Simplifying ISO Standards: Insights and Best Practices | Interview with Jim Moran

Dejan Kosutic:

Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs, and other cybersecurity professionals. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today my guest is Jim Moran. He's the founder of Simplify ISO, has more than thirty years of consulting experience with various ISO standards, and is also the host of the Simplify ISO podcast.

And as his company name and the podcast name suggest, he is really dedicated to simplifying ISO standards. So in today's podcast, you'll learn why it is important to simplify ISO implementation and also how to do it. And by the way, Jim was already a guest of mine a couple of episodes ago, where we spoke about integrated management systems; that is also a topic we discussed in detail. So welcome back to the show, Jim.

Jim Moran:

It's great to be back, Dejan, and I'm looking forward to sharing some ideas with you today on how to keep management systems simple.

Dejan Kosutic:

Thanks, great to have you back. So Jim, when speaking about ISO simplification, what exactly do you mean by simplifying ISO?

Jim Moran:

Well, as you know, Dejan, there are so many different standards and so many hundreds of different clauses. Especially the one you work with, ISO 27001, has a whole additional standard at the end, in Annex A, with another 93 requirements. And I've discovered over the years that the more complicated people make their management systems, the harder it is for employees to, first of all, understand them and, secondly, actually use them. People tend to take the path of least resistance. And if your ISO management system has a lot of resistance in it, you really have no right to expect that anybody's gonna use it. And sadly, when that's the case, they're often much more expensive to maintain internally, plus you don't get any return on your investment, or you get very little return, if any at all.

Dejan Kosutic:

Yeah. Yeah. I fully agree with you. And actually, I have found that this is a kind of proportion: the more complex the implementation is, the less likely it is to succeed, and the more complex it is, the more costly it gets. And this is unfortunately always true.

Jim Moran:

You know what the saddest part of all this is, Dejan? It's that a lot of organizations think that more is better. And they have this misconception that if they make their manual three and a half inches thick instead of an inch and a half thick, somehow there's more value to it. So you've seen this many times yourself.

Dejan Kosutic:

Yeah, actually we used to joke that these consultants of this type charge for the documentation by the kilo, right? So the more kilos they produce...

Jim Moran:

That's good. And I'm sure there are consultants like us out there who think that the more they give the client, the happier the client will be, when we know usually it's the opposite. Yeah.

Dejan Kosutic:

Yeah. That's right. Okay. So you mentioned earlier that there are a couple of, let's say, key concepts when it comes to this simplification. So can you just go through them, go into more detail, and explain what they are?

Jim Moran:

Absolutely. I'd love to. And these are principles that I use to guide my own implementations. And I guess one of the first things to remember, when you're doing an implementation, is to figure out why you're doing it. The purpose.

What's the purpose of having the management system in your own particular case? When you start with your purpose, the requirements will just simply fall into place. And this is where I think you probably do the same thing. We start with our clients and the standard, do this thing called a gap analysis, and try to figure out what they have in place that will already be meeting the requirements of the standard. And it's not unusual for me to find that 80 or 85% of the requirements are already being met by a lot of clients.

Typically, they're not doing internal audits. They're not doing management review. Many of them don't have a formal nonconformance and corrective action program in place. But if a business is running well and making a profit, they've probably got many of the requirements already covered. I don't know if you've had that experience before.

Dejan Kosutic:

Sure. Yeah, definitely. And if I understood well, this kind of approach contributes to simplicity by not pushing anything onto companies that is not needed, only the differences, the things they're missing. Right?

Jim Moran:

Absolutely. And I also have everybody involved watch out for the phrase, "I've done my day's work. Now I have to do my ISO stuff." We don't wanna add anything to the system that doesn't come naturally. As I said, there are some specific requirements that a few people may not be meeting.

But the last version of ISO in 2015, ISO 9001 at least, and the other harmonized structure standards, really leave a lot of it up to the organization to decide how much they want. ISO 27001, information security, which we mentioned, is an exception because it has so many specifics in Annex A. But the others really leave a lot of it up to the organization.

Dejan Kosutic:

Actually, I would argue that ISO 27001 is also a very flexible one. Right? Because, first of all, it does not prescribe which controls you're going to apply. Out of these 93, you can select which ones you will apply and which ones you will not. And the second thing is, for each of these controls, it doesn't really say how to implement them.

