature on a policy, the clock stops.

Dejan Kosutic:

Okay.

Tom Wheat:

So it's a very common question that we get from consultants sometimes. Sometimes we get it from clients. For an answer to your question, how can they help, it's to ensure that that simple stage is done. We both know that stage one's a documentation review in essence. The main thing is also that clients don't understand what scopes mean.

Tom Wheat:

And the simple analogy to put that is, what does your business do, in a sentence? It's really important. Yeah. And other things are, I can't speak for every certification body, but for PJR, we don't send out application forms. And the reason we don't send out application forms is we do a Teams meeting or Google meeting, and we capture that data to ensure we get the scope.

Tom Wheat:

Understand if it's a software house, if they do coding. All these questions are key. And the reason they're key, Dejan, is these give the possibility of a reduction in audit. Because if a software house or a SaaS model doesn't do any coding or software development, that's a 15% reduction. It's really important.

Tom Wheat:

Yep. Yep. The reason we gather this information in our way at PJR is it builds that trust and rapport. And if the consultant or the client has missed anything, we ensure we capture that point. So, to answer your question, it's very rare that EC review misses anything.

Dejan Kosutic:

Okay, great, good to know. And you mentioned this three-month period for collecting evidence, so if I understood well, some certification bodies do require this period and some don't. How come there is such a difference in, let's say, approach to certification? Especially if some certification bodies do not require this period, then how do they audit if there is no evidence after this period?

Tom Wheat:

Well, we work from the 17 o two five and the 17 o six, and they have the standardized documentation. We work off certification body standards that are set by the IAF, UKAS, and accreditation. And what sits with that, obviously, is it doesn't stipulate an exact time frame. Therefore, as you mentioned before, the whole point of us doing audits is to add value. Okay?

Tom Wheat:

We are not coming in to do a tick-box exercise. Now I can't speak for all certification bodies, Dejan, which we'll most probably smile about, who promise that they can be done the week after. I'm not here to do that. But what I can answer on our behalf is through evidence and statistics. And over the thirty-four years that we've done standards, the median is three months.

Tom Wheat:

And the reason for that is not all evidence is collated. Therefore, we can prove processes and ways how to do that. So for your Annex A controls, your statements of applicability, all the things that sit within 27001 specifically, it is enough time to do it. You'll notice that many consultants will promise that they can get the system implemented within a week. We'll both smile at that, Dejan.

Tom Wheat:

Right? Okay. We'll both smile. And it's a different conversation for a different day. Well, even if these consultants do this implementation in a week, in theory, who's gonna certify it?

Dejan Kosutic:

Yeah. Yeah. I know. It's a big question, and it's certainly not going to work as a management system. Right?

Dejan Kosutic:


Tom Wheat:

100%. And I don't say unfortunately, but we know there's a percentage of our market that needs certification for tender. They need it for the supply chain, and they aren't doing it for culture, to add value. And that's fine. We're not here for that.

Tom Wheat:

Therefore, our approach, and I know your approach, is one whereby the reason we do what we do is to add value.

Dejan Kosutic:

That's the difference. Yeah, definitely. What kind of value actually can a certification body add? I mean, you know, usually people and consultants are simply viewing certification bodies as, you know, a certificate on the wall. Right?

Dejan Kosutic:

Yeah. So what kind of value beyond this certificate can a certification body offer?

Tom Wheat:

I think what's key is, if you look at PJR, for example, once you get the certificate, you're then up and running. I still smile at some clients who think that once they get the certificate, they're done, not understanding the whole basis of what we do, which is continual improvement. And I think once you get the certificate, okay, so this is where we catapult you into many channels. And specifically at PJR, we put some people in the hot news, and we share our clients internally. And the amount of business done internally between each other because they're certified is incredible.

Tom Wheat:

So we open networks. We don't just go, there's your certificate, and off you go. We try and push organizations to the sectors we know that we've got, as much as we can. And I think that the value that comes with it is, you know, we both know. Yeah.

Tom Wheat:

A good common question, I'm sure, that consultants can ask, and managers who sit on this, and the board of directors, not to change this question, Dejan, but why do we need it and what value does it add? Okay? And I'll have a different response, and you'll have a different response. And I think ultimately there are many avenues you can look at it from, and it's not just internally to protect them. It also gives an external line whereby they can go out and tender and bid, then come to the side of culture, accountability, credibility.

Tom Wheat:

It goes on and on and on. Therefore, as with anything in life, some people sort of go for it because they're pushed. Yeah. And I think that's interesting. And in regards to, if I look back at my health and safety days from firefighting, if you had a health and safety fine back in that day under RIDDOR, you used to cringe at the amount it would be.

