SecurityLah - the Asian Cyber Security Show
SecurityLah - the Asian Cyber Security Show
S3E03. ISO Series - Reading the ISO standard
Team SecurityLAH introduces a series of podcast on international standards around cyber security. This is a year long series, with each episode airing beginning of the month.
In this episode, team #securityLah explains the standard structure and how one "reads" the standard.
Okay, so Doc, I heard that you've got your book. Yeah, I've been going through my library. I got this book some time ago. It's just that I never found time to read it and you know, I decided, okay, you know, what's the point of buying a book and keeping it in your shelf if you don't read it. So what I like about this book is the title of the book. Okay, so tell us more about it. You reading a book is not nothing new. You have always been an avid reader. But what is it so interesting about this book? Okay, so it starts with the title. Before I go to the title, it's written by Mortimer J. Adler and Charles Van Doren. The title of the book is "How to Read a Book". Welcome. You are listening to SecurityLah Podcast Season 3. So for those of you who don't know how to read a book, you can buy a book called "How to Read a Book". So the connotation is the classic guide to intelligent reading. So this book interestingly describes about different kinds of written materials and how best to savor these kind of written materials. So if I just read a few of the chapters here, one says how to read history. Another one, it says how to read philosophy. And it even has a section on how to read science and mathematics. So I'm like, okay, very, very, very interesting. And this comes under different kinds of reading matter. There's also a third level of reading, which is analytical reading. There is discussion about reading. There are three levels of reading according to this book. So the first one is elementary reading. The second one is inspectional reading. And the third one is, if I'm not mistaken, analytical reading. So that's just to give you a clue about what the book talks about from the perspective of how to read a book. Have you started or have you already finished the book? No, no, I just started. I usually like to savor my book. So I take my time. I read a couple of pages and then I do the rest. And that kind of echoes into today's episode where we're going to talk about how to read and understand the ISO documentation. Yeah, we're going to get you to put what you've read into practice. Yes, exactly. So we are going to start and look at the document. So give me a while while I load the documents. I know I should have done this before recording, but unfortunately, due to time, I'm just doing this while we're talking. So let's do a quick recap about what we've discussed so far. So we've gone through two episodes. The first episode is about standards. The second episode is about ISO specifically. We spoke a bit about the 27000 series. We dived into 17799 and BS7799. What are the standards? How do you certify yourself against these kind of standards? And covered quite a fair bit about all these very unique and interesting documentation. So today, let's look at the ISO standard itself, because just like how you have this book on how to read a book, a lot of people just look at the standard and go blur and it's like, OK, so I have the standard. What do I do now? Yeah, I see a lot of words, but I don't understand exactly what or how I'm going to apply it. It's very long and a lot of things. It's quite a difficult book to read. Yeah, there's actually quite a lot of things about this book, which makes it quite interesting. And I'm just hoping that this episode would give our readers a sense of what they can actually do with the documents that is there. So that way they know exactly when you have this document in front of you, then you know, OK, so these are the things that I can do with this document. This is what's important. What are the sections I should look at, how the sections look like and how you can eventually use the standard. Now, with that, I have to always put my standard disclaimer. ISO standards are copyrighted documents. You can get a copy for a reasonable price at your local standards department or government body. They usually sell it in the local currency, which makes it quite affordable as compared to getting it from the ISO master site. You can still get it from the ISO master site, the ISO store. But the only thing is you'll find that with the usage of a different currency, most likely Swiss francs. You find the document slightly more expensive than what you would have gotten from your local standard documents. So the thing is, don't worry about the contents. They are exactly the same. So usually the local body would just paste one or two pages up front and say, oh, this is a country X standard ISO 27001, 27002 and whatever not. Right. So that's about it. So that's the easiest way for you to get a copy of the documentation. If you're going to use it officially in your organization, you may request your organization to actually get a copy. So you have an official version of the document that can use within the organization. So no piracy, respect intellectual property. We are, after all, a cybersecurity podcast. So we will have to give you this message. Right. So let's jump into the meat of the matter. I think that you had a question, Prof. Yes. Yeah, I do. Actually, based on what we have covered so far, there is a very general question that I often get asked. That is, in generally, when we talk about ISO, is it a form of quality? And in a very broad and loose sense, does that actually give us some guidelines to help us manage the security systems? OK, we tend to equate ISO standards to quality because of ISO 9001. And ISO 9001 stands for quality management system. Now, in the previous episode, I don't know if I actually said this, but if I have, then please excuse me, because I find this an interesting point to note, especially when we're talking about ISO documents. And in reference, I will speak specifically about ISO 9001, which is quality management system. Now, the ISO gives you a standard methodical, repeatable way of getting an output. Right. So that means that you just perfected a way to repeatedly get the same