Mastering Integrated ISO Management Systems | Interview with Jim Moran
Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today we have a very interesting guest. His name is Jim Moran. He's the founder of Simplify ISO, and he has very big experience with consulting, more than thirty years, with various ISO standards like ISO 9001 and others. He's also the host of the Simplify ISO podcast, and he's a member of ISO committee 280, which is for guidance for management consultancy services, related to the standard ISO 20700.
Dejan Kosutic: So, lots of experience with various ISO standards. In today's podcast you'll learn what this high level structure of ISO management standards is, and basically how to use it to integrate various ISO standards and create integrated management systems, for example ISO 27001 and ISO 9001 or any other standards. So welcome to the show, Jim.
Jim Moran: Well, thanks for inviting me, Dejan. I enjoyed working with you on our other podcast a couple of weeks ago, so it's nice to have sort of a connection, you might say. So thanks again for having me on.
Dejan Kosutic: Great to have you here, Jim. And yeah, let's start. So what is this high level structure, or HLS, and why is it actually important?
Jim Moran: Well, first of all, it started in 2013 with the standard you're most familiar with, 27001. And I didn't really get it when I first saw it. But I really liked the fact that they were working on some kind of structure that could be used in different standards. And to date, I think you've seen it in 27001, 14001, the environmental standard, 45001, health and safety, 50001, energy. It's even in 56001, the asset management standard.
Jim Moran: So it was a brilliant move on ISO's part. I have a feeling they might have felt that the ISO 9001 registrations, of which there are more than 2,000,000 in the world, might have been slipping a bit. So they probably helped design this high level structure format. I've heard people call it harmonized structure as well. So if our listeners have heard that term, it's the same thing.
Jim Moran: But the beauty is that if you have any standard, maybe some of our listeners have ISO 9001, the structure is exactly the same, the headings at least. The first one is context, clause 4; leadership, clause 5; planning, clause 6; resources or support, clause 7; clause 8, operations; 9, performance evaluation; and 10, improvement. If you have one built, you can just modify it slightly for any other standard you want to integrate into your management system. And there are many advantages we'll get to in a minute. But 2015 came along, and here's ISO 9001 now using the same format that 27001 did in 2013.
Jim Moran: 14001 environmental came out the same year, and it's just been a terrific, I guess you'd say, paradigm shift for ISO, because each area of expertise was pretty protective of its own format for making standards. And as you probably know, 13485 medical devices still has its own format, and 17025 calibration and testing still has its old format. And 15189 medical labs is the same as 17025. So with our listeners hearing this whole swirl of numbers, suffice to say that I think the others will come along. I think they'll kind of be left in the dust if they don't, from an international standards perspective anyway.
Dejan Kosutic: Now I noticed that, once you compare all of these standards, and by the way, 42001, the AI standard, is also following the high level structure. Anyway, when you compare all of these standards, I have an impression that clause 4, context, clause 5, management, especially 4 and 5 and 9, which is about maintenance, let's say, and measurement, and clause 10, they're basically almost the same amongst these standards, whereas the differences are mostly around clauses, let's say, especially 8 and 6, right? Clause 7 is also almost the same. So do you also see this kind of pattern between these standards? And why are only these two clauses really so different?
Jim Moran: Well, it's a good question. I think, as you pointed out, the biggest differences are in clause 8, operations, because every field of endeavor, every industry, every company, and so on, they deliver their service or build their product uniquely for their own industry, first of all. And, of course, within each of the hundreds of thousands of industries in the world, there are legal requirements that go along with those. So it would have been pretty difficult for ISO, the International Organization for Standardization, to come up with a clause 8, operations, that is generic enough but with enough detail to be worthwhile or usable by various companies. So the result is, as you just suggested, that some standards, I'm thinking of health and safety, have 8.1, general, and 8.2, emergency preparedness and response.