Basically, it's up to you to decide. If you decided that you will do backup, it doesn't say how you're going to do the backup. So it's up to each company to decide what backup actually means in their case. So I would say it provides quite a lot of flexibility.

Jim Moran:

Oh, the flexibility. Absolutely. And I think that's one feature of all the ISO standards I've ever worked with. It tells you what you need to do, what requirements you have to meet, but never tells you how to do them. Yep.

Guidance documents are quite helpful. In this case, as you know, ISO 27002 has about a page and a half of guidance for each of the 93 requirements in Annex A. And most of the people I've worked with on that standard have avoided the temptation to just duplicate what's in the guidance.

And as you and I both practice, just keep it to what you need to meet the requirement. Make sure people know how to meet the requirement. And the other beauty is that you hire people who have skills. So if people are skilled in a particular area, there's really no value in documenting particular ways to do things. Some organizations dealing in medical areas may have to meet regulations of their particular part of the country, and those might require a bit more documentation.

But generally speaking, exactly as you said, the standard tells you what you have to do but doesn't tell you how to meet the requirement. And that's where clause 4, context and interested parties, fits right in to get you started off. And even 4.4.1 part a talks about determining the processes you need to meet requirements.

And 4.4.1 part b talks about showing, or determining, their interaction. That's where I always go straight to flowcharts for all my clients, just to keep it simple. And we also remember the study 3M did many years ago, I think it was over thirty years ago. They discovered through experimentation that the human brain processes visual information 60,000 times faster than text. And we're gonna come back to that a little bit later in today's talk as well.

So use it as your framework, maybe your skeleton, thinking about context. And, of course, the context is gonna impact what the management system looks like, as well as the interested parties. So as long as you can keep that as sort of your lighthouse in the fog, if you will, keep coming back to it. And then, of course, we all saw in 2015, in ISO 9001, the process approach and risk-based thinking. And when we use the process approach, inputs, activities, outputs, that helps us narrow down the scope of maybe a particular flowchart for your employees. Which also reminds me, another handy thing to keep in mind is to imagine hiring a new employee, maybe not off the street.

But imagine keeping your documentation, or your management system complexity, down to the point where you could imagine training or onboarding somebody new. I remember back in the nineties when I started, Dejan, I would sit in on some trainers' classes with the old standard, especially the '87 version that had 20 clauses, 4.1 to 4.20. It said, "the supplier shall develop, document, and implement a procedure for..." and then went on for a while. And so many organizations built these two and a half or three inch thick binders full of pages and pages and pages, thinking that they had to. And you might remember a now thankfully gone document called ISO 10013, how to write a quality manual.

And I saw more. Actually, I used one once back in 1993, I think, or '94: a five and a quarter inch floppy disk in an IBM XT. And all we had to do was change the word "company" in square brackets to the company's name, and it was all the words of ISO 9001, and it spat out a half inch thick quality manual.

Dejan Kosutic:

Yeah. Okay. So are you saying that, let's say, simplifying documents is also a crucial part of this simplification process?

Jim Moran:

Absolutely. One of the phrases I use with our services is, you can get ISO certified with flowcharts and forms. So we try to keep it as simple as possible. Of course, you have to document the quality policy, and you have to have an org chart and so on. But apart from that, people come to you with skills, in 7.2, competence.

They talk about determining competence based on skills, experience, and training. So if you can keep yourself focused on the skill base that your typical new employee has, that can help you reduce the amount of SOPs or work instructions that you need. You have to give people credit for having a brain. That's for sure.

Dejan Kosutic:

Yep. This definitely makes sense. But if you have, let's say, complex processes, and even though you might have a skilled new employee or existing employees, how do you actually avoid documenting these kinds of complex processes? Because they are simply complex. Let's say that they have, I don't know, 20 or so steps. How do you overcome this problem of not documenting these processes?

Jim Moran:

Well, sometimes you still wanna document them, but you can at least use a flowchart, which documents it visually. And that also gives the employee an opportunity to see the process in its entirety, rather than reading a single line, then another line, then another line, with your brain trying to process it linearly. With a flowchart, you can see it all at once, and you can actually see where you as an individual fit right into that whole flow. I recommend people start with an end-to-end flow. Put some horizontal flowchart paper up on the wall, get some yellow stickies, and start with the phone call from the client and follow it right through till the invoice gets paid.