Tom Wheat:

Now if you look at it towards 27001 information security breaches, it doesn't even touch the sides. It's incomparable. So, you know, the reason you do what you do and what I do is ultimately not just to protect an organization, but to put some on a platform to then go, do you know what? We have this. We took accountability, so on and so forth.

Tom Wheat:

So I don't know if I answered your question, Dejan.

Dejan Kosutic:

Yeah, certainly. But can an auditor during an audit also, let's say, suggest some, I don't know, good practices to the clients? Is this something that an auditor can do, so as not to be in a conflict of interest?

Tom Wheat:

Good question. I think whoever's watching this will all smile together. The auditor comes in and gives nothing, or the auditor comes in and adds value. What does that mean? It still stipulates with UKAS that we have this line.

Tom Wheat:

We have this boundary whereby we cannot consult.

Dejan Kosutic:

Mhmm.

Tom Wheat:

So many go, okay, what's consulting? And we'll both smile at this. I think what's key is we have a phrase called opportunity for improvement. Uh-huh. So on an audit report, you've got a major nonconformity, a minor nonconformity, and an opportunity for improvement.

Tom Wheat:

An opportunity for improvement is what you've just said. It's not consulting. The difference is this, as I explain to many clients. If I'm asking you to change something, physically change it, that's consulting. That's an opportunity for improvement.

Tom Wheat:

But if, from my side, you can see something where you can make it better through streamlining or whatever process it is, Mhmm, then that's adding value. So, an answer to your question, yes, we can. We can't consult, but can we come in and add value and advise and give recommendations to improve and streamline? Yes.

Dejan Kosutic:

Yep, yep. Well, definitely, I have a feeling that this is really where auditors, especially the ones that have experience, if they've seen hundreds and hundreds of clients with the best practices, then these opportunities for improvement are really a great way to disseminate these best practices also to other companies. It's great if an auditor really can do such a thing and help basically these clients.

Tom Wheat:

And it's true. I think an added aspect to this, and I'm sure you'll smile with me, is as a certification body, we're already invested in the way that consultants work. And the reason we do that, we talk about many platforms and we talk about Conformio specifically, is that we proactively upskill our auditors on those platforms. And the reason we do that is for a simple reason. Customer satisfaction streamlines the process. And in fact, what we just talked about is, if you're continually working with a platform or a system, not just the volume of experience you get from it on the audits, you can see means and ways of also feeding back to improve it.

Tom Wheat:

And I think that's absolutely crucial because the relationship between consultants and certification bodies, UKAS sort of comes across with a stance that you shouldn't form one. Therefore, Mhmm, why not? Why shouldn't it? Because at the same time, the bit we're missing here is the customer.

Tom Wheat:

And the people who recognize the customer, and it's based around customer service, and we can both equally give the right service, then we've succeeded. Mhmm. So I think we go a step further, as I know you do, in that this is sharing. I think some consultants are quite wary of showing certification bodies how they do it. Yeah.

Tom Wheat:

I haven't got the answer to that, Dejan. But what I know is this. I can vouch, and you can vouch, for the benefit of doing it.

Dejan Kosutic:

Yep. And how about consultants actually being part of the audit, I mean, if they participate and if they are really there and work together with the auditor? What is the perspective of the certification body towards consultants who actually want to be a part of this certification audit? Is this something that is positive or negative?

Tom Wheat:

For me personally, positive. Some will disagree. I think what's key is, we look at the size of the organization. I think what's key is, if this is fully outsourced to a consultancy company, then obviously they should show up and represent. If we're using, for example, a case whereby a customer or client has implemented internally, but just used support from a consultant for internal audits or management review, then the rule of thumb is we have to have present whoever leads that from within the organization.

Dejan Kosutic:

Mhmm.

Tom Wheat:

So we can't have, for example, that scenario on the latter and then have a consultant lead and answer all the stuff, because that's not right. They haven't implemented it. You know, when we talk about leadership in regards to the culture of the organization, we have to talk to key people. But the reason I prefer that consultants are a part of the audit, more importantly, is that it just improves the whole experience. Because I think the problem and stigma we've got within our organization with clients and consultants is the majority of clients are put off because, one, where do they start?

Tom Wheat:

And two, cost. And I think the key point of the consultant is to break down the doors, give that reassurance and be part of the team. Because not everyone can afford a compliance team internally, therefore there's a huge benefit of bringing in the compliance team externally.

