Raul Qais, Vice President ANZ, and Nathan Atkins, Head of Cloud Enablement, from inforcer are joined by industry expert, Jason Maricchiolo from ISO365, to discuss how MSPs can use ISO 27001 to ensure compliance, strengthen security, and build customer trust.
Watch our webinar with Jason Maricchiolo from ISO365 to understand how ISO 27001 helps to protect your business and build customer trust.
Raul
Hey everyone, Raul from inforcer here. We’re going to have people joining as we get going, but let’s start with introductions. Thanks so much for joining. My name is Raul and I’m the Director for inforcer Australia New Zealand.
For those joining our first webinar, we’ve been running a series based on the main topics of interest and talking points we hear from partners most often. Last month was all about service differentiation and how to productise your services. That leads us on to frameworks. We hear a lot of questions from partners about which framework they should align to, and the best practices for helping customers align to certain frameworks. For that reason, we chose to focus on ISO 27001 today.
In terms of the webinar’s goals, we’ll be looking at how ISO 27001 helps protect your business and, most importantly, how it helps you build customer trust. We’ll also talk through best practices around gaining and maintaining certification. From an inforcer perspective, we’ll focus on how this relates to keeping your clients’ Microsoft 365 environments secure and compliant.
Without further ado, let’s introduce our guest speaker. Jason, I’ll let you introduce yourself.
Jason
Thanks, Raul. Thanks, Nathan, and thanks everyone for having me. I’m Jason, for those who don’t know me. I’m Managing Director at ISO 365. I’m really looking forward to talking to everybody today about how ISO 27001 looks within their business. I’m keen to answer questions from the audience and have a good, informative webinar with you all. Nathan, over to you.
Nathan
Thanks, Raul. I’m the Head of Cloud Enablement for Australia New Zealand. I’m very much a Microsoft expert, particularly on the 365 side of things, as well as the inforcer expert.
Raul
Great. A bit of housekeeping: yes, this session is recorded. We’ll send that through afterwards, along with Jason’s contact details. We’re changing up the format today and trying something more like a fireside chat, so no death by PowerPoint. It’s meant to be interactive. I’ve saved up lots of questions from partners, mostly for Jason and some for Nathan. I’d encourage everyone to ask questions using the chat or Q&A throughout. We can also save some time at the end for questions if needed.
If we start at the beginning with ISO fundamentals: Jason, there are a lot of frameworks out there. If I look at our template library, Nathan is building an ever-growing list of templates in inforcer. Why does ISO 27001 matter to MSPs?
Jason
It’s a great question. It’s obviously a really hot topic, and it stays a hot topic. ISO 27001 is really important for MSPs because it’s what your customers know. It’s a framework or standard that everyone recognises.
It matters because clients are looking for assurance from their upstream providers. They’re looking for an even baseline and a way to compare everyone. Mainly, it’s about building credibility and trust with your clients, and hopefully being able to win new business and build trust with prospects.
Raul
If I think of inforcer, an MSP or TSP that is trying to consolidate around the Microsoft stack is a good fit for us. Which MSPs or TSPs can really benefit from ISO?
Jason
Of course, I’m going to say all MSPs and TSPs can benefit from ISO. It can sit across the top of any control base. There are lots of control systems people may align to: Essential Eight, NIST, CIS, and many others. ISO 27001 can sit over the top as the information security risk management system.
It’s relevant to everybody because, as I said before, clients know about it and are asking for it more and more. They have been asking for it for the last 10 years, but it used to be more at the enterprise level. Over the last seven years especially, we’ve seen that requirement trickle down. Even if you started an MSP yesterday, to play in some areas you need to be able to give assurance. One way to give that assurance is to implement ISO 27001, get certified, and use the certificate and logo to help drive business.
Raul
You’ve touched on other frameworks, which is interesting. How do you work around the fact that partners may have customers asking them about Essential Eight, while others are talking about CIS controls? How do you suggest ISO interacts with the other frameworks partners might be under pressure to align to?
