In this episode I have a conversation with Erin Casteel (https://www.linkedin.com/in/erincasteel/). We talk about Cyber Security, Risk Management, Security Management and the need for clearly defined standards.


Ivanka: Hello and welcome to the Art of Services video series on Cyber Security Risk Management. My name is Ivanka Menken and today with me I have the wonderful and amazing Erin Casteel, who is passionate about helping organizations to run, build and improve resilient integrated organizational ecosystems to support their products and services. And I know that sounds like a mouthful, but I’ve known Erin for years and years and years, and she is passionate. She’s passionate about standards, she’s passionate about methodologies and she’s passionate about helping organizations. She’s actually very important because she works with the ISO organization in creating these standards and she just informed me that she’s also part of the new ITIL review. So Erin, thank you so much for your time and I can’t wait to hear your stories. So welcome to this video series.

Erin: Thank you, Ivanka. It’s so great to see you.

Ivanka: So tell me, what was the thing in your career, because the last time we spoke we were both very much focused on I.T. Service Management, ISO 20000, ISO 27000. What sparked your interest in ISO standards and specifically your move towards cybersecurity risk management?

Erin: Oh my gosh. Okay. It’s been a bit of a journey. Continues to be a journey, but I would say that I will, as you know, you and I have known each other for a very long time and I’ve been doing Service Management for several decades now and obviously information security management and cyber security are essential aspects of Service Management.

They need to be embedded in every part of service management. So, that has been something that I have been involved with for quite a long time. As you mentioned earlier, I have been involved with the 20000 series. I was an editor of a few of the parts of the series and also the chair of the group within ISO developing the 20000 series.


By the way, the next edition of 20000 part one is going to be published any time now, likely in July. So exciting, exciting times.

So, I’ve also been for many years, involved with the 27000 series for Information Security Management and I’m also an editor of part of that which is 27013, which is for combined implementations. So I’ve been sort of working in this standards world for quite a long time as well as, you mentioned, helping organizations to improve and evolve their capabilities and improve their risk profile, et cetera.

So, in terms of cybersecurity specifically, I think we need to just upfront, give some definitions. Because for different people as you would be aware, cyber security means a lot of different things. So, in an ISO, and you can understand the context of this, because the 27000 series for information security management has the information security management system, the scope of information security management and the ISMS is the organization.

So when we talk about cybersecurity, we use a different definition. We’re actually working on that definition at the moment, but I’ll sort of tell you, our working definition is “cybersecurity is the safeguarding of a society, people, organizations, and nations from digital risks.”

And the way that we differentiate between…one way that we differentiate between information security and cyber security is that cybersecurity is public. It is not something that is able to be controlled within the organization. Right? So between organizations it is the security of the cyberspace. So, while there are overlaps between information security and cyber security obviously, there are also points of differentiation. So we need to look at both and we need to understand and we need to manage both.

Ivanka: Yeah. So obviously within the standard organizations scope is really, really important because if you don’t define a clear scope, you know, you can basically start doing things until the cows come home and there’s no end, there’s no beginning. You just do stuff. So with a broad…when you set the cyber security scope is like nations, and you know, I had like this, “the universe and beyond”… I had a very toy story kind of vision in my head. That’s a really broad scope. I mean it’s like the whole world and beyond. So how do you set standards for that? How do you manage that?

Erin: That’s a really good question and that’s actually something that we’re looking at right now. And we’re doing some work on that. But, I think it’s useful possibly to think of some examples or to provide some examples so that people can understand what we’re talking about. You’ve got the organization and the scope of the organization protecting the information of the organization, right? So that is the scope of information security management.

What if you have two cars that are communicating? So one car is – because we’ve got smart cars and they talk to each other. One car is telling the car behind it, “I’m going to brake now”, right? That’s not in the scope of the organization. That’s what we mean by cybersecurity.

Ships at sea are not allowed to encrypt their location for obvious reasons. That’s not an organization, that’s cybersecurity. So when we’re talking about standardization, standardization doesn’t necessarily always mean requirements and it doesn’t always mean management systems. It can obviously be guidance because, when we’re talking about international standards, the idea is to establish a common understanding, common terminology and to be able to work together and particularly when we’re talking about cybersecurity, it’s essential that we’re working across those different parties. And we need to work together collectively to protect ourselves, to protect all of the different entities that I mentioned earlier.