Jim Moran: That might be it for them, what I'm thinking now. And then we think of quality, or especially your area of expertise, 27001. Not only is there a pretty extensive clause 8, there's an Annex A with 93 separate requirements. I love the way they set that up, by the way. It reminds me of Ishikawa's fishbone diagram.
Jim Moran: The man would be the people. Six methods would be operations. Or I guess the organizational one, the first one, would be like the milieu in his man, method, milieu. So there are a lot of good thinkers out there, but 8 is definitely the biggest one.
Jim Moran: That's usually how I start explaining integrating to any of my clients: since you have ISO whatever XYZ it happens to be, you're going to have all these things in place. And I guess the other thing, because 8 is so different or so unique to each standard, as you said, 6, the risk assessment, will be equally unique, because although the methodology can be the same, a lot of clients use ISO 31000 as guidance. In the 27000 world, 27005 is a specific guidance document, 27007 for internal auditing. So if anybody listening is venturing into information security, and if you aren't, you should be, you'll find lots of help. I was especially pleased to see 27002, where, if you do it mathematically, you have almost a page and a half of explanation for every one of the 93 clauses in Annex A. So there's lots of help for people.
Jim Moran: The other one I love of that series, too, is 27036 part 2, the information security standard for the supply chain. I mean, the supply chain came under everybody's magnifying glass during COVID, when we saw how critical it was for survival. And I think everybody inherently knows that your supply chain is the lifeblood of your organization.
Dejan Kosutic: Going back to clause 6, what I noticed is that, yeah, there are differences, let's say, especially in this approach to risk management. And one of the specifics in ISO 27001 is this statement of applicability, right?
Dejan Kosutic: For a long time, this was the only standard which requires this statement of applicability, directly related to this Annex A, right?
Jim Moran:Yes.
Dejan Kosutic: And then I saw that 42001, the AI standard, has the same concept, right? They have this Annex A with controls and the statement of applicability in clause 6, which basically regulates or specifies which of these controls are applicable. But this is unique to these two standards. I didn't really see it in any other of these ISO standards.
Jim Moran: I can't think of any other standard where it's as prominent. And when you see it, it makes so much sense for an organization to take the time to go through all of these requirements and maybe look for ways to see that it would apply. I guess I've done half a dozen 27001s now. Nothing compared to your vast accomplishments there. But I did notice that in any company, and varied companies as well, everything still applies. About the only exception, in my particular realm, was the writing of software.
Jim Moran: That's the section that says if you develop software. Most of my clients, or all my clients, just use it. None have developed it. So I imagine that creates a whole other special set of challenges, if I might say.
Dejan Kosutic: Yeah. Definitely.
Dejan Kosutic: Now, this Annex A, right? I think all these standards do have annexes, but this Annex A is particularly important, as we mentioned, in 27001 and 42001. With other ISO standards, are these annexes also important, or do they have less meaning, let's say?
Jim Moran: The Annex A that you and I know in 27001 isn't guidance. It's requirements, 93 requirements. And the other annexes that I've used are just guidance, just a guidance document. And even a guidance document like 19011, the auditing document, even has annexes.
Jim Moran: Also, not shalls. They're shoulds or mays. And it makes a big difference, but I find them very helpful for people building systems, just in the sense that it gives you another perspective. It gives you something to think about. But nowadays, I'd say in the last two years, for me anyway, I started using AI for writing or creating webinars for BSI.
Jim Moran: And we did ten years of that with them, just finished last year, actually earlier this year. And the incredible upswing of knowledge and, I hope, improvement to management systems with AI, it's almost unfathomable. It's literally infinite. Well, it isn't, but it feels like it's infinite. So all the annexes in the other standards can certainly be enhanced with using AI as well.
Dejan Kosutic: But the point I'm trying to make here is that, basically, this high level structure does not really cover annexes.
Dejan Kosutic: Right? Basically, these annexes are, I would say, quite different from one standard to another.
Jim Moran: Completely. Absolutely. Thanks. Good point. The high level structure doesn't require annexes, but every standard I've seen has them.