Jason
The best part is that, from an ISO perspective, it doesn’t matter which control base you choose. I know plenty of MSPs, including ones that work with us, who have completely different methodologies when it comes to security. Some are all in on Essential Eight. Some are all in on NIST. Some use a hybrid approach and have built their own stack that they believe is most secure and that their clients trust.
ISO 27001 is the wrapper that sits across the top of whatever control base you’re implementing. It then allows an external presence to come in, audit, and assess your competence or alignment to the standard.
Raul
People might be shocked to learn we did some preparation. When we were preparing yesterday, you spoke about one of the main differentiators being how ISO can help build customer trust. Customers are sometimes audited themselves. Can you explain more about what that differentiator is for an MSP if they can say, ‘Yes, we are ISO certified’?
Jason
It stems from the fact that customers or prospects assessing a new MSP, going to tender, or inviting a group of MSPs in need them to hit a certain baseline. They need to make sure whoever they’re inviting in to look after their business is already at a secure level.
One way to tick that box is to achieve ISO 27001. It doesn’t guarantee that you’ll win the work; it’s what we call the ticket to play. I encourage everyone I speak to to put this on their roadmap, so if and when they’re up against a competitor that has it, they don’t miss out on the work.
Clients will always look for assurance because many need to get their own cyber insurance. It all comes down to the client’s risk profile. Insurers build a risk profile based on the business, and if a client is transacting with an MSP that cannot verify its controls, things can become risky for the client. That’s when we see prospects drop off.
Raul
So not having that certification can mean prospects drop off before you get past that stage.
Jason
Yes, I’ve definitely seen it. I can almost guarantee everyone on this call has probably seen it in some shape or form. They’ve either been part of it, or, if they’re certified, they may have won a deal because of it. It’s definitely happening and it won’t stop. I was speaking to a partner the other day who was talking about the way the industry is changing. There’s more stick coming into play when it comes to not being compliant with frameworks.
Raul
You said ISO used to be enterprise only, but now that’s changing. What, in your mind, is changing?
Jason
When I was first introduced to it about eight years ago, it was more for enterprise-level work. I first saw it in a government tender and had to figure out what it was. I’ve now built a career from it.
It’s no longer just government entities asking about it. Even everyday clients need assurance from MSPs. If you’re not playing in the full enterprise space or going for government tenders, your clients may still want the same assurances, and it’s their right to ask for that. They want to make sure whoever looks after them is as secure as possible.
I always use the analogy that your clients may love you. You may be the best people they’ve ever met. But the moment they need ISO 27001 assurance from you as an MSP is the moment that relationship can start to flex and become strained. It’s important to stay ahead of it rather than trying to solve the problem when it arrives.
Raul
There are quite a few people on the webinar and they’ve kindly given up their time, so we can assume they know ISO is important. The next stage is: Jason, how do I actually go about getting this certification?
Jason
It’s a great question. You need to start by either going for it yourself through self-implementation or partnering with somebody. There are people on the call I’ve spoken to in the past, and some are even clients, and that is something we do. But this isn’t about me. It’s about how we as an industry can achieve ISO 27001 so we can all succeed.
The best way to start is to figure out whether you’re going to self-implement or partner with someone. Those are the two forks in the road. We could spend an hour discussing both, but the short answer is to choose between self-implementation and working with a partner.
Raul
What are the common pitfalls or mistakes you’ve seen that you can help people on this webinar avoid?
Jason
A lot of people come into ISO 27001 and focus only on the technical controls. There are four areas in the annex everyone needs to be aware of: organisational controls, people controls, physical and perimeter security controls, and technological controls. ISO 27001 isn’t only about technological controls, even though that’s often what you hear about on LinkedIn, in the media, and elsewhere.
You also have the management clauses, which are the front half of the ISO standard. Without getting too technical, the same risks tend to come up. From a non-technical perspective, things like onboarding and offboarding checklists are common areas where people fall down from an HR perspective.
