Video: Avoiding Common Pitfalls in SOC 2 & ISO 27001 | Duration: 3548s | Summary: Avoiding Common Pitfalls in SOC 2 & ISO 27001 | Chapters: Welcome and Introduction (11.36s), Introduction and Overview (110.66s), Implementation and Comparison (502.78s), Continuous Compliance Process (647s), Defining Project Scope (1028.05s), Aligning Policies Effectively (1378.54s), Customizing Security Policies (1449.40s), Audit Scope Considerations (1549.15s), Tailored Risk Assessments (1708.52s), Risk Management Process (1792.42s), ISMS Ownership Importance (1953.13s), Evidence Gap Solutions (2174.78s), Avoiding Control Overengineering (2506.53s), Vendor Management Importance (2850.16s), Document Control Challenges (3052.34s), Wrap-up and Resources (3218.12s)
Transcript for "Avoiding Common Pitfalls in SOC 2 & ISO 27001":
Good morning, everyone, and thank you for joining. We're just gonna give it a minute for people to join, and then I'm gonna run through the agenda and do the introductions, and we'll get into it. Good morning, everyone. We're just giving people a minute or so to join, and then we're gonna kick off. Thank you for joining us this lunchtime. Okay. So thank you for your time. My name is Andy Bryars. I've got the pleasure of running the customer success group at Drata for EMEA. I'm joined by Ali, who's a practitioner and founder of Axipro. The purpose of this session is really to focus on the common pitfalls of SOC 2 and ISO 27001. It's gonna be an interactive session. It's not around Drata the platform per se, but it's around things we see operationally that we wanna get ahead of, to make it more effective for you. So without further ado, the agenda today, if you can see that, is: we wanna do a quick recap on how Drata looks at the journey that you go through from when you onboard with us through to getting ready for audit. I'll share my perspective, and then Ali, from a practitioner point of view, will share what that looks like operationally. In addition to that, we'll then look at just a brief comparison, because people on this call have been focusing towards ISO 27001. Some of you might be doing SOC, and some of the lucky ones might be doing both. So we just wanna set the stage in terms of that comparison. But the majority of this call is gonna be focused on those common themes we see that basically create more work and make it less efficient for you. So we wanna get ahead of that to give you a better head start. So we've come up with 10 topics that we see normally create a little bit of a headwind. We're gonna focus the majority of the time on those. The good news is this is being recorded, so you don't need to write too many notes. We have got the slides that we're presenting today, and we'll share them with you.
And more importantly, along with some supporting resources after this call, so you can relax and ideally engage. If you've got questions, feel free to put them in the chat window. We'll monitor that. And as we go along, we'll try and answer those questions. The ones we don't get to, we'll certainly come back to and make sure we get those answered for you. So, with that, I just wanted to give you a little bit of introduction. I've introduced myself. Ali, if you're okay, just a bit of an introduction for the people on the call. A little bit on your background would be great.

Yes. Absolutely. Thank you, Andy. So my name is Ali Hayat. I'm the principal consultant and founder at Axipro. Axipro believes in simplifying compliance, and we are the top compliance consulting partner with Drata. Happy to be having this webinar.

And then supporting us on this call is Hala. She's a member of my team, a customer success manager. And one of Hala's roles is to make sure we've given you the right information and are signposting you when you need that help. So the way I'd like to think about it is: Drata provides the platform, but you, the customer, provide the time, and where you need that overlay of expertise that you might not have because you've not done SOC or ISO before, we try to thread in experts such as Ali and Axipro. And then ultimately, to get the certification, you need an auditor. So it's a real partnership between those three areas that we talk about. Okay. So some of you may be familiar with this if you've done the onboarding with Drata, but this is how we like to visualize things. So, actually, regardless of what framework you're doing, it doesn't have to be SOC or ISO, it could be HIPAA, GDPR. It all works the same way with Drata, and you follow the same basic principles. The key thing is once you've laid down that foundation, you build on that by the way that we've architected the product, and in particular what we call the Drata control functions.
But starting left to right, I'll give you a quick overview of how we visualize things. So Drata is a GRC automation tool. So whatever we can connect to, we can gather the evidence automatically and store that against the control that matches the requirement. So you'll see here the technical integrations and the monitoring are the key areas that we focus on first of all, because that's the bit we're automating. But, like a lot of technologies, it's not just the technology. It's the people and process. So the second part of it is all the policy work that you need to do. And we provide you templates, but, really, that is just a start. So that's where, really, in the compliance acceleration program that Axipro participate in, they're giving their guidance and advice on how the policies might be modified to make them more appropriate to you as an organization, depending on your size and complexity. And then you've gotta follow those policies as well. And then the final part of it, I'm gonna skip through a few things. I'll come back to those. But when we say non-monitored controls, effectively, what we're doing is: if you don't have Drata, you're having to email people to acknowledge policies. You're having to find out if they've done the security awareness training. There'll be controls where you need to upload evidence. And without Drata, you don't have a single area to augment that information. So that is where Drata is providing that augmentation. So I always use these examples. A copy of your architecture diagram that you need for both SOC and ISO. You can assign it to somebody, what we call a control owner. You can upload that evidence, and then you're reminded twelve months later to refresh that. So that's what we call a non-monitored control. Now in theory, once you've done those three areas, you've pretty much got the evidence for audit. Sounds simple, but along the way, we've gotta, you know, develop a risk register and a vendor register.
So that's the way that we like to think about that. And my role and Hala's role is to make sure that as you go through this, we can check on the configuration and work you've done in your tenant at Drata, and then we can help and advise you as you go along that process. So that's how we envisage it from the platform side, but I'm gonna hand over to Ali, and he'll talk about it in terms of how they look at the key milestones from a practitioner's point of view.