Jim Moran: But yes, the one exception is the one that you and I use with information security, 27002. But the annexes sometimes get overlooked. It's a good thing that you're raising this point. There's lots of valuable information in there in every single ISO standard.
Jim Moran: And sometimes people say, oh, I don't need to worry about that because they're not requirements, except in the case of 27001 and 42001, the AI standard. But it's good to... I guess if I could list the other standards we've talked about, 9001, for example, 45001, health and safety, 14001, environmental. Even though they have companion documents that are like ISO 27002, to help guide, guidance, examples and so on, the other standards haven't embraced it quite the same way.
Jim Moran: And I think because they aren't requirements, people tend to overlook them. And in my opinion, as I think you would agree, they're missing a lot of really valuable information in there that could help them. And back to clause 10, improvement, it could certainly help them find ways to improve their management system for sure.
Dejan Kosutic: Yep. Definitely. Now, how is this high level structure related to integrated management systems? What is the connection, let's say, between them?
Jim Moran: Well, if a person had to integrate a system, let's say in 1996, when ISO 14001 first came out, I think that was my first attempt at integration. It was this company in Ontario, Canada, Southwestern Ontario, in Burlington. And they took manufactured steel wire and turned it into frameworks, sometimes just bundles of cut wire, and so on and so forth. And they were required by the automotive industry to become ISO 14001 certified. It wasn't right at '96.
Jim Moran: It was probably closer to 2000 or 2001. So having worked already since '92, eighteen years with ISO 9001, I could see some of the language of the clause requirements being similar. And so we went to work, and we didn't write a whole separate ISO 14001 environmental management system. We took the parts that were similar enough and added them to the quality system. And that was my first exposure to this concept, and it went fine.
Jim Moran: They got certified to both standards. And because of that, I started to see where integration would be easier moving forward. But when the 2015 version came out, it was like a whole new world opened up, because I could see immediately how much easier it was going to be to do that kind of work. And more and more, companies are required by their customers to be certified to more than one standard. 27001 is probably the most popular and fastest growing.
Jim Moran: But for most people that make things, especially construction companies, ISO 9001 for the quality, 45001 for health and safety. And then, obviously, if you're working in construction, 14001 on the environmental side. So it's, again, probably driven by customers. I remember in 1996 going out to Vancouver with SGS. I was the training manager at the time.
Jim Moran: And there were maybe 50 or 80 people in the room, but 90% of them were interested in adopting ISO 14001, not to save the environment, but to avoid getting fined and to start to manage their compliance requirements to all the legal requirements. And, of course, the legal requirements in every country, when it comes to environmental, are changing. I won't say daily, but they change. I think we have 14 or 15,000 pages of new environmental legislation in Canada alone, and we're a pretty small country.
Dejan Kosutic: Going back to integration and integrated management systems, how does this really look in practice? So let's say that a company wants to implement both ISO 9001 and, let's say, 27001. What exactly can they integrate, and how does this reflect on, I don't know, documents, processes, technologies, people, whatever?
Jim Moran: Well, it's not as hard as it maybe sounds. It requires a lot of work, and it requires a lot of paying attention to detail. But if you go to clause 4.4.1 a and b in ISO 9001, and by the way, the other standards, I hope over time, will adopt the same language. But 4.4.1 a and b talk about, first of all, a, identify the processes you need in your organization to meet your requirements, customer requirements, legal requirements. It doesn't say all that detail, but that's the idea.
Jim Moran: And 4.4.1 b says determine the inputs and outputs. Show their interaction. I think a is determine the inputs and outputs, b is show the interaction. So for years, the first step I've done with my clients is to get some sticky notes up on the wall with flip chart paper. And I ask them, so what happens between the time the customer calls and the money goes in the bank?
Jim Moran: So we map out all the steps in their company. And by using that technique, the integration becomes so much easier, because you can go to the first box and say, okay, what's the deal with quality? And you can, again, imagine identifying risks using these techniques. It's pretty good.