The other thing that you can use instead of a documented, text-based procedure are videos. If it's really complex, like setting up a lathe or something like that, or, for a service industry, interviewing a new potential home care client, showing a video of somebody doing that can certainly give you an opportunity, first of all, to use the video for training, but secondly, to find ways to improve. Is that worth thinking of?

Dejan Kosutic:

Definitely. I found a similar thing in, let's say, the IT domain. Some procedures can be made into a video, especially if you can simply share a screen and a person can record whatever procedure needs to be performed on a certain IT system, and then you can basically show this as a video. Record it and then distribute it as a video, which is much more effective and better received by the employees who have to follow this procedure.

Jim Moran:

Absolutely. And you can also use the video or the flowchart or both for doing internal audits. So it saves you having to create a checklist that just goes tick, tick, tick and becomes a pencil-whipping exercise. You can actually ask the employees who are doing the video whether this method or this way of doing it is getting the result they want. Instead of asking if they're following the procedure, find out if the risks are being managed, and ask them if they, as the expert users of this procedure, can think of any ways it could be improved for them. And speaking of...

Dejan Kosutic:

Can you elaborate a little bit on this? Just for me to understand, how exactly does this help, let's say, with internal audit, and how does this simplify the whole thing?

Jim Moran:

Well, picture a flowchart and imagine yourself starting with square one on the flowchart. We're gonna flow through it end to end. And you go to the person who does that first step. And instead of saying, "do you have a procedure?", because they may not have a procedure, you may just have to observe them doing the activity. But if you focus on "is this process working?" as opposed to saying "are you following the process?", then it gives you instant information as an organization about how well things are actually going. And then you can ask the person if they consider, or believe, that the risks are being managed well. And this does two things.

It reminds them that there are risks associated with this stuff. They may be very small or they may be colossal. But if the operator or the person who's doing the activity engages with you and you talk about risk, then between learning if it's working or not and examining the risks, you might come up, between the two of you, with some ideas for how to improve the system, or the process at least. And when you can come out of an internal audit with suggestions on how to improve a system, it's gonna make the audit pay dividends, financial dividends for sure, just because you'll be getting rid of waste. But I will add quickly, simplifying processes can be quite a challenge in some organizations.

We love variety, but not everybody is happy about change. So that's why getting the user of the process to suggest the change works so much better than having it come from the team leader or the section leader or the shift leader. It's better coming from the person who's doing the activity than from the one who is guiding that person, or the person they report to. It's always possible to make improvements. In some instances, it's a little harder, I'll say.

I wouldn't say quite difficult. I did some work in Canada's national microbiology lab out west in Winnipeg, and there were 175 PhD scientists working there. And I have to say it's not easy to get them to conform to any particular processes. And in fact, every time they have a new sample brought to the lab for testing, it's almost like starting fresh every time. So those are the rare circumstances where it's quite difficult to do this thing that you and I call standardized work.

But leaving them off to the side as the half percent that's the anomaly, for the most part, you can get lots of value out of the audits. Use the flowchart, follow it step by step, and just put down some evidence for each box that you found out it's working, risks are being managed, and they've been explored for improvements.

Dejan Kosutic:

Okay. Going back to simplification. So what other, let's say, principles do you think are important to simplify ISO?

Jim Moran:

Well, you know, we all know that the quality standard, at least, uses the phrases risk-based thinking and process approach. Top management or leaders are responsible to encourage this, or at least support it. Sometimes those conversations about risk can get quite difficult. So the best advice I could give people is to keep your talk about risk in terms of just having a conversation about it. As I mentioned with the internal audit: is this process working?

Do you feel the risks are being managed well? And you can talk about the risks and not necessarily turn it into those giant 300-column spreadsheets we see that some people refer to as a risk matrix. That's another thing you can do with the flowchart approach, Dejan: take each box and rate the risks for each individual activity in the flowchart. And you'll see some are highly dangerous, or maybe high risk and high impact, if we think about that little likelihood-and-consequence square. You can certainly keep it simple by looking at the risks on the workflow.

And that's probably where most organizations are gonna have most of the risks anyway. Sure, there are some risks with HR. There are some risks in maybe purchasing. But, normally, for most of us, the operations flowchart is the one that's gonna have the highest-risk areas, if you think of low, medium, and high.