Absolutely. So, when it comes to the implementation part, we think that these are the key milestones for ISO and SOC 2. Number one is policies and procedures. You need to develop, review, and approve all the policies, and make sure that they reflect the company's scope and structure. Then we have risk assessment. This is very important: the risk assessment and risk workshop need to be conducted in line with the scope of the company's security posture. Then we have control implementation, in which all of the controls related to ISO and SOC 2 need to be implemented. Audit readiness is important; for that, an internal audit needs to be conducted for ISO, and audit readiness needs to be done for SOC 2, plus the management review meeting. And then you're all set for the certification audit. Whether you're going for ISO or SOC 2, there are different stages, and, accordingly, there will be a process.

Fantastic. Thank you, Ali. Okay. And I think just to level set, in terms of terminology and how the two frameworks work, we've got this comparison between ISO 27001 and SOC 2. So, Ali, just talk us through this so people sort of understand the differences and the common trends between the two as well.

Exactly. So this is, like, the quick refresher between ISO and SOC 2. So let's look into ISO 27001. It's an international standard. It has Annex A controls. It requires you to have an ISMS, which is a management system, and a statement of applicability.
It is certifiable, and the most important thing is it is risk managed. And it is a three-year certification where every year there is a surveillance audit. On the other hand, SOC 2 is a US-based framework. It has the trust services criteria. It doesn't have a statement of applicability, but it has a requirement for system description documentation. And most importantly, it's not a certification but an attestation, and you will receive a Type 1 or Type 2 report. It is focused on controls effectiveness, and it is annual recertification. So this is just a quick recap between both of them.

Yeah. A couple of things I wanna point out here. So the scope of this is really important, and we'll get into this as we go through the common pitfalls. But, like, out of the box, based on the requirements for either ISO or SOC 2, there's around about 200 controls for each of those that underpin it. The power of Drata is that once you've done one or the other, a 50 of those controls overlap between both. So if you do it once, then you've got the multiplier effect when you move to other frameworks, and you've already done 75% of the work. The other thing is getting the scope right is nailed in for ISO in the ISMS and statement of applicability, and in SOC 2, the system description, so that sets the scene. And as a simple example, if you're a larger organization with an HQ and you've got factories and facilities, you might decide to only do it for HQ. If you've got multiple products, you might decide to revise the scope to a single product. And the reason that you're doing either one of these is you're entering a new product or a new geography, and you wanna make sure you're reducing friction in your sales cycle, and then providing trust with your customers. That's the reality of it. And then just to bring that to life a little bit, and I think that's self-explanatory, but it's a three-year cycle in ISO.
And so you've got this concept of certifying and then doing what we call surveillance audits in years two and three, and then you recertify in year four. So it's a continuous process that needs to be involved. And SOC is annual, one-off. There's a concept in terms of the requirements and how it's laid out. And you can see that you've gotta pick security as a mandatory pillar, what they call trust services categories. But then you choose whether it's privacy, confidentiality, depending on the nature of your business. But by default, you've gotta pick security. And you can see the majority of the controls are underpinned by security. But if availability is important for your business, then you might wanna pick some of these other pillars in there. Don't know if there's anything else to add to that, Ali. I will keep moving, but we're getting into the core of it now. So myself and Ali have put together some common examples of where we see, I guess, inefficiencies, what we're calling common pitfalls. But if you're new to this, we wanna give you a little bit more guidance, and this is where we'd love you to be interactive as we go through this. So we've got 10. Sounds like a lot. Some of them have a little bit. But, Ali, why don't you go ahead and introduce us to the number one pitfall?