Then you move into physical security. Some organisations are hyper-aware and no one can get in the front door. Others realise that someone could walk straight off the street, up the stairs, into the elevator, onto their floor, and into the office. That has genuinely happened before, so the physical security side is important too.
Then you have the technological side. Many people on this call are interested in how technology can solve technical controls. There are many platforms and systems that can help with that. There are common characteristics, especially around the Microsoft 365 stack, application control, and similar areas.
Raul
Correct me if this is ignorant, but a lot of our partners would use inforcer to uplift their clients’ Microsoft 365 environment to be Essential Eight compliant. Is that also how you’d advise MSPs to help with their customers’ ISO compliance? How does the commercialisation of it work?
Jason
I see what you’re saying. inforcer as a tool solves a bunch of problems. Does it solve every control in the standard? No, we all know that. Does it solve a handful of really important ones? Of course it does. Being able to manage Intune and Entra is really important when we do our gap analysis workshop.
From the client side, you can start to prepare your clients in the best way possible. They don’t need to go through their own ISO 27001 certification, and they may never have a requirement to do so. But you can replicate internally what you build for ISO 27001, knowing that it can take them to a certain baseline. If they ever decide to trigger that process, they could commission an audit and get certified.
There’s also no problem with saying a client is aligned. I have a few MSPs that choose to do that. They build their service offering around being aligned and capable of being certified to ISO 27001 one day. It’s a real thing.
Raul
So it’s almost setting your customers up for something they might need in future.
Jason
Correct. It may not be something every client needs to go through, but bringing everyone up to a certain level is what everyone is talking about at the moment: raising the bar, lifting the tide, and getting to a point where we’re all as secure as possible and learning from each other.
Raul
Once you’re ISO certified, how do you continually maintain compliance, or is it a one-time project?
Jason
ISO is definitely not a one-time project. For anyone on the call who has looked into it, you’ll probably notice it’s more of a three-year cycle. In the first year, you do the implementation and then sit your certification audit, which is made up of two separate audits: stage one and stage two. At the stage two audit, you are ultimately recommended for certification. Your audit report then goes to a certification manager, who vets it and ultimately awards the certification. That’s year one complete.
That’s when everyone celebrates, posts on LinkedIn, updates graphics, and says they’ve done it. But in my opinion, that’s when the real fun starts. Twelve months after that date, auditors come back to do a surveillance audit. A surveillance audit is about half the time of your first-year certification audit, so it’s shorter. But if they’re looking at risks from 12 months ago, no updated controls, no corrective action, no internal audit, and no management review, they’ll issue a bunch of non-conformities. If those aren’t closed off, that’s when we see MSPs going into suspended status.
Some have done exactly that. They self-implement, get the certificate, don’t realise they need to manage it ongoing, fall into trouble 12 months later, and then it becomes a mess to unravel.
Raul
Understood. In terms of implementation, you’ve said there’s physical and technological. Today, we’re focusing on the technological. Someone has asked a good question: what is year three? You talked about year one.
Jason
Yes, absolutely. Year three is basically like year two. It’s what we call surveillance two. You go through it again, and that completes your three-year cycle. The next audit after your second surveillance audit will be a recertification audit, so the whole process starts again.
If you have managed and maintained the system and it’s a smooth, well-run ISMS, your recertification should not be a problem. But if you’ve struggled through your audits, you can expect recertification to be harder. Times change, technology changes, and auditors change what they’re looking for. What was good three years ago is not necessarily good now for an audit.
Don’t be fooled by the 2022 year on ISO 27001. It doesn’t mean we’re implementing technology from three or four years ago. Every ISO has a publish year and goes through five-year and 10-year reviews. We were due for the ISO 27001:2013 review, which is why we now have 2022, and that’s the version that will carry us forward.
Raul
You were telling us not to use AI to look for the controls, because it can pull through the 2013 controls.