Dejan Kosutic:

Yep, yep. Okay, okay, very well. Yeah, I know this is very often a dilemma, but this kind of perspective helps, and it does certainly help if a consultant is also present at the audit. Now, what happens if an audit client is not satisfied with, let's say, a nonconformity? So, you know, some companies are really afraid of challenging the certification auditor and basically telling them that they do not agree with this nonconformity.

Dejan Kosutic:

So, what is this process? How does this work of, let's say, challenging this audit finding?

Tom Wheat:

So I think what's key in regards, I can only speak for PJR, Dejan, in regards to our processes. But at the opening meeting, it's always explained how, what the audit is there for, obviously, the appeal process to do it, and if they have any disgruntles. And I think our smile here is many nonconformities are not raised because consultants are there during the audit, and you'll smile with this. Because sometimes clients will roll over and not challenge because they may not have the knowledge. Therefore, a consultant should go, I'll stop you there. And what happens there is the majority of what goes on with this, shall we say, event, is they normally get crushed down then, because the consultant's got the knowledge.

Tom Wheat:

In answer to your question, if one is raised and appealed, there's a process of 30 days, which is three zero, where they can appeal that. And what happens at PJR then? We have a board that is dedicated, set up. May I add, in these three and a half years I've done this, Dejan, I've never had one of these cases, but I do know the procedure.

Tom Wheat:

It's whereby the procedure sets. They have a board of people from accreditation. And I would come in as the client, and you would come in. The auditor will present the information, present the evidence, and then the decision will be made there and then. It either remains as a nonconformity or it gets scrubbed off.

Dejan Kosutic:

Okay. Understood.

Tom Wheat:

Everything's up for debate. Everything's up for appeal. And I think, yeah, I think that naturally comes on and makes me smile from the one before, whereby if it is an experienced auditor, the consultant's the first one to tie up the knots and go, no, you won't be raising that.

Dejan Kosutic:

I mean, in 99% of the cases, I know that usually this is resolved at the closing meeting and basically clarified, if not even before, right? But yeah, this is very often a question, what happens if I don't agree? But in practice, in the majority of cases the certification auditor really presents the nonconformity in a very clear way, after which you can't say anything else, right? Yeah. Okay, let's speak a little bit about this certification market.

Dejan Kosutic:

From the perspective of a consultant, this certification market seems to be very, very competitive. Lots of these certification bodies, seemingly they offer more or less the same thing. So, how do you actually compete in such a very competitive market?

Tom Wheat:

It's a fair point, Dejan. I think it's a case of the real talk is a case. I think our side, and when I mean our side, the certification side, is epically failing the industry. I think consultants are doing an incredible job, and that's a case of doing their bit and showing the customer service is there. For The UK specifically, you know, in the top four or five that sit there, unfortunately, that's not the case.

Tom Wheat:

Customer service doesn't exist. And more importantly, it's a money club. It's all about creating money with no respect for the client at all.

Dejan Kosutic:

Mhmm.

Tom Wheat:

And the reason we've gone about our ways is everyone that works in PJR in The UK has been a consultant. We've all got qualifications. We've all been on the other side of the fence. We aren't sales reps. So what that means is if we talk about, you know, a technical question and you ask it of me, rather than I'll get someone else to answer you, we should be able to answer it.

Dejan Kosutic:

But Mhmm.

Tom Wheat:

Customer service is, we absolutely pivot on customer service. We're an American based company, which we'll smile about, and all that our fellow Americans talk about is customer service. An example of that, quite simply, is I think there's a lot of frustration out there with consultants at the minute, as well as clients, that, you know, no one answers the phone. No one returns the quote. You get promised audit days that actually don't exist.

Tom Wheat:

And it's not even the parrot's died anymore. The hamster's now died. It's just excuse after excuse after excuse, and it's unacceptable. It's totally unacceptable. And our approach is a case of, as you know, if a client or consultant comes to us, the first thing we ask is, when do you want the audit by?

Dejan Kosutic:

Yeah.

Tom Wheat:

If we can't do the audit, we don't take the deal on. And the shock horror, it sends absolute ricochets through the market because it's not the norm. Everyone else takes deals on, promises what they can do, and therefore they can't fulfill it. And I think what's key for us is that, you know, we don't send application forms. We jump on a call.

Tom Wheat:

You have one dedicated point of contact. You don't speak to Dejan, Tom, Susan, Sarah, Gary. You just talk to Dejan from start to finish. And these small, I mean, minimal changes, which don't seem big at all. It's just the norm.