Absolutely. This is, like, the most common pitfall. Most of the companies treat compliance, either ISO or SOC 2, as a one-time project, which it is not. As said by Andy in the previous slides, this is a regular, continuous process. You need to do the certification for SOC 2 every year; then recertification for ISO happens every third year, but you still need to go for surveillance audits every year for ISO. So the common problem: organizations view audits as annual events, not an ongoing process. And let's say a company passed SOC 2 once but failed the next year due to lack of continuous monitoring. This happens very frequently.
So the easy fixes would be, you know, you should implement a continuous compliance program. And my absolute favorite is to automate evidence collection using Drata; that is just going to ease things off and will provide you the road map to make sure that you pass the audits every year.

And I'll tell a little story here about how Drata came about. Our founders had a separate company running education. And for them to sell into the market, they needed SOC 2. And so they hand-carved that. So going through, like a lot of organizations without an automation platform, gathering the evidence, getting things ready for the audit, taking a lot of time from their engineering teams to get the evidence for the audit. But there wasn't, like, a framework to put it under. So there's the automation, which is one thing, but then what I call the augmentation. So putting it under that framework, that's the power of what Drata provides. And that's the multiplier effect. So going through the pain of that, they ended up selling that business and moving on, and that's where Drata was born. The idea of Drata originally was ticking a box. Like, how do we automate this? And then they realized that, oh, well, if you go international, then people are asking for ISO 27001. And then there's a multiplier effect, as you know, because you're right in the lens. The reason you're doing this is not for fun, I'm sure. And I will say you've got your day job. You're doing this to remove friction in your sales cycle and get credibility as you go and sell to your prospects, or when customers come back to you to ask you to validate: are you still secure? So this is like, you know, a multiplier effect. But this pain that you're witnessing with or without an automation tool will incur larger overheads the more complex your business gets, the more you grow, and the more products and markets you enter in different geographies.
So being able to, like, lay it down in a foundation makes it really important moving forward and keeps that ongoing process. It improves your security posture; the certification is one thing, but diligence on all the other controls is what makes it meaningful to your organization rather than a tick-box exercise, is what we'd say. Okay. On to the second one, and feel free to ask any questions as we go along, or if you've got anything that you wanna share with us, that you're like, oh, how would this impact us? Just feel free to chat away. But on to the second one then, Ali.

Yes. Second one: keep the scope tight. Make sure that you understand what is your service, what is your scope, and how many products you're going to include in this SOC 2 or ISO journey. So what happens is usually trying to include the entire organization or all systems, which is unnecessary. So make sure that, you know, you understand the scope right. What we have seen as a practical example is that a company included legacy systems in scope, leading to remediation that cost a hundred k. And we have also seen that the leadership team, aiming to impress stakeholders, initially included nearly every department, every system, every office location, which is not needed, which is unnecessary, and it will just increase the confusion and increase the timeline for your certification. So make sure that you avoid this pitfall. And looking into the easy fixes, Andy.

Yeah. So, like, this is so important on this slide as far as I'm concerned. And we have got a slide. I wanna talk about this a little bit before I go into those. So, like, I'll give you an example. We've got over 200 controls for each one of these, SOC and ISO. But if you take out, a good example for a lot of smaller companies, you don't have physical access facilities because people are working remote. You're not using your own data centers. You're using GCP or AWS.
So there's elements of physical access control that are not relevant for you. So there's one example. Also, when you look at the trust services categories in SOC 2, if you do security and you drop the other ones, those two hundred controls become maybe a hundred. So having that fixed, and I think so, the system description in SOC 2 or the ISMS and statement of applicability in ISO 27001 are the places that you can, like, lay the foundation of what that scope is. And to me, from what I see, Ali, that's one of the biggest recommendations: that then starts to define where you need to gather the evidence. And bear in mind, auditors are there to help you through this process. So start small. They'll say walk before you can run. Start small, and then you can grow at your next one as your business expands. But get that certification first under a tight scope, and then you can evolve it. So some of the things we've got on the list here. Make sure you're involving senior management, your risk teams, operation leaders. I know we've got small organizations, so you're thinking, I don't have a risk team. But make sure you involve your leadership so they're involved and they're aligned with what you need to do. Definitely, in terms of, like, talk about locations where we've got systems, processes. Make sure you're making it easier for yourself and clearly defining that. And then document those reasons why you're excluding things, which is perfectly acceptable. Certainly, if you think about it, if you've got multiple products and you just wanna go for one product line, that then decides the tech stack that you're aligned with and the processes that follow that. We've got a lot of organizations who will have... it's easier to do things in the cloud than it is legacy because of the controls you've got in place. So, like, do you wanna start there and then move across, or are you migrating?
That's a good reason why you don't need to look at your legacy. And then regularly review this and update the ISMS or the system description. It's actually a point of reference for both. Yeah. I don't know, Ali, anything from a practical point of view you can see over and above what we've mentioned there?