We can't do them all, of course, and we know that's why we use the assessment tool to determine how dangerous things are. Health and safety, of course, has its hazards as well as risks. So if we can keep those in plain language, make it, as I said, conversational, and use the visuals. You could put a heat map on your flowcharts and make people aware. I have one client that has both health and safety and environmental, after they did the quality.

And when they look at risks in the flowchart, if there's a box that has an environmental issue, they put a little tiny picture of a tree over top of the box. And if there's a step or an activity that's dangerous to humans, they put a little hard hat over top of the box. And sometimes in that particular case, they have both, because a lot of times things that can harm the environment can also harm people. So keep it visual, keep it simple.

Dejan Kosutic:

Okay. Just for me to understand, how do you actually connect this flowchart of, let's say, processes with risk management, with risk assessment? So how do you connect these two things together?

Jim Moran:

Well, that would be one way. You could do it with color. If you had, say, blue for ordinary working conditions, nothing unusual, no earthquakes or anything happening. It could be by color, but make sure you assess people for color blindness in the job interview. You could use diagonal hash marks.

You could use vertical. You could use horizontal. So when you look at the map, when you look at the flowchart, you see all these steps. As I said with the other example, maybe if it's environmental, you could put a little tree above it, or you could color it green to make people aware that this is an environmental step, or that this step could harm the environment. So again, it's still visual.

You can go further and make videos on the steps. You can even make a video following through each step of the process map and have the speaker explain what the issues are with each of the steps. Health and safety, of course, is something we need to really be aware of. And in the service industry, even home care, which we talked about earlier, some steps of delivering the care plan could have risks attached to them that could be harmful to the patient.

Dejan Kosutic:

Yeah. In cybersecurity, typically companies go for asset-based risk management, where this kind of flowchart thing might not be applicable. However, there are some methodologies where we actually do start with the process as the, I would say, unit of analysis. Right? And then you can actually analyze the processes for cyber risks, and then this kind of visual approach might make sense there.

Jim Moran:

Absolutely. You just gave me an idea on the information security flowchart. If you're following a piece of information coming into your organization and flowing all the way through it and then finally ending up stored somewhere, you could have the organizational parts one color, the people parts another color, the building parts, or the physical part, another color, and then the technological part could be a different color. There will be some that would need four color stripes in the box. That's for sure.

Again, I just wanna caution people to make sure your employees are not color blind if you're gonna use color. And you can also hover over the box and have pop-ups if you're using something like Visio or Draw.io; all those programs will let you, assuming a person has a computer and they're reading it online, get a lot of information. You can have a box connect to a form. If you get to a box where you're doing an assessment of what the outcome is, you click on the form, it opens up, and you can file it. So there are lots of ways like that to simplify things, for sure.

Dejan Kosutic:

Mhmm. Great. Great ideas. Okay.

Jim Moran:

Good. Good. Internal audits, I mentioned earlier. If you get away from just asking if the person is following a procedure and start asking those three questions: is this procedure giving us the output we want? Do you think the risks are being handled correctly with this procedure? And is there any way you think you can improve it? Which might be a simplification answer as well. Anything like that will help keep your internal audits simpler and also give you much, much better information to use to improve the effectiveness of the management system as well.

Dejan Kosutic:

So, basically, if I understood well, simplifying this internal audit means asking the same questions in all the areas of the company that you want to audit. Right?

Jim Moran:

Absolutely. Again, if you went through each box in the flowchart and sat with the person who does that activity, or even maybe two or three people who do the same activity, and focused on those three questions: are we getting the right result? Are we managing risks? And is there any way we can improve it? That will give you a very powerful, useful, and return-on-investment-improving result from an internal audit. That's for sure.

And we've talked a lot about using visuals instead of words, and I'll just remind everybody, as I said earlier, Dejan, that the human brain processes visual information 60,000 times faster than text. Everybody around the world, I think, by now has adopted little symbols on canisters or cans or boxes, containers. And so you can instantly tell if it's corrosive. You know, you see that hand with the skeleton. Or if it's gonna explode, you see the little explosion thing.

And, you know, instantly, they didn't have to print it in 32 languages all over the can. And you can use those same kinds of symbols in your own organization. I know here in Canada and Ontario, we have a program called WHMIS, workplace hazardous information management sheet symbols, and it's all symbols. And all employees have to take training in that. So they don't tell people what the dangers are.