Jim Moran: It's not foolproof, but it's pretty good. So what are the risks related to the first phone call with the customer? Next, what are the risks related to determining their requirements? And then at that point, you can add in environmental. Are there any requirements related to environmental issues, climate change even, that latest amendment? Then health and safety.
Jim Moran: Oh, so if the customer wants this, if we have to handle sulfuric acid, we've got both environmental and health and safety. The good news about that first step is there are really no information security issues, but there certainly are when you're dealing with your customer. Are we talking to the customer while we're sitting in Starbucks, or are we on a secure network? And you just go step by step by step, and you can literally look at every step of your organization, start to finish, and decide. And, you know, a cross-functional team is certainly helpful for this. But you can decide if there are any issues.
Jim Moran: And while you're doing that, you can build your integrated system.
Dejan Kosutic: So, basically, if I understood well, you're saying that the implementation steps of two standards can actually be merged, especially if you take this high level view of processes and identify them from both, let's say, the quality and the security point of view.
Jim Moran: Yes. Exactly correct. And the other thing that most of our listeners would be happy to hear is that there are some significant cost savings from having your registrar audit your system as an integrated system rather than two or three or four separate systems.
Dejan Kosutic: Yeah. Of course. When a company goes for a certification. Now, how does this integration look, for example, when you're writing documents?
Dejan Kosutic: For example, what I found is that if you're writing a procedure for document and record control, you don't have to write two documents, right? For 9001 and 27001, you're simply writing one document which covers document and record control for both of these systems. But how do you normally approach this integration, integrated management systems and writing documents?
Jim Moran: That was a good example you gave, Dejan, the document control requirement. But think about the others. Internal auditing, another critical tool for managing or benefiting from a management system. Auditing is auditing is auditing. It doesn't matter what you're auditing.
Jim Moran: Now, your auditors need to have special skills for each area, but you could very easily have an integrated audit team. Maybe they wouldn't be walking around the organization together as a little herd, but meeting during the day, comparing notes, and so on. And you wouldn't even have to have a separate risk identification methodology. It can be the same for all. Now, health and safety has some specific requirements, and 27001 information security has specific requirements; health and safety adds the concept of hazards, of course.
Jim Moran: But I guess the working together can really enhance things. You kind of get a synergy happening there. But back to your question about writing the documents: management review will be identical. Just have the other areas. Yep.
Jim Moran: Corrective action: when we design ours at our clients' sites, we just have a drop-down. Is this quality? Is it environmental? Is it health and safety? Is it information security?
Jim Moran: So you can virtually use the same system for all of them. And I think, as a hope for me, for the larger clients, I'm hoping that the integration of the management system can actually help break down silos that you've seen in every company you've worked with, I'm sure.
Jim Moran: Even in smaller companies, people have sort of a desire to hold on to their stuff. So I think the whole movement of integrating management systems can definitely help people. It'll improve communication, without a doubt, between all the various departments. And I used to show videos when I was a college professor back in the early eighties, before I started ISO. There was a really great line in one of the videos I showed. It goes like this.
Jim Moran: Communication is a synonym for life. And if you take that to a corporate setting, anything that can improve communication is going to improve the corporation, for sure. No question about it. And integrating management systems, in my view, is one of the best ways to improve internal communications, for sure.
Dejan Kosutic: Definitely. Now, this kind of integration can actually go further. I mean, it will, of course, enhance communication, and in many cases you can actually integrate not only, let's say, documents, but also activities between a couple of standards. For example, you can actually have the same internal auditor doing 9001 and, let's say, 27001. Of course, if this person has the knowledge of both of these areas.
Dejan Kosutic: But how do we actually manage these, I would say, smaller differences then? For example, if you have one procedure for management review, the inputs and outputs for a management review for 9001 are slightly different from the ones for 27001. So how do you integrate, let's say, management reviews, but yet actually keep these differences separate and clear? How do you manage this?