Those are all fixes that are very much relevant. But what we have seen is that, let's suppose there is a consulting company, and they would like to implement ISO or SOC 2. There will be many controls in Annex A which will not be applicable, related to software development or change management, because they are not doing any software development. So make sure that the statement of applicability is the key here. Start with this and make sure that you understand what controls need to be implemented, and you can go to the next stage.

And just operationally, I'm not gonna show you in this webinar, but we can do that separately. But within the Drata platform, when you look at the framework, it actually lists the requirements on the left-hand side, and then it'll list all the controls that Drata has mapped to those. So when you're taking things out of scope, you can clearly see those requirements. And when I talk about requirements, that's what I think of as the auditor language, and then we've mapped the individual controls to those. So you can actually download at any point the requirements to controls or vice versa, and it'll put it out into a spreadsheet which allows you to look at the auditor language and then the evidence and also what's in scope and what's out of scope. I think that's a really good visualization. I'm quite a visual learner. So to be able to see that, because the auditors come in and they talk about it in their language; they don't care about the control mapping that we've done. But that's our way of tying the two together. Okay. On to pitfall number three. Over to you, Ali.

Consider that you have fixed your scope.
You know what are the controls that are in place. Now you have to develop your policies and procedures. And, usually, what happens is there is a mismatch between policies. They don't reflect the actual practices. So Drata provides all the templates, but it is always recommended to make sure that it is customized as per your company scope and service. Let's take an example. Let's suppose the policy says passwords must be changed every ninety days. However, SSO logs show no enforcement. So there might be some changes, there might be some customization which you have to do to make sure that your policies match the existing service, existing scope, and existing controls of your infrastructure. So the easy fixes, Andy, to emphasize here, are: review and align policies with operational reality, and involve operations and engineering in the policy drafting.

Yeah. A couple of things, and we've got a question. So thank you for posting that. We'll come back to that in one second, but let me just finish my thread of thought here. So, out of the box, Drata provides some templates. They've not just been written by us, but they've been written in consultation with auditors. But they are a catch-all, because we've got organizations from one to two users all the way through to thousands, and they look onerous. So when we drop in a framework, we drop in the policies associated with that framework. That doesn't mean to say, I'll take the encryption policy, but you need to follow that by modifying it so it's appropriate for your organization, the size, and what you do operationally. I always think high availability is a good example in this one. So a lot of small organizations don't have, like, immediate failover. And what I always recommend is, like, put the policy in there, the DR / high availability policy, and reflect what you do. But if you think there's a risk, you can put that on your risk register, and you can accept that risk.
You're not mitigating it. It's just the fact that at this point in time in your company, like, with the funding you've got, what you're... So, like, also, the other thing I've seen is people following these policies. They get them all acknowledged and approved, and then they're not actually following them. So making it the reality of what's appropriate and what you're doing. That's the hard bit, I think. So, we've got a great question here, Ali. So, basically, when an organization does not include things that should be in scope, so they're taking something out of scope, but it should be important to their functions. Have you seen that? And, like, is that, like, an auditor that'll come and say, oh, you're taking this out of scope, but you actually need that?

Yeah. It's funny. We have just had a recent experience, which happened with a recent audit. So we took some controls out of scope, but they should be marked in scope, and vice versa as well. There are some controls which are in scope and should be marked out of scope. So this is very important, to align with the auditor. What we do is that we recommend the client and the auditor to come on the same page and to do a planning call, to discuss that, okay, these are the controls which we are marking in scope, and we are going to plan our stage one and stage two, or SOC 2, in this timeline. So then, accordingly, it makes sense to make sure that we are all on the same page. All stakeholders, including the audit company, Axipro, and the customer, making sure that we pass the audit, we cruise it, and have a seamless experience.

Yeah. And we always recommend, and it seems strange, I know certain customers are probably questioning it, but we recommend engaging an auditor early, even though you might be, like, six or nine months out from readiness, for the very reason that you can start using them as a sounding board.
And there's a fine line between them giving you guidance and advice and actually pointing you. But they will point you in the right direction, and they'd be able to help you to a certain degree. They're obviously aligned there because at the end of the day, they're gonna then come in and mark the homework that you configured. But my example is, it's a bit like I'm learning for my driving test, but I'm not booked in for the actual exam. And in the UK, there's a massive backlog at the minute, and there is with auditors. So when I book that in, I know I've got a milestone I'm working towards. That doesn't mean to say I can't move it, but my recommendation to customers is always to lock in that partnership with the auditor as soon as possible and then work towards that date. You could leave it because things change. But, yeah. Right. Okay. On to number four. So I'll let you talk through this one, Ali.