Ivanka: So, if and when it goes beyond the organization, does that then imply that it needs to have a government involvement? Because when you’re talking about encryption of ships, you know, you’re talking international waters, so there’s just so many other external factors and environmental factors involved. Does that mean that cybersecurity, as a concept, cannot be a company or an organizational or a commercial entity anymore? It has to involve policies based on what governments decide together. Does it go beyond the scope of us mere mortals?


Erin: No, I wouldn’t want people to think that it is exclusively the domain of states, because that would not be correct. The cyberspace is something that all of us interact with as individuals and as organizations, and then up to, you know, nations. It exists in all of those levels. So as an individual we need to be very conscious and we need to have controls. We need to manage and protect ourselves in that cyberspace, you know. It isn’t a dependency on the nation; in some cases the individual needs to protect themselves from the nation.

Ivanka: So how do you teach a person to take that personal responsibility? Because that’s what I’m hearing you say, it’s like it comes down to the individuals, it comes down to every person having that responsibility to do the right things in relation to protecting yourself from cyber crime.

Erin: Okay. So cybercrime is, again, we’ve got to be careful again to not make the assumptions that all of the threats are crime. Although that certainly is a big factor. Yes, of course individuals, but just to go back to organizations, that doesn’t mean that the organization can’t have control. In fact, it’s very much the opposite. So we talk about threat intelligence, right? Organizations share threat intelligence. It is in their common interest to be protected against cyber threats. So it isn’t something where, or it’s one area where it doesn’t pay to be competitive. We want their information, right? That’s an example of, at an organization level, having those controls in place. You know, a lot of the things that we already do and we already know about, in terms of information security management, are facilitating…, are having those protections, right? Yeah. So they’re not separate.

Ivanka: Yeah. Yeah. So what would you say to an I.T. professional that says, “Cyber security or cyber security risk management, we already do information security management. So, we’re covered. We followed the ISO 27000 standards or, you know, the company or the country equivalent of that”? So where do you see (and it’s a bit of a leading question in the sense that you’ve already answered it with your scoping answer earlier today), but where do you see the biggest difference between the scope of information security management and cyber security risk management within the organization? How do they differ from each other?

Erin: Okay. So, as I was saying earlier, there are a lot of overlaps. We can leverage all of that goodness, as you were just describing, your organization already has an ISMS, you already have controls, you’re already doing a lot of these things. It isn’t something where we get there and we achieve it and we were there and it’s all wonderful. It’s always going to be an ongoing journey where we are looking at our current cybersecurity posture. We’re looking at what our preferred posture -or improvements to our current posture are, and then looking at what things we need to be doing all the time in order to improve that. There are something like 196 different cybersecurity frameworks that have been developed.

Ivanka: Wow.

Erin: And they have a lot of useful information that can help organizations. This is all already existing content. So for example, NIST cybersecurity framework. So, you can do, you know, follow those guidelines around understanding your scope, developing your current profile, doing an assessment and understanding the gaps and then addressing those gaps. And then this is an ongoing thing. It’s an ongoing journey. That is the short answer.

Ivanka: The long answer will take three months.

Erin: Well, it’s always a never ending thing, right? And it isn’t about just the organization, neither is information security because you have to look at and really have a clear understanding of your full ecosystem. So you have to understand your entire supply chain. You have to understand all your customers. So, if you’re a service provider, for example, every time you onboard a customer, you onboard that customer’s adversaries as well. And when you are a service consumer, you also have to be cognizant of the ecosystem of your service providers. So it is, as we said at the outset, quite an interesting and challenging scope, but there are quite a few things out there that can help you to improve. And all organizations and all individuals can improve.

Ivanka: So what would you say is the biggest myth around cyber security at the moment?

Erin: The biggest one? Oh, there’s quite a few.

Ivanka: Well, your three favorites.

Erin: Three favorites. Well, part of what I was saying earlier that there’s the myth that a hundred percent perfect security is possible. That’s a myth and that is not even remotely true because every organization has to sort of choose their point on the spectrum to aim for.

  • What is their risk appetite and tolerance?
  • What are their… what regulatory requirements they have?
  • What is their budget?

So, we live in the real world. We all have to address this. We have to understand how to deal with cyber attacks, but we have to do them within the constraints of real life. You know, they say that there’s two types of organizations. Ones that sort of have the basic skills in terms of how to deal with a cyber attack and ones that don’t know that they’ve been breached. Those are the two organizations that exist.