Jason
That’s one of my favourite things when self-implementers come to me and say they’re going to use AI. They start referencing controls like 13.44, and I can immediately tell they’ve used AI and have the 2013 standard. That isn’t going to help. Be careful with that. If anyone on the call is thinking AI will do this for you, I’m sure you might figure it out if you really want to do it that way, but it’s a common pitfall people don’t necessarily see straight away.
Raul
Circling back to where we were, and zooming in on technology: based on what you’ve seen, what are some best practices for MSPs to maintain ISO compliance for both their own and their customers’ Microsoft 365 environments?
Jason
From a Microsoft 365 environments perspective, you need to make sure the fundamentals are ticked off. We’re always looking for an Intune deployment. It is infinitely easier if you have Intune rolled out and corporate devices. Sometimes MSPs have a mix of BYOD laptops, and that can be more work to overcome because you can’t control a BYOD laptop unless you’re asking staff to let you manage it completely, encrypt it, and apply all the necessary controls. That can be a pain point.
One of the best things I can say to MSPs is that if you can roll out Intune, use corporate devices, and have everyone enrolled and compliant, you’ll have a far better time starting this process than not. That’s a telltale sign for me.
The other one is MFA. Make sure everyone has MFA turned on for the Microsoft stack. I’d hope 100% of people on this call have that, so that’s a low-hanging fruit. Then there’s email: making sure Defender for Email, or your chosen platform, is scanning for malicious links and threats. Ultimately, we also look for patching to be completed on time. There is a lot more to it, but at a high level for Microsoft 365, that’s what we’re looking for.
Nathan
That’s good news, because if you’re already using Essential Eight or CIS, a lot of the Microsoft 365 controls are already part of that. From the Microsoft perspective, it isn’t too much of an uplift to move towards ISO certification if you already have those good practices in place.
Raul
There’s a question from John. In terms of documentation, is the inforcer portal enough as a document repository, or is it recommended to have documentation outside the software? He says he understands inforcer can export a JSON, but asks whether there’s another way to use this for documentation. Jason, I’ll come to you first.
Jason
Great question. We look at documentation in two different ways when it comes to ISO. We have policies and procedures related to the ISO framework. In our world, those sit in SharePoint. We use the Microsoft stack and don’t put you into separate platforms for that. We encourage you to use a platform you already have.
Then there is clause 8 of the standard, operations, which includes standard operating procedures. Those can live in other platforms. That’s where the documentation John is talking about may sit. There’s no need to pull it out, replicate it, and put it in SharePoint for an auditor. It would fall under clause 8. Whether you’re using inforcer for that documentation, or a mix of IT Glue, Hudu, or something else, that can be your document store and it doesn’t need to be replicated and copied across.
Raul
Nathan, to prove I haven’t forgotten about you: I know you and Jason are working on an ISO baseline to add to our policy library. What I’ve found with these frameworks is that they can be open to interpretation. What are your best practices for building standards for any framework?
Nathan
It’s making sure you have a good holistic approach to protecting the end user and protecting the data within an organisation. Those are the two big areas.
You need to look at protecting user identity: MFA, requiring compliant devices, and so on. These days, things like geo-blocking can be easily circumvented, so requiring a compliant device, which aligns with ISO standards around compliance, is a much stronger protection than relying on geo-blocking that can be bypassed with VPNs.
Protecting the end user, protecting the endpoint, and having good controls around your data are the key aspects of that protection point.
Raul
In your experience, let’s say an MSP has worked with Jason and has ISO controls they now need to implement. What is best practice for pushing those policies onto their internal tenancy?
Nathan
Using inforcer is one of the best ways to build out those policies. That was a great setup, but effectively it’s about building your baseline so you have a set of policies and a strong repository covering the main pillars.
Using frameworks, Secure Score, and other inputs all build on that framework. I like to think in line with Secure Score: identity, device, data, and applications are where you want to pivot and have policies in place to protect your environment. Look at the user: is the user protected? Look at the device: do you have restrictions in place for macros, USB storage device blocking, and other controls?