They show people what the dangers are. And if you can think of that phrase, show, don't tell, it's a pretty good guideline to use throughout your whole management system. Show, don't tell.

Dejan Kosutic:

And is this principle, show, don't tell, more applicable, let's say, for health and safety or maybe quality management, but not so much for cyber? Or do you think it's also for cyber and IT domains?

Jim Moran:

Yeah. That's a good question. We should probably have a discussion about that, about how to specifically apply show, don't tell to cyber. But, definitely, there are anecdotes that people could use in training when we're talking show, don't tell. And, of course, when we hear of major companies having security breaches, like, say, the Chase Manhattan Bank being hit with ransomware or something like that.

We had that actually happen in Canada two years ago, a large book chain that spreads across Canada, I guess for Americans like Barnes & Noble. They were down for three days. They couldn't even take cash at the tills. There was no way to process it. So, you know, if you have stories like that in the world of cyber, your area, information security, the stories might, in fact, create a visual in the head of the employee who's being trained.

And if you can explain something to somebody and use stories like that, it also has pretty much the same effect as showing them a picture. And so you have to be creative as a trainer. That's for sure. And there's certainly no hesitation for me to ask one of the AI tools: what would be the best way to explain the dangers related to information security to a new employee? And there would probably be lots of stuff coming out of a question like that that you could use to help bolster your training, improve your training approach a little bit.

Dejan Kosutic:

Certainly. So in cyber, let's say, not only for ISO 27001, but also for these other frameworks, basically, security awareness is the way to organize this whole show, don't tell concept. Right? Basically, awareness is usually done either through videos or through some other visual methods.

Jim Moran:

Yes. And that could bring us to another point. If you can make training sort of automatic with little microlearning segments, maybe one-minute, two-minute segments, perhaps, that would show up. Whenever they get an email from HR or an email from anybody in the company, there could be a little pop-up with a micro training: you know, don't click on this.

Look out for this phrasing, and phishing. I think we mentioned in our last interview that one of the major registrars in the world, BSI, has a program for employees where they intentionally send out phishing letters. And if they click on them, they have to take the training over.

And some people I know have had to take the training three or four or five times. So if you have that kind of culture where people are vigilant about information security... And that can come from many, many ways. But microlearning can be a very good way to simplify a management system but keep people competent, make sure their competence stays up, for sure.

Dejan Kosutic:

Yeah. Yeah. Well, I'm also a big believer in these, let's say, bits of training or awareness raising, and actually sending them not too often, but let's say every one or two weeks. And this way, people are, I would say, tolerant to this amount of microlearning, and basically this shows the best effects. Yeah, certainly.

Jim Moran:

Absolutely. I remember that we got the first TV in our house in 1956, and I was eight years old at the time. So you can calculate how old I am if you need to. And the half-hour shows would run about fifteen, maybe thirteen, fourteen minutes, and then there'd be a commercial. So we kinda calculated or estimated that the attention span for humans at that time was about fifteen minutes.

So now we're down probably to about fifteen or twenty seconds. So that's another thing to consider when we're thinking about training. How do we keep people engaged? And those little micro training sessions, I think, are a really good way to, first of all, simplify your whole HR area, but then also a great way to keep people's attention.

Of course, any way you can get people involved. Whenever I do webinars for BSI, I always have them split into three pieces. Fifteen minutes at a time, then we'd have a poll and some questions, another fifteen minutes, another poll and some questions. And people seem to really like being asked something every few minutes, or every fifteen minutes anyway. And then I guess if I had to kinda summarize everything we've talked about, I'd probably wanna end with this, for everybody building a system or even maintaining or improving a system: focus on value as opposed to wondering what the auditor will wanna see. Focus on how you can build your system. Trim it down as much as you can, but focus on how to build your system so that it's gonna give you the best return on investment. And, honestly, simplifying is always a good way to get more benefit from having a management system, period. Oh, another good thing to do, in my view, is to go through the standard, whichever standard you're using, and do a search for those two phrases: maintain documented information or retain documented information.

And that way, you'll at least know what's the minimum you have to do to meet the requirements of the standard.