Tom Wheat:

It's been overwhelming, and we're having a high volume of transfers. We've gone out and headhunted the auditors that not we want, but that clients want and consultants want. Whenever I speak to a client or consultant, I say, who's the best auditor you've ever had? And they tell me, and we go out to find them, Dejan. And that's what we've built our model on.

Dejan Kosutic:

It's fascinating. I mean, this kind of thing is really something that can so much differentiate you from the competitors, I mean, customer service itself, right? It's something that should be kind of by default for everyone, but it seems that you're doing this much better than everyone else.

Tom Wheat:

I couldn't agree more. And I think the irony of this is, and this is my honest approach, I don't think any clients, or really consultants, care about the certification body. The only thing that clients care about is auditors. They build the trust.

Tom Wheat:

They build the rapport. They build the relationship. And wherever auditors go, clients will follow. Because let's be honest, Dejan. Day prices from different bodies in The UK that I speak of, even Europe.

Tom Wheat:

The day price is from one end of the scale to the other. It's the same certificate with the same accreditation with the same stamp. So what adds the value? We add the value regarding the customer service. Others actively fail on that, and therefore charge twice the price.

Dejan Kosutic:

Therefore,

Tom Wheat:

the reason they stay with their bodies is because they've got a relationship with the auditors. It's nothing to do with the certification body.

Dejan Kosutic:

Yeah, yeah, yeah. So, how do you see these, you know, certification bodies in, let's say, five to ten years from now? So, how do you think that their, let's say, role will evolve, especially because of these technological developments like AI and all these things.

Tom Wheat:

So...

Dejan Kosutic:

Yeah. How will PJR look in ten years from now?

Tom Wheat:

Great question. I think the biggest problem we've got, the biggest hurdle, is UKAS. I think it's a case of they start at the top of the tree because they're the ones that dictate the rules. They're the ones that dictate, and that comes downwards. So Mhmm.

Tom Wheat:

We have great plans, and the great plans are a case of, we're very, I'm gonna use the word modern, Dejan. What do I mean by modern? We have an approach whereby there's a lot of talk in the mains in regards to the whole audit's gotta go back on-site. All of them are gonna go back on-site. They can't be fully virtual.

Tom Wheat:

They can't be hybrid. And there's a lot of myth busting in that. And I think the reason that people are really going back towards it is they're losing money in expenses. The reason I'm saying this is PJR's approach is a case of, it's to be modern, and that's to move with the times. I think we're going towards standards now that are very technically based in regards to information security.

Tom Wheat:

And we both know as a consultant and an auditor that the majority of people that own these businesses don't even have an office. All this stuff is stored in the cloud. Yep. Therefore, we've been told from the top that we've gotta go out and audit these people. Where?

Tom Wheat:

In your front room, Dejan? In your bedroom? Downstairs?

Dejan Kosutic:

It's crazy.

Tom Wheat:

So, well, this is what's happening in the industry. And I think within the industry, our approach is to stay modern. And I think, you know, when we had COVID, it was a massive shock. Everyone went virtual in our world, as we both know. And I've gotta be honest that the majority of auditors don't go out on the road anymore.

Tom Wheat:

They don't go out on the road anymore. So our approach, and that's due in ten years' time, is hopefully to be as modern as we are now. And that means a case of, we know the guidelines set by UKAS. We work within those guidelines. We work with consultants.

Tom Wheat:

We work with clients, and we do what's best for the customer. But unfortunately, in our world, that's not the reality for us.

Dejan Kosutic:

Yeah. I mean, I know a lot of our clients are really, you know, these virtual companies, SaaS companies, where everyone is working from home, and they're asking, okay, who is this auditor going to visit? He's not going to come to my home, hopefully, these kind of questions. This kind of approach, where you acknowledge that these companies are virtual, is very important. But what do you think about AI?

Dejan Kosutic:

Is AI going to change the world of certification?

Tom Wheat:

It's a really interesting question. I suppose both of us can answer in regards to, is it gonna change consulting? Is it gonna change certification? Good question. I think it has to.

Tom Wheat:

If we say it isn't, we're absolutely in denial. Mhmm. What aspects we'll hold on to, I don't know. Well, in answer to your question, yes. I I think it will.

Tom Wheat:

I think the difference in the case of, in regards to, you know, can it write an audit report? I'm guessing it can. I mean, technology is frightening now. Will we miss that physical aspect regarding us doing this, voice? Mhmm.

Tom Wheat:

Well, never say never, Dejan. You can get a voice now. Right? So I think it will. I don't know how quickly it will change.