Build out your policies in that way so you can support tiering. Some users don’t want as much security, so you need a bare minimum policy set that you choose and build into a separate tenant that is out of the way. Using a platform like inforcer, you can deploy those policies across your own organisation and your customers, using the same tiered approach.
As Jason said, when you want to go for ISO certification, you know you have protection and policies in place. Your customers do too, so if they ever want to go on that journey, you’ve already done some of the work and can replicate it. You can still charge them appropriately, and it allows you to make extra profit from the hard work you put in during the initial stages.
Raul
Jason, you talked about the different Microsoft 365 admin portals with regard to ISO. Why is Intune so important for ISO?
Jason
It plays a massive part in onboarding and offboarding, which we care about a lot. It’s one of the biggest issues I raised at the beginning. Intune is a good way to manage a device in one place. In the older days, it wasn’t possible to do that with Intune, but it’s now much friendlier.
In an audit, we’re looking for a nice green bar showing compliant devices based on the policies listed in Intune. It helps manage account characteristics, such as how many failed login attempts lock an account, how long the account is locked for, and inactivity lockout when someone gets up and walks away from their computer. All of these characteristics come into play.
When we have a clear way to manage that and an auditable way to show everything is enrolled and compliant, it makes everyone’s life easier, including the MSP going for certification.
Nathan
The other good thing about Intune is that it works with Windows, Mac, Linux, iOS, and Android. You can have compliance across your full device spectrum. If you have Macs in your organisation or your customers’ organisations, you might have used Jamf or other applications to manage them, but Intune can do it all now and it’s quite simple, even on the Mac front.
Raul
Nathan, as one of the biggest Microsoft enthusiasts I know, why, in your opinion, is it easier to standardise or comply with a framework if you’re using as much of the Microsoft stack as possible rather than third-party tools, if you agree with that?
Nathan
Secure Score is an interesting one. It’s very Microsoft-centric and it’s good at making you want to sell more Microsoft products. I’m a big believer in frameworks. Whether it’s Essential Eight, CIS, ISO, or another framework, they all work together to achieve the same goal of protecting and securing your environment. Secure Score only looks at certain aspects.
I came from an MSP before inforcer, so I know MSPs don’t always use everything Microsoft. They may have third-party applications. For example, if you’re using third-party antivirus and not Defender, your Secure Score may look poor. To your customers, it might look like they’re insecure because they’re not at the level Secure Score says they should be.
But if you’re aligned to a framework like ISO, you can show that you’re compliant without being tied only to Microsoft products. Defender is great, but there are lots of good products out there. A framework highlights security posture in a more standardised way. It doesn’t matter what licensing SKU your clients have, what products they use, or whether they’re a full Mac house with a Microsoft tenant. If you rely only on Secure Score, it could look bad. Frameworks allow for a better overall picture of where your customers sit.
Raul
Pretty much everything we talk about seems to come back to reporting. It’s not just doing the work; it’s proving your value, especially if you’re delivering an ongoing service. If you’re doing a good job, people might not even know you’re doing anything.
Jason, nothing to do with inforcer, but from your side, if one of your MSP’s customers is going through ISO certification and the MSP is helping, how do you advise they audit their clients first and then report on the work they’re doing?
Jason
Reports in their truest nature, like end-of-month reports, are exactly what we look for in an audit. We need to show consistent evidence that something is being looked at and managed. Threat intelligence reports are something that often comes up, and we need to have them handy.
Documentation and records are always really important. From the client perspective, if you can provide these reports, you’re making your own life easier in the audit. Ultimately, the MSP will usually be called up to represent the client from the technical side. Good reporting makes the MSP’s life easier and helps the audit go more smoothly.
I’ve worked with many great MSPs who are doing the right things from day one but aren’t necessarily recording everything. Then there’s no evidence that X, Y, and Z has taken place. Reports are huge for us.