Dejan Kosutic:

Yep. Yep. Definitely. So when it comes to, let's say, maintenance of the system: once you set the system up and you want to maintain it, what would be, let's say, your suggestions on how to simplify this maintenance so that it doesn't actually produce too much overhead?

Jim Moran:

One thing I've done for years now is any any clients who use Word, Microsoft Word, as their tool to create procedures, I have them automate everything in right. And it's all part of the Word functioning. At the bottom, you can put authorized by and then have a field. And then the name that goes into the field is the name of the person who just made the changes to that document. And then we do a tab, couple of tabs, or one tab.

Jim Moran:

You could say then last modified date and put another field in that and that and then that is the save date. So whenever you save the document, you now have the name of the person who made the change, and you have the date that it was saved on. And that becomes your rev. That's rev March 2025. And then just for fun, we'll have on the right hand side at the bottom in the footer, we'll have the number of pay page number and number of pages.

Jim Moran:

I still see after four almost forty years that the standard's been in place, the '87 standard, I still p see people putting rev number at the top, and I might see reviewed by, might see effective date, you know, all kinds of stuff up there that has to be changed manually, and you're gonna miss one. It doesn't matter how good your your people are who are managing these documents. So automate everything. And if you can't automate it, see if you can actually eliminate it. And you'd be surprised at, for example, in ISO 9,001, they used up till 2015, they had a requirement that said you had to identify the changes.

Jim Moran:

And that requirement disappeared. Although clause 6.3, managing change, still has some opportunity to keep the old document and explain what changes you made. We have a form in our software that does that, but it's not as critical as it was for the first twenty years between '87 and 2015.

Dejan Kosutic:

Speaking of automation, so do you think that various kinds of tools can actually help with simplifying ISO, or are these tools actually contributing to making it even more complex?

Jim Moran:

Well, I've seen some software for quality at least. The couple I've seen for quality are extremely complicated. I have a friend, actually I'm having coffee with him on Friday, who was hired by a software company to get them ISO 9001 certified to start with. Sadly, I couldn't convince him to go on further to 27001, but that's another story. Anyway, he was working full time nine to five, Monday to Friday, and it took him four months to get his head around this software.

Jim Moran:

So, since you bring it up, yes, it is possible that software can actually make things worse for some companies in terms of simplicity. That's for sure. There are a lot of good ones out there, and for anybody who's looking into it, I'd certainly suggest they have a couple of sessions with the vendor and get a sense of how complicated it really is. But in the end, they can save a lot of time in terms of, as I said, that document control authorization and revision level. You can have an automated nonconformance and corrective action tool that can not only save you time but also give you good data if it's set up correctly and if you're using the right kind of tools.

Jim Moran:

They don't have to be complicated. You can have it send messages before the due date. You can send messages after the due date. There are all kinds of things you can do, but, again, just to keep things simple: you've probably been around this long enough to know the three biggest issues. I saw a survey in '96 and another one twenty years later in 2016. The same three issues came up.

Jim Moran:

Document control was one. Not closing out nonconformances was another. And then finally, there were issues with internal audits. And most of the issues seem to be either having a finding in an internal audit and not having it get into your improvement activities, or having it get in but then not get closed out.

Jim Moran:

So if you can find software that kind of addresses those three key areas, then don't worry too much about the other bells and whistles. Sort of stick with your knitting and stick with the basics, and then you've got more time to do improvements. And that's what's really gonna add value to an organization's management system, if they can stay focused on improvement.

Dejan Kosutic:

Yeah. True. I mean, unfortunately, some software is, let's say, so complicated. It really takes additional time to train only to use the software, whereas some software is much simpler and really speeds things up. Now, when speaking in general about simplification, do you think that all these principles that you mentioned are good, let's say, for any company?

Dejan Kosutic:

Or maybe this simplification is only applicable to smaller companies whereas maybe larger companies are not so good for simplifying ISO. What is your opinion on this?

Jim Moran:

Well, one thing I discovered, much to my amazement, was that in Canada, at least, I don't know if it's the same in your country, but our government loves complicated things. And

Dejan Kosutic:

I think all the governments like complicated things.

Jim Moran:

So unless you're a government, you can definitely benefit from simplification. In fact, when you look at your country's business statistics, you can find out from pretty much any source how many companies have fewer than 100 employees. And it turns out, in Canada anyway, about 97% of the Canadian companies have fewer than 100 employees. And 80% of those have fewer than 50 employees. So the vast majority of people that you and I are looking at for our services or our software in particular have fewer than 50 people.