Oh, okay. Well, you’ve been talking a lot about cyber risk. I would sort of posit that cyber risk is not a separate category of risk. It’s just risk. So that’s also a myth. And I guess the other one that’s really an obvious one that comes up all the time is that, cyber security, or information security for that matter, is an I.T. issue. That is absolutely not the case. And luckily we have a…there’s far more visibility and there’s far more understanding in the boardroom now around Cybersecurity, a lot more focus. I’ve noticed a significant improvement on that front, just in the last four or five years.

Ivanka: Is it also because there is now the regulation or the law that you have to actually tell people when you’ve been breached, that there’s that mandatory reporting issue? Did that bring it further to the surface and the people really start to take notice?

Erin: Sure. So when boards know that they’re going to be responsible and accountable for something, obviously they’re going to pay a lot more attention and, if you think about GDPR, which is a big topic these days, there’s also the issue of all the fines that organizations can incur. So when you think about the boards having to pay these just the nominal fines, of course…

Ivanka: Yeah, they’re going to pay attention. Yeah, because after reading reports like up to four percent of global revenue or some insanely large amount.

Erin: Yeah. I think it’s 20 million euros or up to four percent, whichever is greater.

Ivanka: Of course. Yeah. That’ll, that’ll make people perk up and take notice and go, “maybe we should do something about this”. So, let’s unpack that a little bit more because like you said, a GDPR has been on the radar quite a bit, and a lot of people have been talking about it in the last month. You see all these articles popping up about GDPR.

Erin: Because it just went into effect at the end of May.

Ivanka: Yeah so, 25th of May was sort of like D Day and everybody was like, “Oh, you know, you had this onslaught of email re-subscription communications.” So, from your point of view, what do you think these owners need to worry about? What do business owners need to know in relation to, specifically to, data protection and the privacy protection through GDPR?

Erin: Well let’s talk…Shall we talk specifically about Australian organizations?

Ivanka: Yeah, that’s cool with me.

Erin: Okay. Because I think that one of the things that some organizations in Australia understand, but not all, is that this isn’t something that just affects Europe. This is something that affects every organization that has any kind of interaction with Europe. So if you have customers in Europe, for example, right? If for some reason you are, you’re offering goods and services to them, you are monitoring the behavior of individuals, that sort of thing, the wording from GDPR, then this is something that absolutely affects you. So, it’s incredibly important to understand that this has global impacts. But it is, I think, the direction that the world is going to go, for a lot of reasons. So, this is a very useful opportunity; and some organizations are absolutely seeing it that way. They’re seeing this as an opportunity to really bed down the right behaviors, to make sure that they have the right policies in place, to make sure that they’re really doing this stuff properly and that they themselves, as well as their customers and their supply chain, will benefit from it. Other organizations are sort of taking a different tack which is, we’re actually not quite there yet. They really only started to take it seriously in May. Then there are some organizations I’ve heard about that have made a strategic decision apparently to ignore it completely and to be willing to incur the fine, which is kind of interesting.

Ivanka: Would be nice to have that amount of spare cash hanging around, you know?

Erin: No names, I’m not giving any names.

Ivanka: No, no, no, no, no, no, no don’t. What I really liked about your answer is that you started with behaviors before you talked about policies. So, obviously, the people in an organization, the behavior, the culture is really important if you want to have a strong cyber security and awareness of GDPR. What type of behavior is really conducive to cybersecurity risk management? What type of behaviors do we need to instill in our staff, in our teams, in ourselves?

Erin: Well we have to have a clear understanding in the case of, say an organization that is doing business with Europe, right? So, they need to really have understanding about what data they have in their organization and what does data protection look like and what is it that we’re going to need to do, right? So, that can mean a lot of things. There are some very simple behavioral things that organizations can instill as principles, for example, they’re going to minimize the amount of data that they collect to start with, right? So, that is a decision where you are up front deciding that you’re going to limit what data you have, as a means of, not entirely, but at least an initial way of addressing this. And then that also leads the organization to ask “What information, what data do we need? What is it that we’re actually going to do with that data? Is it just about accumulating data or is it about actually using it to deliver value in some way?”

And if what you’re doing is just collecting massive amounts of data but you’re not actually creating any value with it, why are you doing that? So those are, I think some ways that we think about the behavior of the organization as well as the individuals in the organization, can be considered and the organization can benefit on a number of fronts. If what you’ve been doing is just massively collecting data and you ask yourself “Why are we, why have we been doing that?”, it can actually be quite liberating and it can save you a huge amount of money.