Yes. Risk assessments. This workshop, we sometimes consider that a template will suffice for the requirement. We just need to check the box and complete the risk assessment. However, a generic or outdated risk register is not going to help, because the risk assessment is going to reflect what are the controls that need to be implemented, what will be the severity level of a risk, and how much mitigation needs to be implemented accordingly. So we recommend, Andy, as well with the customers, that in the first two weeks when we engage, we conduct a risk workshop, make sure that we have a risk assessment and a statement of applicability both aligned together, to have a plan, a road map of implementation. So performing a tailored risk assessment is important, and it needs to be done on a regular basis, either quarterly or annually, because your system, your scope, or your service will change or will improve accordingly.
Risk assessment needs to be improved, and you need to also understand the threats, incorporate them, understand and implement the mitigations, and also consider the vendors.

Yeah. And Drata does have a risk management platform by default in everybody's Drata tenant. And there's different versions, but there's a default one. And if you're on the default version, there is a quick start guide for you, because we've got a risk library of over 200 standard risks. So if you answer certain questions, as an example off the top of my head, are you using AI in your product, or are you using AI tools? It's a common one nowadays. If the answer is yes, then we'll take the appropriate risks that we see associated with that and bring them in from the library into your register, and then you can start to work on that. So there's an option there, but I always think about it, I'll try and give you another analogy. If you've ever... I went through UK security clearance for the Ministry of Defence years ago. And the fact that I had a speeding ticket at the time, that wasn't an issue for them. The issue was if I didn't declare it. So it's almost like, I say, a risk register. And, Ali, you can correct me. But the fact that I declare it, and I'm just laying that out there to say, look, in that case, this is my history, my family history. There's my, yeah, speeding tickets. I'm laying it down. I'm not hiding anything. With a risk register, the fact that the auditor knows you're thinking about it, you're putting it on there. You might be accepting that risk, but there's a process of how you're reviewing it. I find it therapeutic in a way; it's like, I'm not meeting the criteria quite there, but if I can drop it into this, that means I don't lose it. And then we can decide on what we're gonna work on and whatnot. But, yeah, I don't know if that resonates with you, Ali, in terms of that. The purpose of a risk register isn't to catch anybody out.
Right?

Absolutely. Yes. I agree with this. Sometimes it happens that there are some controls which are not necessary, but those are reflected in the risk register, and vice versa. So risk assessment is very important to understand what are the key controls that need to be implemented and how much level of risk can be tolerated by the company, and what are the next steps in terms of the implementation of controls and policies.

Fantastic. Okay. Right. On to number five, poor ISMS ownership. So, yeah, talk us through this one, Ali.

Yes. Usually, customers think that ISMS, when security comes in, is to be done by IT or security. However, it's not; there are a lot of policies in place, there are a lot of decisions that need to be made by the management. So ISMS ownership is very important. Poor ownership is a very common mistake that happens on a regular basis. So we encourage with our customers here regularly that ISMS ownership is important. You need to manage your management system, include your top management team within the process, and meet with us on a regular basis to make sure that everything is intact. So lack of cross-functional input caused HR-related controls to fail. This is a common example for HR: usually, we think that this is related to IT. So HR has controls that need to be implemented, and there is a whole clause dedicated to HR controls, people controls, in ISO, and similarly in SOC 2. So make sure that you assign responsibilities and roles across the departments and involve your management team. The top management team needs to take the ownership and needs to take the leadership here. And it is also recommended that you can delegate a person as a chief information security officer to make sure that they manage on a regular basis, maintain the compliance, and keep everything in check.
And one thing I know, like, there's a lot of organizations on this call that are small, and you're wearing multiple hats. That's quite common. And, like, as a default, we always want, ideally, somebody on the IT side and then somebody from what I call the policy side, typically legal or HR. But regardless, even if you're a single person, there are a couple of things you can do in Drata that I recommend. So we've got the concept of control owners. So you can delegate out those controls to individuals within the organization or leadership to help you. Don't feel like you're alone in that. And secondly, when we're onboarding, there's the concept of the personnel, the employees, actually accepting the policies, maybe doing security awareness training, going through that. You can take the opportunity to remind them how important this process is for the organization. They're not doing this as a tick-box exercise. They're doing this to accelerate your ability to go and sell into your customer and prospect base and to give that assurance. So it's a really good opportunity, when we're getting the employees to accept these policies and do their awareness training, to explain why they're doing it, the purpose to your business. It shouldn't be seen as an inconvenience. And if it's done wrong, we've seen this certainly for, like, people who are DevOps, who are there, like, developing your product, and that's their most important thing. Having to then get involved in this type of thing is, like, let's say it's not their job. So what we plan to do is remove as much friction as we can, but making sure people are accountable in the process. Okay. Right. We're pretty much on track. So I wanna leave a little bit of time for Q&A, but we've got five more to take us to our top 10. So evidence gaps, over to you, Ali.