Jim Moran:

So it's definitely, I'm not sure who the clients are. I know the one company in town here in Ottawa who has all the ISO 9001 software, their software and government agencies? It's because the government likes things that are complicated. They like things that are expensive as well. And it's highly unlikely that that specific company, that specific software, would ever fly in the private sector just because it's expensive.

Dejan Kosutic:

This is true. Yeah.

Jim Moran:

Yeah. So I don't know if that answered your question or not, but definitely, as I mentioned earlier, spend a good amount of time with the vendor, and what I do is I always ask people, so tell me a little bit about your day. How does your day go? And then we would go through our software to see if it would actually help them get through their daily... A lot of the advertisements or a lot of the presentations I see on software, they start out with 16,298 features that the software has, and you might use 20 of them. What's important is to make sure that you as the user are getting something that's actually gonna help you.

Jim Moran:

That's a really good point you brought up. I hadn't thought of that. Yeah.

Dejan Kosutic:

And I agree with you. I mean, the large majority of companies can benefit from this simplification. Okay. Government could be one exception. And actually, what we see here in Europe is financial institutions, especially the institutions that are regulated by DORA, which is a cybersecurity regulation here in the European Union.

Dejan Kosutic:

I mean, this DORA is very, very complex in itself. And when you start writing documents based on DORA, they actually come out also more complex than I would personally like. So, but the point being here is that especially larger financial entities tend to, let's say, go towards these more complex documents, and simplification there might not really work. So there might be some exceptions.

Dejan Kosutic:

This is my point.

Jim Moran:

Yeah. I certainly agree. Simplification is usually the last thing on their mind. Complication, and that gives them a sense of security, as we talked about right in the very beginning.

Jim Moran:

If they have complicated documents, they think or they imagine, somehow incorrectly, I personally believe, that they'll be safer. They're safer when they build a culture of risk awareness and information security awareness. I think that'd be probably the best advice I could give those kinds of organizations. And it's exactly the same here in Canada and the US and the whole Western Hemisphere. They have lots of additional requirements.

Jim Moran:

There are NIST requirements. There's SOC 2. There are all kinds of things that people... oh, and there's a new organization, newish, anyway, CSA, Cybersecurity Alliance. And there are companies like that popping up all over that can help smaller organizations.

Jim Moran:

But I imagine the larger organizations that you're talking about probably have their own departments with, you know, who knows how many people, but their focus is just simply information security, and it probably makes sense for them for sure.

Dejan Kosutic:

Mhmm. Okay. Let's switch our gears a little bit towards consultants. So what do you see in terms of simplification? Where do you see consultants actually make mistakes when it comes to simplification?

Dejan Kosutic:

So do all the consultants actually understand this benefit of simplification?

Jim Moran:

I tend to hang around with the ones who do and tend not to hang around with the ones who don't. I guess we just support our own thinking. You know, we hang around with people who think like us. And I think many are still back in the '87/'94 version, 20 documented procedures or more. And I think you suggested this in the beginning of this exercise, the beginning of the podcast, that some consultants think they have to produce massive amounts of paper, maybe to justify the invoice they're gonna be sending them.

Jim Moran:

Yeah. Yeah. Could be any number of things. But you and I know that more is definitely not better when it comes to documentation and management systems. But it's really hard to make things simple.

Jim Moran:

Somebody asked Mark Twain once, the Tom Sawyer author, why he didn't write short stories. And he said, I don't have time. But he didn't mean time, because he was writing big novels. He acknowledged it takes more time to write something shorter.

Dejan Kosutic:

For three of them. Yeah.

Jim Moran:

True of procedures as well. I think that's why the flowchart is so wonderful a tool, because you're looking at it, you can see it, and first of all, you're not gonna miss anything. But secondly, when you audit it, you might find out you can reduce a step or two.

Dejan Kosutic:

I always tell my employees when they come to me with something very complex, it's actually easy to write something that is long and complex. It's very hard to write something that is concise and to the point. So anyway, from the consultant's point of view, what is actually the benefit of them pursuing this simplification idea? So why would consultants actually suggest simplification to their clients? How is this better for a consultant?