Raul
Nathan, at your MSP or when advising partners, how deep into the data do you go? Do you provide a summary for the board, technical detail, or something else? What data would you advise reporting on?
Nathan
It’s important not just to show that a policy exists. Having a policy in place is good, but you need to show whether it has applied to users. Intune is great for that kind of information, and you can pull it into Power BI to build custom reports.
It can show a breakdown of devices: whether they’ve been patched, what patch versions they are on, what versions of Microsoft Office are installed, and more. You can choose to show everything and list all devices, but that might be too much information for business stakeholders. It may be better to show only devices that are non-compliant.
For example, there might be seven or eight machines in a company that are out of compliance for that month or quarter, and you should have explanations. Perhaps they have been offline because someone has been on holiday. If customers can see not just that you deployed something, but that you are actively monitoring it, showing value, and highlighting what has changed each month or quarter, it creates stickiness. Customers aren’t in the dark; they’re actively involved and on that security journey with you, which shows you’re helping them move forward.
Raul
What are the most common misconfigurations or blind spots in Microsoft 365?
Nathan
The big ones I’ve seen over time, including in my years at an MSP, include MFA being misconfigured. It can happen easily, especially if you’re changing users in and out of groups, managing international trips, or creating exceptions. I’ve seen policies deleted by accident or switched into report-only mode, which meant no one was actually being protected. Having visibility and reporting on MFA status is important.
Devices falling out of patching are another major blind spot. If a computer has a glitch and hasn’t patched or updated, the user may never know because they’re still working fine. Their operating system could be a year and a half out of date. In the early days of Intune, when things weren’t as reliable, I saw that often. We had to deal with it, report on it, and maintain visibility because it was a critical part of security. The user wasn’t aware and may not have cared that they didn’t have to restart every few days. Those two are probably the big ones.
Raul
To tie everything together on the ISO side, Jason, can you think of a partner you helped with ISO and some actual benefits they saw over time after implementing it? You don’t have to name the client, but real-life examples are always interesting.
Jason
There’s an easy way to answer this. I get two types of phone calls every week. The first is: ‘Jason, it’s happened. What do I do?’ When I say ‘it’s happened’, it usually means a number one or top-five client has requested ISO certification from the MSP within the next six to 12 months.
That is what I call the defensive ROI. We do this project to defend the work we’ve already got. Going back to what I said earlier, clients might love us, but they may still need to leave if they can’t get insurance or satisfy their own requirements. Defensive ROI probably makes up a good 60%, possibly pushing 65%, of our business.
Then we have the ones that are preparing and looking forward. They don’t have a burning need right now, but they want to play in areas they haven’t played in before. They want to be invited to RFPs and RFQs. They want to proactively search tender portals and put their names in the ring for work. That is the offensive ROI: trying to build a business and an engine based on ISO certification.
When someone asks, ‘How much is ISO 27001 going to make me?’, I say they’re thinking about it the wrong way. It depends on how good you or your sales team are at selling it. If we do the project, get you certified, and you do nothing with it, don’t expect anything. From an ROI perspective, there is defensive work, where we keep existing clients happy and show value, and offensive work, where you use the certification to play in new areas and build the business.
Raul
For the people on this call who focus on certain verticals, are there verticals that open up more often once you have ISO certification?
Jason
We do a lot of non-MSP work through our channel programme when working with MSPs’ clients. The typical sectors that come through are financial services, professional services, and, funnily enough, marketing or creative agencies. They’re holding a lot of PII, personally identifiable information, or a lot of client data.
Financial services, law firms, and professional services are very aware of ISO 27001. Their regulators are asking them to look at it themselves and asking their supply chains to look at it. If you see questions such as, ‘Do you have a risk management platform?’, ‘Do you have a risk management system?’, or ‘Do you have an information security management system?’, and you’re ticking yes, ISO 27001 is often what they’re asking for. That is the translation.