Yes. Yes.
Evidence gaps. The problem: inconsistent or missing evidence during audit readiness, or inability to prove background checks were completed. I take it as maybe there being an unawareness of the standard requirements, unawareness of the controls, and of the understanding and implementation of what needs to be done. It's not a checkbox: when there is a control that says background checks, it has a requirement that needs to be fulfilled, and proper evidence needs to be uploaded accordingly, to make sure that you complete the audit and have a seamless process. So what is recommended is to ensure that you have a control evidence calendar and you regularly check what evidence is required. We also recommend, just like Andy said on the previous slide, that awareness training is important. That's why Drata has an awareness training system, and all the controls are also very easy to understand. So make sure that you understand the evidence requirements for each control, and use automation to collect and store evidence continuously to make sure that you are audit ready. I've got a question for you, Ali, because it comes up quite a lot. Background checks: often smaller organizations don't go through that, or they don't use the third-party tools that we integrate with. So they might do some background checks, but it might be to certain different standards and levels. And then we've got a complication certainly in certain countries, like Germany as an example. You gotta be very careful around that. So what's your guidance there? Because I have customers speaking with auditors to get dispensation, or to say, well, this is what we do, and they provide the evidence, but it's not always clearly integrated into Drata. So, yeah, I wanted to get your view on the guidance on background checks in particular. Absolutely.
So, as for the ISO requirement, there are some mandatory checks that need to be done, but those are like the best practices. You can choose which check you would like to do. So, for example, there is a national ID or passport check, there is an academic qualification check, and there is a past experience confirmation or check. So with this limitation, in some parts of the world where you cannot do background checks, it is recommended that you select one of the options. Let's suppose it is much easier to contact the previous employer and get the confirmation of the experience of the person who has completed the job with them, or to get an academic qualification check done as well. So if you're not using a third party, it's very easy as well for you to just approach the reference provided by your employee, complete the background check, and get the verification report. And, actually, we talked on the last slide about delegation and bringing people in, even though you might be coming from a small team. So that's a great example where that, in my mind, lies with HR and recruiting in that process as they go through it. So you can't really change what's happened, but you can look at implementing a process moving forward. I think the auditor would be happy with that if you declare it and you explain what that is. So that would be another way of dealing with it. And the other thing I'd like to say is, when Drata connects to systems, we automatically gather that evidence in a JSON file, and we put it under the control. And, typically, we do that daily. So you're good with the evidence on those controls, but where you're doing it manually, with assigning a control owner and that control owner uploading the evidence, what we see is that it's not monitored and it's not linked to policy. I always say that I could upload a picture of my cat. And that picture of that cat is not gonna mean anything to the auditor. It's not gonna help you.
But the validity of the evidence that people are uploading manually, that is where you'd probably have certain checks in place, and where maybe internal audit would help with that. Have you seen that, Ali, where you've got things uploaded, but it doesn't meet the evidence criteria the auditor is looking for? Yes. Sometimes we complicate things and provide a lot of evidence, but it's not what the auditor is looking for. And we need to make sure that we make the right evidence selection to provide to the auditor. And, actually, sometimes that's gonna happen. They're gonna want more than what you presented, but that's not the audit process. They'll give you the opportunity to provide the evidence. Yeah. Not everything's a hundred percent, and they're not looking for it to be a hundred percent. So don't worry if that's the case. But I think the good thing with Drata is you've got the needle that says how many controls. We just updated it, so it looks at the readiness from the framework and requirements point of view or at the control level. You always look at it on the control level if you're having a bad day. You wanna see more progress, because it obviously moves the needle more at the control level, because you'd need multiple controls against the requirements. So if you look at it on the requirements level, the needle is not as fast, right. Anyway, right, next one then: overachiever. Interested to get your view on this one, Ali. I think this is just like we were discussing on the same topic, that we try to upload a lot of evidence which is not required at the moment. Similarly, this overachiever: a company over-engineered its controls to impress the auditors, but it should not be the case, which results in excessive documentation and internal friction. So it happens.