Ivanka: Yeah, no, absolutely. I can totally see – because I’m just having visions of the discussions we had 15 years ago about configuration management. Like, do you really need to collect all the data? If you’re never going to analyze it, if you’re not going to report on it, if you’re not doing change management on it, why waste money on an activity and have resources and people and staff involved in the collection of the data, that’s absolutely useless because it has no value add to the corporate objectives. And, why do we need a shipping address for a person that we’re never going to ship anything to? It’s like the forms that we fill in online will be a lot easier I think from now on.

Erin: Fingers crossed on that one.

Ivanka: You know, I have faith, I have faith in humanity.

Erin: It’ll become increasingly obvious though, which organizations have adopted a lot of these ideas because it’ll be quite visible in terms of things like that, in terms of our interaction, with those sorts of organizations. So, that’s quite interesting. And then that in fact has its own implications in terms of trust. Do we trust this organization over this other organization? Because, clearly, this one has its act together and this other one really seems to be living in 1989. So we need to be making those kinds of decisions. And that will happen; the ramifications of the choices that organizations make over the next couple of years. I think will be quite interesting.

Ivanka: It’ll be interesting to see which organization will be used as an example by the GDPR regulators on “This is what you’re not supposed to be doing and this is why this organization was being fined.” And so it will be a really interesting learning opportunity for the rest of us I think.

Erin: I think it will, absolutely.

Ivanka: I just hope it’s not us.

Erin: Obviously, you need to think about that. If you have customers in the EU, then… you know?

Ivanka: Oh yeah, yeah, no, we absolutely have had some heated discussions about all this.

Erin: I’ll bet you have! So, can I just add something? So, we’ve been talking about different aspects, they’re all really quite interesting. But one thing that I wanted to mention is that I don’t… I know that there are a lot of people, and many of my colleagues have a focus on cybersecurity in and of itself as the thing that they live and breathe for. I see it as a bigger part of a bigger, more comprehensive way of looking at organizations and their ecosystems and cyber space.

So, one of my primary areas of focus is organizational resilience and organizational agility and cybersecurity is absolutely essential to that, but it needs to be thought of in the context of how it works in an integrated way with everything else rather than something that happens. And it’s a strange thing to say about cybersecurity because as you said upfront, it is like the universe, but you still would not want to do that in isolation and you really can’t be ultimately successful with that, as with anything, unless you’re thinking about it in terms of how it integrates into everything else that the organization is doing or if you’re as an individual as well.

Ivanka: So, ultimately, it really is a business strategy isn’t it? I love that you focused on organizational resilience because that is such a strong word. So like how…it doesn’t matter whether you are a small, medium or large organization, everybody needs to be resilient. We all need to have that resilience to be able to be competitive on the short, medium and longer term. Like, you need to keep your ears and eyes open. What’s happening in the industry and outside; that whole ecosystem that you’re talking about. I really, as a business owner, that really resonates with me because I go like, you know, “Doesn’t matter what people throw at me. It doesn’t matter what suppliers throw at me or accreditors or whoever, it doesn’t matter because we have that resilience building, we have our processes and policies, we have the culture.”, and ultimately it comes down to your business strategy, your business direction. And I really liked that, that really resonated with me as a business owner.

Erin: Cool. Well, one thing that I do is, I differentiate between agility and resilience. And the reason that I do that is, we talk a lot about organizational agility, and that, for me, is an internal set of capabilities, whereas resilience is in terms of everything external to the organization.

So when I talk about resilience, I’d like to think about it in terms of, resilience from external things; resilience, in terms of economic and political and environmental and technical and all of those sort of external things that can influence our ability to be successful, our ability to survive and thrive.

So, by looking at the organization in terms of its internal ability to be agile, to be able to move and change in this incredibly fast paced world that we live in now, and then combining that with that external perspective, which is the resilient side, you’d get both perspectives. And, it’s much more robust, it’s more complete. So that’s how I look at both rather than just focusing on one or the other. Cyber security is essential to all of that and all of the capabilities that we put in place to facilitate that resilience so that we can be delivering value and not stumbling with all of these obstacles that we encounter on a daily basis. That is the goal, and it’s always sort of an ongoing challenge and an ongoing opportunity. But that’s what’s exciting.

Ivanka: Yeah. And it depends on what your focus is, I suppose. If you focus is on your vision, on your strategy, yes, you have obstacles along the way, but you just hurdle over them because that’s just part of your journey. But, if you’re really focused on those obstacles, it becomes so encompassing and it becomes so overwhelming that you forget to see what’s at the end of the tunnel. You forget to see why you’re doing the things you’re doing. You lose track of your purpose as an organization and the vision where you want to go.