Jim Moran: It's a good question. Thanks. First of all, management review is fundamentally the same, but has specifics for the specific standards. For example, 45001 has a requirement for top management to include workers in discussions, having a formal method for communicating. And so in a management review, after you've finished all the core ones, and, of course, the vice presidents and so on will be around the table.
Jim Moran: You would just take the next step and say, so let's look at how well we all included workers in our discussions. Workers need to be included in the creation of quality objectives, for example, or not quality objectives, health and safety management objectives; they need to be included in designing work, and so on. So the core is the same. And even management responsibility, management shall demonstrate commitment. Quality now has 10.
Jim Moran: Environmental has nine. Health and safety has 13. But the core of everything is consistent across all these standards. And then you just add the specifics for each area, AI and information security as well. Back in the late nineties, the automotive industry took ISO 9000 and created a document called QS 9000.
Jim Moran: And it was basically ISO 9001, but then they had, like we have today with the annexes, Chrysler requirements, Ford requirements, and GM requirements. And you could sort of think along the same parallel lines with your integrated management system: the core is the same, but then some areas would require specific requirements to be addressed slightly uniquely for their particular area. But every standard can learn from the other standards. All the standards could learn from clause 8 in ISO 9001 when it talks about the beginning, measurements, competent people, finding ways to eliminate, like, proofing, that kind of thing.
Dejan Kosutic: So, basically, have, let's say, one procedure for management review and then maybe separate checklists for each standard, or maybe work instructions for each standard, something like that.
Jim Moran: You could have the agenda, and the agenda would probably be able to take care of that: have the core ones, then the next item would be for health and safety. The next item would be... or you could even look at, let's say, process effectiveness, so internal auditing. So you could have input from the health and safety side, the environmental side, the quality side, and the information security side, have somebody from each area, or have the person responsible for the whole integrated management system just reflect on whether there were any specific issues in information security. Were there any uncontrolled areas of health and safety?
Jim Moran: And the language is so similar as well. Not only is it harmonized, but they haven't just tweaked little words to try to be different in all the different standards. They've really maintained a good, solid, consistent tone and message all the way through, for sure.
Dejan Kosutic: Okay. And let's say that a company has both a QMS and an ISMS, right, that they have this integrated management system. If they want to do the management review, do they actually do the management review for both of these systems at the same time? Or is it better actually to do them as two separate management reviews?
Jim Moran: My clients, I don't know what yours do, but my clients do them together. And what I've discovered happens is we get this thing, this term you're familiar with, called synergy, where one plus one equals three. And as far as information security goes, information, as you know so very well, when it's sitting still, it's not that hard to protect. But when it's moving, it's a whole different story. So when you think about how any organization operates, they've all got data stored someplace, and they have lots of protection on it.
Jim Moran: But every organization that's in business is sending data back and forth constantly, internally and externally both, so that when we think in terms of reviewing how effectively the data is being protected and how well we're doing quality, they're really intertwined. Because when you're building either products or delivering a service, you're moving data constantly. So to have the two sides talking together in management review can be a huge bonus for any organization, as we mentioned earlier, the communication part.
Dejan Kosutic: Because very often what I found with the companies that have both a QMS and an ISMS is that usually the targeted audience for management review is different for security and for quality, for example. For security, it's usually the CTO, the technology officer, I don't know, security officer, maybe CIO, chief information officer, whereas the targeted audience for quality is usually these officers who are more on the operational and manufacturing side. Right?
Dejan Kosutic: Yeah. So the question is really how to bring them together and then how to show them this benefit of, let's say, talking together.
Jim Moran: Well, if they're having a hard time getting together, it might be a little hint that there are some silos going on in a company like that. And I have to tell you, a president of an IT or a communication company in Northern Ontario told me once that he'd hired a consultant to come in, and he billed himself as a silo breaker. And he said, what I discovered is that if you can punch a hole in a silo, it's actually a self-healing hole. So any holes you can put in silos will heal themselves, and you're back to where you started. So this activity we're talking about now is a perfect opportunity for any organization to start breaking down silos.