Raul
Brilliant. Great answer. To wrap up, I have a question for both of you. Jason, you first: what are a couple of takeaways you’d hope the audience takes from today?
Jason
I want to see the percentage of calls I get that start with ‘It’s happened, what do I do?’ drop from more than 50%. I want to see a more proactive approach from people on the call who believe this will help their business. It won’t be everyone.
I do have a mission in my mind to see all of Australia’s MSPs achieve this at some point, because Australia has goals to become the most cyber-secure place in the world by 2030. We’re not going to get there by twiddling around the edges. We’ll get there if we come together and do this holistically.
A key takeaway for me would be: don’t be scared to talk to someone who knows this stuff. It doesn’t have to be me. Have a conversation with someone who understands ISO 27001 and figure out how far away you actually are. A lot of clients are surprised when they have that conversation and realise they already have Intune, MFA, and other telltale signs of maturity. Start thinking about what the next six to 12 months looks like for you as an MSP, and whether ISO 27001 will factor in.
Raul
Thank you. Nathan, same question.
Nathan
Make sure your security is tight and that you understand where everything sits from the Microsoft 365 tenant perspective. If you don’t already have one, think about building a baseline and a standard set of policy sets within your organisation. Then you’ll need something to distribute it, whether that’s inforcer or another method.
Build that baseline and have a set of policies that can align to ISO 27001 or any framework. Make sure it’s in place, because it will make your life much easier when helping customers.
Raul
All right, great. We’ll send a recording round to everyone who joined. We’ll also send the transcript because usually there’s a slide deck, but today there are no slides. Jason’s contact details will be in the email, so get in touch with him if you have any more ISO-related questions. Thanks so much for joining. I hope that was useful. Any feedback is always appreciated. Next month, we’ll cover sales best practices for MSPs, and we’ll send emails around about that. Thanks everyone for joining.
Nathan
We’ve got a question.
Raul
We do.
Jason
I think I can answer this one, Nathan.
Nathan
You go for it.
Jason
To answer Shawantha’s question: if you don’t have servers or data stores yourselves outside partner platforms, do you as an MSP need to be certified if you have proper controls and baselines in place?
The short answer is yes. It doesn’t matter if you have servers or data stores, or if you are a one- or two-person MSP that is fully cloud-based. When you say you have proper controls and baselines in place, your clients cannot verify that. Although you know you have them, your clients don’t. You need external validation that you have those proper controls and baselines in place.
Raul
We’ve got another one. Daniel asks: ISO can be quite a significant investment for SMBs. Do you have any advice on presenting it in a way that feels more achievable and approachable for smaller organisations?
Jason
I definitely do. It’s why ISO 365 exists, to be honest. I’ve been trying to change the significant investment piece. It used to be a large amount of money upfront, then auditing fees, and then you were left on your own.
Find a partner if you want to make it economical. We do ISO as a managed service, and a lot of people on the call know who we are and what we do for MSPs. We solve that problem from a significant investment perspective. I’m happy to have a chat and see if it lines up internally.
Raul
It sounds like Dino doesn’t know that you can use an external ISO business. The next answer is: yes, speak to Jason.
Jason
Definitely. Dino, you can use a consultant to help with ISO. Absolutely.
Raul
We’ve got a nice technical one back to the BYOD discussion: can BYOD laptops exist under ISO 27001 if they’re not compliant?
Jason
The short answer is yes, although I’d probably need another 40 minutes to explain how. We have MSPs with BYOD programmes. They need to be mature and need a lot of finessing from our perspective to satisfy an audit, but BYOD is not a disqualifier for ISO 27001. You need to talk to someone who knows what they’re talking about.
Nathan
You would definitely need to look at using MAM app protection policies for your work-based applications as a starting point. That would be my recommendation, but you would need consultation on that one.
Raul
Super. Everyone was polite waiting until the end to ask questions. Thanks a lot, everyone, and goodbye. See you soon.
Jason
Thanks, everybody.
Nathan
Thanks, everyone. Bye-bye.