There is no project plan, or there is no understanding of the controls, so we try to prepare a lot of documentation, a lot of policies, a lot of procedures, which in turn is kind of confusing for the team and creates friction to implement it later on and actually pass the audit. So our recommendation is the same: make sure that you understand the controls within Drata, follow the same project plan, which is very easy to follow, and align efforts with actual business risks. So I think, Andy, all these pitfalls are kind of interrelated. They are all linked together. So risk assessment is also coming back to the same thing. It's important to understand which controls, what the mitigations are, and what your implementation will be accordingly. From your experience, it's interesting because we talked about running before you can walk, but I get the aspiration when you start off. And then when you get into the detail, you realize maybe you need to dial that back. So, like, how often do you see this? That people try to almost do too much before grounding. Is this common, from your experience, or is it likely anomalous? It is. What we try to do with the customers when we engage with them as a consulting partner is to give them the path for each piece of evidence: this is what the acceptable criteria will be for each control and what will be acceptable for the auditor. So overachieving, or trying to impress the auditor, or overworking, or excessive documentation, it's not going to help. It's just going to complicate the stuff and the process. Got it. Okay. But you had a great question, Michelle. Now Ali has answered that. I just wanna talk about it for the wider audience. And this comes up a lot. So you've got contractors in place. Certainly, in certain countries as well, you gotta be very careful because they've got bring your own device.
So, like, you gotta be careful about what you can and can't do there. And, like, can we force temporary consultants to install, you know, agents on their devices? This is what I always say, but I'll be interested to get your practitioner view. So if those third parties are accessing information that is in scope for your audit, they've got to adhere to the same principles as you're holding your employees to, however you decide to do that. So it might be that if they're a contractor, then there needs to be some agreement as they come on board if they're accessing information that is in scope for that audit, and they're effectively gonna follow pretty similar principles to the employees. The other way would be that you could mark them out of scope if they're not involved in the access to systems; that might be better. Yeah. Well, I'll get your view on that, Ali, because I know that comes up a lot when we're talking to customers. Yes. Exactly. So this is a great question. Two examples. So one is that, just like you mentioned, there's a high-risk employee. You can provide the conditions in his contract that these are going to be the checks which we need to implement on your device. So in that way, you can conform to the standard requirements. The other thing is that you need to have a proper BYOD policy for your employees and your contractors, and inform them that these are the checks which we need to do, and these are the controls or these are the agents which will be installed. And, accordingly, there is one control, Andy, in ISO that talks about installation of software. So I would like to reflect back on the risk assessment. So let's suppose your risk assessment says that there is certain software which should not be installed on the device, which will be of high risk. So then you have to discuss with your employee during the hiring process that this is our process. This is what our protocol is.
Ideally, you should provide the device to your employees, but in case that doesn't happen, then a BYOD policy is recommended. Got it. Thank you. And, yeah, great question. It does come up a lot. So, okay. Neglecting vendor management. So, yeah, this is quite a common one as well, Ali. But, yeah, if you give your view here, then I'll talk about some of the actionable solutions against that. Absolutely. So many organizations overlook third-party risk, assuming vendor compliance automatically aligns with their own, which it does not. Vendors are often gateways to breaches. Consider a fintech company that achieved ISO 27001 certification but neglected proper vendor due diligence. Their cloud hosting vendor experienced a security breach, exposing customer data and resulting in regulatory penalties despite the fintech's own compliance status, which is going to hurt their reputation. So this is important: to have a third-party risk assessment. Make sure that your high-risk vendors, or any of your vendors at other severity levels, have a proper system. If they are not ISO or SOC 2 certified, then they can follow your own company's ISMS. But it needs to be there in the contract. It needs to be there in the agreements. They should be aware of it. Maybe you need to run a proper awareness campaign for them to understand the ISMS rules and regulations. This is very important. Vendor management. We have seen this in our experience. There are customers using vendors who are not ISO or SOC certified, or who don't have any ISMS in place, and it's going to hurt the reputation later on in case of any security breaches or in case of any incidents that happen. Yeah. I think in, I call it the modern world, but in the SaaS world, in the cloud world, this becomes more and more important, because most organizations now are reliant on what we call subprocessors.
So at Drata, and this is where we've got a trust page, it's like your public page of honor where we put all our certifications, but we put all our subprocessors there as well, because we're dependent on running on AWS as an example. We're dependent on the encryption and availability of that. And if that goes down, that's got customer. So we've gotta declare that. But at this point, we've gotta go and prioritize those vendors by criticality, and we gotta go and make sure we've got the right checks and balances. Now, it's AWS. They're never gonna fill in your own security questionnaire, but they will publish their SOC 2 and ISO standards that then you can go through. It's a matter of going through that. So Drata has got a vendor register, just like a risk register, that you can use, and it's there to make sure you're putting this information in the right place. So, a question came in about whether we are recording this video. Yes, we're gonna share this later. You missed the intro, but, yeah, we're definitely gonna do that. Yeah. Before I go through that, there are a couple of other questions that have come in. What should a small company do in the case that they're using vendors which, as much larger corporations, are unlikely to answer? Yeah. So AWS and Microsoft: go to their public trust page, and they will provide access to those accreditations. They're never gonna fill in your own security questionnaire. And they're probably gonna be more critical to your organization based on the services they're providing for you. So, hopefully, that answers that one. There's another one here, Ali. During the implementation of the document and record control procedure under ISO 27001, employees often perceive it as an additional burden and do not follow the proper process.
