Rhonda Willert

Partner | CPA, CISSP, CISA, PMP

Rhonda is a Partner at Linford & Co. delivering risk services, compliance attestations, and certification engagements. Rhonda holds the CPA, CISSP, CISA, ISO Lead Auditor, and PMP certifications. Previously a Managing Director at Deloitte, Rhonda brings a wealth of expertise in risk management and compliance and delivers excellent client service. Rhonda actively supports clients in all industries and focuses on compliance frameworks such as SOC 1, SOC 2, HIPAA, HITECH, ISO/IEC 27001:2022, ISO/IEC 27017, ISO/IEC 27018, NIST 800-171, and HITRUST.

All articles by Rhonda Willert:

When organizations first approach ISO 27001, they often head straight for the Annex A controls—the “flashy” technical safeguards like encryption and firewalls. However, as auditors, we find that the most resilient security programs are built on the bedrock of the ISO 27001 clauses (4–10). ISO 27001 clauses are the numbered structural sections of the standard [...]

As I was discussing cloud governance with a client recently, a recurring question came up: “We have ISO 27001, so why do we need ISO 27017?” It’s a fair question. While ISO/IEC 27001 provides the foundational framework for an Information Security Management System (ISMS), the unique risks of cloud environments, including multi-tenancy, shared responsibility, and [...]

When organizations pursue ISO 27001 certification, most of the focus is on building, maintaining, and auditing an Information Security Management System (ISMS). But who makes sure the auditors themselves are qualified and that the certification process is credible? That’s where ISO/IEC 27006 comes in. This standard governs how certification bodies (CBs) operate when auditing and [...]

In an era where organizations increasingly rely on the cloud to manage sensitive information, protecting personal data is no longer just a best practice—it’s a business imperative. ISO/IEC 27018 steps in as a purpose-built privacy standard designed to help public cloud service providers handle personally identifiable information (PII) responsibly and transparently. Focused on real-world challenges [...]

Conducting an ISO 27001 risk assessment is essential for organizations aiming to protect their information assets and comply with the international standard for information security. In this summary, you’ll learn how to conduct an ISO 27001 risk assessment step-by-step, including templates, methodology, examples, and tools you can use. If you’re wondering how to get started [...]

With cyber threats evolving at an unprecedented rate, everyone must adopt robust security frameworks to protect sensitive information. One of the most widely recognized and implemented information security standards is ISO/IEC 27001:2022 (commonly referenced as “ISO 27001”). This internationally accepted standard provides a systematic approach to managing sensitive company and customer data, ensuring confidentiality, integrity, [...]

Within this blog post, we will discuss the importance of knowing how to read an information security standard ISO certificate received from an ISO-certified entity. The knowledge gained from this blog will assist readers in determining that the certificates they obtain are valid. Receipt of a valid ISO certification certificate from a vendor or subservice [...]

Software supply chain attacks increased by 650% during 2021. In addition, Gartner® predicts that by 2025 “45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.” The need for users to understand supply chain processes and the controls that exist to minimize risks around supply chain activities [...]