Tom Wheat:

I don't know what we'll hold onto. Therefore, I hope we can hold on for as much as we can. And I suppose the only thing that we can do as humans in some way, and take peace from, is the relationship and customer service, if that makes sense. That's the bit we can hold on to, that physical aspect. What are your thoughts, Dejan?

Tom Wheat:

What do you think?

Dejan Kosutic:

I think that it will drastically change this compliance world, you know, starting from consultants and how they do their work all the way to auditors, but I think that it will change even more for consultants. You know, when you take a look at what happened, you know, thirty years ago with the advent of the Internet, right, how the Internet has changed the way consultants are doing their work, I think AI will have the same magnitude of change when it comes to consulting. Not only in terms of AI taking over some, let's say, more repetitive tasks and more mundane tasks when it comes to, let's say, preparing documentation or processes or these kind of things, it will also go, I would say, even much further, where actually AI will be able to, well, I wouldn't say consult clients, but certainly give some advice, I would say smaller pieces of advice, to clients. And of course, that raises a big question then of what the consultant's role will be. And in my opinion, I would say consultants will be here as, I would say, knowledgeable people who will, on one hand, use this AI to speed up their work, but also, on the other hand, consultants will be, I would say, configuring this AI in a way that it then helps clients directly.

Dejan Kosutic:

So the role of some consultants or at least the role in some part of these consulting jobs will change as well.

Tom Wheat:

I agree, and I think the big pick for me is the case of, this is speeding things up for both of us. And I think the most controversial podcast you could do is in regards to, you know, how do we justify these mandates in regards to 27001 audit days. And I think it's a topic on its own. And I think in time, which is out of our control, that's set at the top table of UKAS, is if technology is that much quicker, will it reduce audit time? Not gonna answer that one, Dejan.

Tom Wheat:

I'm gonna leave it there, but that's a huge one, in a case of, you know? I'm sure there's many consultants on here going, you know, how about auditors are sitting there twiddling their thumbs? It's that many days. We don't know what to do. Unfortunately, we have to follow the MD 11 table, and that's where every certification body comes from.

Tom Wheat:

We don't just pluck it out of the air, but as you said there, I think it's a valid point that, you know, if we do get smarter and faster with AI, will that reduce audit time?

Dejan Kosutic:

Yeah, yeah, yeah, it will change obviously these rules.

Tom Wheat:

We'll see. Okay,

Dejan Kosutic:

great. So, let's wrap up the show today. So, what would you say are kind of the top recommendations for consultants when they're preparing their clients for certification?

Tom Wheat:

I think what's key is a case of, there's a lot of pressure out there that they want it now. I think the majority of consultants do ensure that you're ready to go with regards to the basic stuff for stage one. That's a must. I think it's also key to communicate that once the stage two day finishes, they don't get the certificate the next day, because they're the ones who are on the phone going, where's my certificate? Yeah.

Tom Wheat:

And I think the main thing is just keep doing what you're doing. And the reason I say that is a case of, we can't do our bit without your bit. And if anyone rings PJR and says they want 27001, the first question we ask is, have you got a consultant?

Dejan Kosutic:

Mhmm.

Tom Wheat:

We don't just ask that to pass a lead. The reason we ask that, in a case, obviously, is if the client was to say, no, we don't, we recommend the gap analysis as a minimum. And the reason for that is we don't set anyone up for a fall.

Tom Wheat:

And I think the main gatekeeper in this, to ensure that, is the consultants who are listening to this video. I think it's credible what you do, and I think it's important for you to know that, believe me, from being on this side of the fence. You know, a high percentage of clients that implement on their own, it doesn't always end well. And I think the main one, Dejan, that I'm gonna finish on, which I think you'll smile with me about, is keep the prices right. The amount of people who've gone to the cheapest consultant, cheap is not always the best.

Tom Wheat:

And all of a sudden, you are receiving a call to say, can you pick this up and get me out of this mess? And, unfortunately, that's business. That's life. But I think, yeah, maintain the price for the value add.

Dejan Kosutic:

Okay, so great. So let's finish up with these very nice, very good suggestions. So thanks, Tom, for all of these, for the whole interview today and for your valuable insights. And, yeah, I think consultants will certainly have a lot to learn.

Tom Wheat:

Thanks, Dejan. I really appreciate your time. Take care.

Dejan Kosutic:

Yeah. Great. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website, you can check out various tools that can help your business.

Dejan Kosutic:

For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. The white label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.

Dejan Kosutic:

If you like this podcast, please give it a thumbs up, it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe!