Jim Moran: And, you know, it wouldn't make as much sense if one division of a company was milking cows and another division was making chips, microchips. But most of the companies you and I deal with, they're kind of a unified company trying to get the service delivered or the product out the door. And once companies realize that information security and quality are really woven so tightly together, you can start making a case for all those people to be around the table, especially if you have interim management checkups, like maybe a quarterly review or a monthly review. The more representatives you can get from the different parts of the company, the more value you'll get out of that meeting, for sure.
Dejan Kosutic: Okay. Now, if a company doesn't have any standard and they want to go for two standards, let's say ISO 27001 and then ISO 42001, of course they would like to integrate them, but is it easier actually to start one, complete the project, and then start with another?
Dejan Kosutic: Or is it better to actually start two standards in parallel and then integrate them on the go? So what is your experience there?
Jim Moran: My experience has been that if you start with quality, no matter what your organization is, if you get quality in place first, it increases the odds that you're going to be more sustainable. And as you pointed out, the audiences are different, and there's a high risk that if you did both at one time, you could have some sort of political issues that you wouldn't have anticipated otherwise. Territorialism, that kind of thing, people not wanting to share information because they think it takes power away from them. There's a whole bunch of potential catastrophes waiting if you do them both at once. And the companies I've worked with have been small enough, although I did work with some larger gold multinationals.
Jim Moran: But, I guess, 97% of the companies in the world, at least in Canada, I don't know about where you are, Dejan, are under 100 people, like most organizations. And then 80% of those are fewer than 50. So when you have small companies, they don't have large, well-paid teams to implement these management systems. I wouldn't say it's as bad as somebody trying to do it in their spare time on the corner of their desk. But, definitely, if you can stay focused on one standard just to get started, then that's again one more fantastic benefit of this harmonized structure, or the high level structure.
Jim Moran: If you do one, it would probably reduce the time for the second one by about 80%. But more importantly, they would definitely be much more harmonized and much more integrated, much more powerful, really. And the other thing that we haven't talked about is when you do a nonconformance, or do a corrective action from a nonconformance, to do the root cause. A lot of times, when we're talking about quality and information security, they can be linked. But you wouldn't find that out if you did it as two separate nonconformances.
Jim Moran: And the other thing is that you can get that, again, that word I used earlier: find a nonconformance to a corrective action in quality, and you'll likely be able to figure something out, some way to benefit from that effort in information security as well, and vice versa. So by having the systems well integrated, do one, add the other one, use the same cross-functional teams as much as you can, you just get incredible benefits.
Dejan Kosutic: Makes sense. Now, let's talk a little bit about 9001. Basically, a new draft international standard has been published for 9001; the, let's say, regular 9001 is expected next year.
Jim Moran:Yes.
Dejan Kosutic:So I mean, reading this new ISO 9,001, do you actually see any changes in this high level structure, or is the high level structure going to stay the same?
Jim Moran:No changes to the structure at all. And even the changes to the requirements themselves, a couple of little things like management responsibility clause five point one point one. In the current version, the very first statement is management shall take accountability for the effectiveness of the system. That got moved down to number 11. For some reason, I have no idea why.
Jim Moran:Because to me, that's the most important thing, that management's right off the bat. Anyway, so there was that movement, and they added one new requirement. There are just little tweaks here and there. They've added the amendment, of course. They made it an official part of the amendment about determining whether climate change is a factor, that kind of thing.
Jim Moran:So definitely, to the high level structure, no change whatsoever.
Dejan Kosutic:Mhmm. And so, is this change going to... I mean, usually other standards are following what is happening in 9001. So do you see any similar changes in 14001, maybe twenty seven thousand and one, forty two thousand and one?