Erin: Yeah. So, even the decisions that you need to make, like “are we collecting too much data?” Right? “Do we have too much waste and we need to work in a more lean way?” Thinking about it always in terms of what it is that we’re trying to achieve becomes that thing that can bring all the people in the organization together as well as all the other stakeholders.

Ivanka: Let’s talk about the people in an organization. What kind of skill level, what kind of knowledge do people need to have to help the organization in the goal of being resilient and agile in a world where cyber security is the new normal? What do we need to teach them?

Erin: Okay, well, if we think specifically around security professionals, so we’ll start there, and the normal skills and competencies that you would expect, right? So, somebody who has CISSP for example, certified information systems security professional certification, that is always a huge advantage.

There’s a couple of things that that person is going to bring to the party. One is, in order to get that certification, you have to have already been working in the industry for at least five years. You need to have experience in at least two of the eight different domains. So that person then is giving you…and then you have to pass the exam and all that.

But, that person is giving you that combination of experience, and in order to get that certification they also sort of do background checks. You know, “Have you ever committed a crime? Have you changed your name?”, that kind of stuff. So, no, it’s really useful. If you’re going to hire somebody, then somebody with that certification is going to be, potentially, quite useful to your organization.

There are obviously, within information security and cybersecurity, there are so many different areas of specialization. So, depending on what your requirements are, if you are looking for somebody who has the technical skills, that is potentially different, but sometimes you find it in combination with people who also know the standards and have used the standards or have a certification. That’s a completely different set of things. So, you need to, I mean, if you can find sort of that ideal person who has an architecture experience and operations and resilience and risk management and compliance, then of course you’ve absolutely found…

Ivanka: The Jackpot!

Erin: The ideal person! But often, that’s why we have teams where we have different skills and competencies within the team and the team works together and pulls all of those different specializations because it’s quite difficult to be at a high level of competency across all of those different things.

So, specifically in terms of information security and cybersecurity capabilities, there’s quite a bit of really good information out there to help organizations who are looking for people, but I just want to bring it back to what we were talking about a minute ago, which is around agility and resilience because in order to do that you also need to add in other skill sets, completely different.

So you need to look at the people side. You need to look at, people who have really good written and verbal communication skills, right? And again, ideally, if you can combine all of this in a couple of people, then that’s fantastic. So you need to think about training and communication. You need to think about people who are really good at policies, people who are good at measurements and doing the analytics. Which is a pretty massive aspect of cybersecurity for organizations, is around the analytics side. So having that kind of a skillset is incredibly helpful.

And then making sure that you’ve got balance. So you’ve got a focus within your team on people and organizations. You’ve got to focus on both information and technology. You’ve got to focus on your products and services and your supply chain. You’ve got to focus on your processes, et cetera.

So you’re looking at it in that complete way as opposed to just making the assumption that, unfortunately, some organizations still do, that the technology is going to do it for you. There’s a lot of amazing technology out there. There’s a lot, there’s increased use of artificial intelligence and interestingly enough, not only by organizations that are wanting to protect themselves, but also by those that would do them harm are also using artificial intelligence. And artificial intelligence is interesting because it learns from things that didn’t work the last time, it learns to identify flaws and vulnerabilities and then to exploit them. So it is both a blessing and a curse, but it’s part of our world now. So, yes, there’s a full range of skills that we look for and that we want to try to deliver that balanced view. Focus on the governance, so making sure that the governing body has ideally some understanding of cybersecurity and has the ability to make decisions on behalf of the organization to support the right outcomes and the right improvements. We can talk about this for a long time!

Ivanka: Yeah! The thing that is going through my mind though is that … that’s amazing. I love the whole range, going from really technical training to soft skills and the analytics and measurements. I think that’s a whole new series of job titles that are coming out in the next five years. The thing that’s going through my mind though is a lot of the other people I’ve spoken with in relation to cybersecurity mentioned that 85 percent of businesses are small to medium sized businesses and they’re the target, maybe even more, 95 perhaps, they’re the biggest target for cyber crime, for hacking, for you know, whatever people come up with in that creative nastiness, those organizations probably don’t have this skill set in house. So, what can they do? What can business owners do? What can people in small to medium businesses do, in your opinion, to protect themselves? Knowing that you can’t protect yourself 100 percent and it’s all within budget, I understand that. But what’s an easy thing to do to be better aware or to be better protected or to be a step towards that agility and resilience that you talked about?