How should this be handled? As a GRC consultant, what is the most effective approach to ensure the successful implementation of document codes and naming conventions? Right. This is, I'm just thinking that the document control procedure will just align your documents and will provide a structured approach to all of your policies and procedures. Let's suppose there is a new document that is going to be developed. It should have a proper naming system. It should have a proper revision history. So this needs to be enforced. This is a common challenge: when a new policy or new procedure is implemented, the employees tend to take it as a challenge. And it's basically change management. I would like to recommend that you implement or activate the change management process and consider providing awareness to the team of why it is important, what the purpose of this document control is, providing them the relevant consequences: if we don't follow it, what will happen during the audit process and what will happen during our internal process. So awareness is important. Making sure that your team understands the importance of this procedure, the importance of this process, and maybe using some tool that automates the naming and the revision history. I know, Andy, in Drata we have a policy center, and all of the policies, if they are published, automatically have a revision history updated. They have it there. The dates are updated. So that works in terms of the document control. Yeah. One thing we get is, often, we don't align it with the document naming conventions; that's separate. So when you publish the author, the document, and the date, you've still got version control. What we do is, yeah, v1, v2 as you update those. But sometimes customers get, yeah, confused about that; they expect we're gonna match their naming conventions, which we don't.
So you gotta do your own policy management, but we'll do the version control as well. Conscious of time. So we've got six minutes left. I've got a couple of things. So, this is number nine then: over-reliance on generic templates and policies. So I think we covered that a little bit. They're all out of the box, but what's more appropriate is how it's covered, actually, how it's appropriate to your organization. So do you wanna talk through a few other fixes here, Ali? Yes. Make sure that you customize the policies, and they should reflect the processes. And they should reflect the controls which are in place. It happens that during the audit process your controls are mismatched with your policies. Over-reliance on the template is not what is recommended. Drata does provide the templates, but those are very easy to customize. So this is a common pitfall, and then we have the solution here. Yeah. I think that's a common theme we see, where people do take that. And I think the struggle is with the enormity of it, like, if you're a small organization, they really need all these policies. So it's just making it appropriate, and we do try and make it easy, but I'd like to try and cut down the size of those policies sometimes. They look onerous. So, the last one, we've actually covered already. So, like, this is the concept of, yeah, compliance is just for IT. For the purpose of time, I think we've said, you know, involve HR, legal, leadership. So the more people that we can involve in those decisions, the better. But I wanna just take the next four minutes to wrap up. So, in summary, the way we look at things is that a compliance program has gotta be ongoing. And that's why Drata is built around it, so that it is continuous. So that's what we believe in. It's gotta be cross-functional. So we talked about how we can delegate and get other people involved. We've got to synthesize your organization.
Obviously, what we wanna do is make it easier for you. So there's the automation that we can leverage when we connect to systems, but there are a lot of things we don't automate, just because there's not a system we can connect to, and there is a manual element, but at least we augment that into one place for you. Definitely, the customization and the documentation should be appropriate to your organization. And then that continuous monitoring, which is gonna improve your security posture, not just your GRC posture. So, that's the summary. Now, as we wrap up, a couple of things I wanna just leave you with. You may already have been involved with what we call the CAP program. So it's a compliance acceleration program. Something that Drata provides; you can see on the left-hand side where Ali and the team, and we've got other CAP partners. It's not just Axipro. But we're bringing in practitioners to help you if it's the first time you've done ISO and SOC and to give you that guidance, in particular around the policy area. So, depending on where you are in your journey, if you're not already engaged, reach out to Hala, and she can introduce you. So that's something that's free of charge to all our customers. If you needed additional assistance, and so this is not taking away from what me and Hala do. We're gonna be there to signpost you and guide you and always support you. That's what we're here for. But if you needed more hands-on help, I would say we signpost; we don't get on the keyboard and help. You can use Ali and Axipro, but it's a separate agreement. So Ali's got something called an achievement plan. It takes you all the way through, including internal audit, and gets you ready for the audit. And if you're interested in that, we've got some resources on the next slide here, as the final slide, where we've got links to what's publicly available. Now, Ali would be quite happy to go through that separately.
But I think that wraps it up, with one minute to go. We are gonna send a recording of this. We're gonna send the resources out and a copy of the slides. But if you've got any other questions we've not managed to cover, reach out to myself or Hala or Ali, because all our details are at the beginning of this slide. And thank you to everybody for participating, asking questions, and joining. We're really looking forward to supporting you in your GRC journey and hopefully making it a little bit easier and giving you more time back so you can focus on your day job. Thank you so much for your time. We appreciate it. Absolutely. Thank you. Alright. Thank you. See you soon.