Jim Moran:The only place that, at this point, and I just finished working with Howard, our host from last time. We just did a podcast earlier today, and I went through clause by clause through the whole standard. And there's really no reason for me to think that they would make any changes other than just the slight surface changes to common causes. We did see a big change, you and I, in the annex in twenty seven thousand one, between the 2013 and the 2022.
Jim Moran:I thought it was a great change they made: instead of 14 sections, four sections. And, of course, you know me. Simplify. Keep it simple. Yep.
Jim Moran:And then to see them line up with the Ishikawa fishbone diagram concept was great. But I wouldn't imagine that anything is gonna change as much this time as it did between the 2008 and the 2015. The same thing happened with '87 and '94, just a few modifications. '94 to 2000 was a huge change. 2008, a bit of modification.
Jim Moran:And 2008 to 2015, huge change. But having seen that evolution over the last thirty three years, this model they have now, to me, it's gonna take quite something to make a change to the structure. They could possibly in the future add a whole section on ethics, maybe, but it can already be built into leadership. And, of course, I think most of our listeners would realize, or they likely know, you can't have less than what the standard requires, but you can add whatever you want. And so other than that, it looks pretty good.
Dejan Kosutic:It's interesting that you mentioned this that maybe ethics could be something that that would be added. How about actually these new things like, you know, okay, cybersecurity and and AI especially, do you think that, you know, ISO standards in general will have to change because of these new trends?
Jim Moran:Well, they'll certainly have to address them somehow because, you know, twenty years ago, nobody had even heard of artificial intelligence. And two years ago, everybody has heard of artificial intelligence. And I think top management needs to be aware that their employees are using AI. And I wouldn't say whether they want them to or not. Any enlightened top management is encouraging their people to use AI to become more productive.
Jim Moran:But along with that increased use comes increased risk. As you know, even things like developing bias on the side of AI, the way they answer your questions based on the questions you've asked. So there's there are some real challenges.
Dejan Kosutic:Definitely. Okay, let's try to wrap up today's conversation. What would you give as top suggestions for consultants and for practitioners when implementing these integrated management systems?
Dejan Kosutic:What would you say are the couple of main points to keep in mind?
Jim Moran:Number one point, top management has to understand what's going on, and they have to say, yes. We'll do whatever it takes. The very first system I did in 1992, I had taught the owner's son at college, and I left my college position and started working on my own. And the president said to me, I know you're gonna do a great job, Jim, but I'm really busy. So don't bother me at all during the development of this system, but be sure to call me when they come to take the picture with the plaque up on the building.
Jim Moran:And that's exactly the opposite to what people need to be thinking about when it comes to ISO. Even the Japanese, they'll send the president. They'll send the president to take the lead auditor course. Two days of intensive exploring the standard, a day of internal auditing, a day of lead auditing. And in North America, we tend to send anybody but the president.
Jim Moran:And in North America, we tend to give the president a three hour overview. So we, on this side of the world, need to be more aware of how critical top management's role is.
Jim Moran:That's right. For practitioners, I would say spend the time right at the beginning with the team, the senior management team, explain to them everything. And if they don't like the idea, move on. Find another client, because it's a world of hurt when top management isn't understanding, mainly, but also not supportive. They just want the certificate.
Dejan Kosutic:Great. Thank you for these insights.
Dejan Kosutic:It's been a great talking to you today, Jim.
Jim Moran:Thanks, Dejan. And good luck as you're moving ahead as well. And hopefully, we'll do one of these together again sometime.
Dejan Kosutic:Absolutely. I was enjoying this. So thanks again. And thanks everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast.
Jim Moran:Thanks. Bye for now.
Dejan Kosutic:Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27,001 implementation and maintenance for your clients. The white label documentation toolkits for NIS2, DORA, ISO 27,001 and other ISO standards enable you to create all the required documents for your clients.
Dejan Kosutic:Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27,001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up; it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe.