Jim Moran:

Well, if a consultant can help an organization do what they're doing better, and simplification clearly would help them do what they're doing better, then the consultant is likely to develop a longer-lasting relationship with that particular client. And people love getting good advice. They love simplifying things when it's gonna improve the outcome of what they're delivering, and also, when the outcomes are improving, morale is improving. And if you as a consultant can help a company improve its output, improve its morale, it's gonna improve the length of stay, so that you have less turnover with employees, and that turnover is a hidden cost that can cripple some companies. So if you can make things simple, or simpler, people will be happier.

Jim Moran:

They'll be more productive. They'll brag about the company, how good it is, and that'll attract better employees, higher-caliber employees. It makes auditing easier. And, of course, when all that's working in your favor, the bottom line's gonna improve for sure. So if you're a consultant that can help people simplify and then result in a better bottom line, you're gonna be sought after by them for sure.

Jim Moran:

Yeah. You could develop a good relationship with them.

Dejan Kosutic:

Mhmm. No. I fully agree with you. And actually, I usually try to explain this logic to other consultants in terms of scaling the consulting business, right? If they actually have highly satisfied clients, these clients will then recommend them to their friends, right?

Dejan Kosutic:

And this is how they get this word-of-mouth promotion. But I mean clients will do this only if they're really highly satisfied, right? And if the consultants are simplifying things, then clients will be satisfied. On the other hand, also if consultants are simplifying things, this also means that they will spend fewer resources in working with these clients, which means that they can also scale. They can actually handle more clients with the same resources.

Dejan Kosutic:

I think for consultants, this definitely does have very, very important benefits.

Jim Moran:

Well, and it's happened with me specifically at that very point, Dejan. I started seven years ago using a grant program here in Ontario for clients, and they would get 80% of my fee back from the government if they met certain criteria. So that made it cost-beneficial for them. But in order to get the grant, the course had to be a certain length. So it turned out to be just under a hundred hours, ninety-six hours for ISO 9001, for example.

Jim Moran:

And so we could do it in four months, two sessions a week, so I could handle three clients. Then somebody wanted to stretch it out from four months to eight months, so it went from sixteen weeks to thirty-two weeks. So now that meant I could handle more clients because I was only using three-hour chunks instead of six-hour chunks. So I just worked Tuesday, Wednesday, Thursday, three six-hour days, so I could get three clients. Then we went to the sixteen-week model.

Jim Moran:

It didn't simplify it, but it made me now capable of handling six clients instead of three. But because the program is winding down, I think I may have just done my last one with them. But in the meantime, I've developed an ISO 9001 do-it-yourself approach where I show people how to use our software and use AI. So now what was ninety-six hours is now about thirty hours. So it's brought my capacity from three to six to now 12.

Jim Moran:

So it's made a difference in my personal business, and then people are learning more on their own with this approach. And I'm convinced that the systems they're building, since it's more of them and less of me, I think they're gonna be happier with the system in the long run. The other thing is, when they asked me a question, they got an answer from one person. When we use AI, we can access 1,500, 2,000, 3,000 people like you and me.

Jim Moran:

So it's kind of a win-win for sure.

Dejan Kosutic:

Yeah, definitely. This kind of using technology to scale, well, our knowledge as consultants is very, very important in this business. Yes. Okay. To wrap up the discussion, so what would be your top suggestions for consultants with regards to this simplification?

Jim Moran:

Well, I think right back to the beginning when we talked about focus on the purpose. Why are you building this management system? How's it gonna serve the client instead of having the client serve it? Focus on the purpose. And then we did a bunch of examples of how to do that.

Jim Moran:

But the final thought, I think, has to be, and it ties in with what we were just talking about, focus on value. Don't get focused on what the auditor will want. Focus on what value this management system can bring to our company and how we can continue to make it dynamic as opposed to static. If we have a dynamic system, it'll continue to deliver more value year after year after year.

Dejan Kosutic:

Okay, great. So these were really great insights, and thank you, it's been a pleasure talking to you again.

Jim Moran:

Thanks, Dejan, good to see you again. We'll get you back on our podcast maybe once winter gets kind of underway and we get used to adjusting.

Dejan Kosutic:

Okay. It will be a pleasure. And thanks again, Jim. And thank you everyone for listening or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast.

Dejan Kosutic:

Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your The white label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce.

Dejan Kosutic:

Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today, stay safe!