Erin: So, let’s specifically talk about some really easy steps that anybody, and any organization can take no matter the size.

So, ISO standards, management system standards such as 27001 are designed for any size, any type of organization. So, what can be a really easy starting point is to just read 27001 and 27002, which is on the controls. And by the way, 27002 is in the process of a revision right now. Those are not very long documents. They give you sort of that basic minimum set of these are the things that you need to be thinking about and these are the things that you need to be considering. Right?

I mentioned before that there are… so, I’m a great believer in organizations and individuals where, at all possible, taking some of this into your own hands and just reading a couple of things. So if you read even just those two standards to start with, if you read, the NIST cybersecurity framework, which gives you a nice set of tasks and it actually sort of helps you through the process of figuring out what you need to do in what order and identifies a lot of really sort of tangible things.

If you read GDPR, I can provide the link and you can click through the GDPR document up on this site so that people, rather than just sort of wondering what does GDPR say, just go ahead and actually read the document. So, those are a couple of really sort of easy things that anybody can do as a starting point. I think even if you’re going to bring in external people who have those kinds of capabilities to help support you and if you are a very small organization and that’s a very common way to handle it, when you don’t have the in house capability, it’s useful for you to at least have your head around it a little bit, start to understand the terminology, start to think about this before you just go off and try to put this stuff in someone else’s hands or have them make those kinds of decisions for you.

Ivanka: At least know what you don’t know and know where you need help and have a base idea of your scope and what you want to approach.

Erin: That’s right. And, then take it in stages. You’re not going to be able to do everything at once, but there’s a lot that you can do that’s really not that difficult upfront. So, you know, it’s just starting on that road and taking it extremely seriously is always the first step for everyone and for every organization, regardless of where they’re at.

It’s definitely worth it. What you can do is you can minimize your exposure and considering, as we say, 90 percent of organizations are very small, that is going to put you in a good place compared to the rest of the 90 percent.

Ivanka: Yup. Yup. Absolutely. So, let’s wrap it up here, but I wanted to give you the opportunity to talk about something that I didn’t ask or where you sort of go like, “I can’t believe Ivanka didn’t ask me that because that is so obvious and is so important around cybersecurity risk management or resilience and agility of organizations.”

Erin: Gosh, we’ve covered so many things. Is there anything left to discuss? No, I’m joking. There’s always so much.

Ivanka: There’s always something!

Erin: There’s always more to say. I think one thing that I would say, just one last thing that I would say around how an organization can think about cybersecurity as a component of something bigger, that I also recommend and you know, I’m involved with ISO standards, so I kind of have to say this.

There are other things besides information security, cybersecurity that an organization needs to consider. So one really useful way for an organization to approach this is to think about the different ISO management system standards that exist for different domains. So, we have management system standards for social responsibility and for quality of course, and for environment and for business continuity and for asset management and for a whole bunch of different areas that are important for organizations. And all ISO management system standards now have a common structure and they have common requirements between them. That’s a really useful thing to know because what that means is that it’s much easier to integrate different management system standards, because no one of these management system standards is going to do everything for you.

So, regardless of whether you’re interested in certification, if you have identified in your organization that there are different things that you need to care about and you need to have some control over, then you can look at these different standards for these different domains, and you can say, all right, we know that we’ve got this common set of requirements and a common structure for every single one of these management system standards. That is sort of our core. That’s really our management system. And then we can just bring in specific requirements from these other standards that can help us to address these different areas that we have. And over time, as we evolve, as we are doing continual improvement, we can add things. We can rationalize the ones that aren’t necessarily as important for us. But it’s a way for an organization to not be completely overwhelmed with the question, “What do we do? And how do we approach this?” So it’s kind of a common sense way to use management system standards, which obviously then you can augment with lots of other resources, because the world is full of fantastic resources that can help us on just about every problem, and even also ask experts in different areas who could help to support that too. So those are just a few things that people in organizations can do, and I’m happy to answer questions or to help as required. So, what I’ll do is I’ll send you that GDPR link.

Ivanka: I’m pretty sure I have it because it ends with a dot EU, but send it anyway because I might have a different one, and I’ll add that in the notes underneath. So again, Erin, thank you so much for your time. It was amazing to listen to you and to really absorb what it is that all the standards can do for us. And I think organizations don’t utilize that resource enough. So thank you for putting that front and center of our mind again tonight.

Erin: Thanks so much for inviting me. It was really, really fun to talk to you.

The GDPR document: eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679