kind of item that you get at the end of your process. So, for example, if you're manufacturing a phone, then you're based on your processes as per the ISO standards. You will get the same kind or I would say quality of the phone. So if you make very lousy phones that has poor reception, ISO 9001 states that your whole assembly line will produce the same low quality mobile phones. Irrespective. So when we say quality, quality can be good quality, quality can be bad quality. So quality is just an umbrella term. What's important is to actually have an identifier to say what kind of quality. I mean, of course, we tend to mistakenly say quality. It's supposed to be good quality, but you can also have bad quality. Precisely. So ISO gives you a repeatable way to produce the same kind of results, so to say. So my favorite ISO standard is 3103, how to brew tea. So if I follow ISO 3103, then I would be able to produce the same cup of tea year in, year out, provided all the ingredients that I use, the quantity and the brewing time and everything else remains the same. So if I obviously if I change the tea leaves, then the taste is going to differ. So then your whole equation of having an ISO standard doesn't really apply anymore. So that's one of the tweaks or problems that we have. I hope I've answered your question, though. Yes, very, very detailed answer that you've given me. And I think in some ways, the ISO does, at least to me, mean that it is some form of assuring quality in the systems that we can make. Now, whether it is consistency or not, then I guess there must be some baseline requirements or standards that we need to make in order to ensure a consistent performance. You're absolutely right. That means that as part of your ISO documentation, your process description and everything else, you would set parameters. So those parameters are the one that would determine the outcome of the output. So, for example, if you have a certain parameters that you set within your process, when you actually do your quality testing, your surveillance and all that, you should find that the parameters should match whatever that's been produced. You shouldn't be getting something completely new at the end of your assembly line, say for a manufacturing organization. In security or in ISO 27001, we are focused on having processes on how to deal with things related to cybersecurity. So, for example, if someone leaves the organization, there is a process that tells you these are the five things that you need to do to make sure that you have met the process requirements. Right. OK, thank you very much. Let's go back to our original topic for today. We talked about the ISO document. Can you tell us what it looks like and give us some description about it? OK, so specifically on ISO 27001, there are 10 chapters and there's a section called NXA. So if I were to quickly browse through the 10 sections, the first one obviously would be your forward and your introduction. And then we talk about the scope of this ISO standard. There's an interesting term called normative references. So normative references means that these are the sections that are mandatory as far as the section is concerned. So whenever you encounter the word normative, it essentially means that these are mandatory requirements. So if you look at it from Section 4 up to Section 10, this is actually mandatory. As far as ISO 27001 is concerned. So one of the things that you will find is that ISO 27001 implements management system specific to information security. So it's called ISMS, which is Information Security Management System. So Section 4 to Section 10 outlines how this information security management system is going to work in your organization. So that's 4 to 10. So Section 4 talks about the context of the organization. So in many organizations, like some of the examples I've given earlier, the context of your ISO certification depends on which section you want ISO certification to cover. In some organizations, you may not want to cover the whole organization. In some organizations, you may want to cover the parts that is providing service. That said, some organizations take the easy way out. Say, for example, if I'm an information security service provider, I provide services related to information network and cybersecurity. Now, if I were to go out to the market and say, hey, guys, just for your info, my organization is ISO 27001 certified. Yep, well and good. But as someone who's experienced doing ISO, the first thing I'll ask them is, which part of your organization is ISO certified? Is it the part that's delivering the service? Or did you just certify your admin department so that you can go around and shout, we're ISO 27000 certified? So context of the organization makes a difference because that would determine which part of your organization is covered under ISMS or Information Security Management System. So as I said, some organizations, they're very smart. They just want to go out to the market and shout, hey, I got ISO 27000 one. But when you look through the cert, you look through what section is certified. It even goes down to the point where you will know which data center for that particular organization is certified. So in an organization where, say, you're providing cloud services, you may have four data centers all around the world, but you certify only two. Guess what? Your ISMS only works for those two organizations. Sorry, those two locations. That said, it doesn't mean that you cannot extend it to the other two locations. Rightfully, you can. But when you certify these two locations, which means only these two locations fall under audit, the other two locations may not be audited, may not be validated to make sure that all these nice processes you've built and tested for your two primary data centers work for the other two data centers as well. So, yeah. So Doc, just to interrupt you a bit, you mentioned ISO 27000 standard and also ISMS a couple of times. Yes. How do we take these two together? Are they related or is it one for the other? ISO 27001 will implement ISMS. So what happens is ISO standards have this thing where we talk about management systems. Management systems is an ISO generic methodology that they promote as part of their standards. So if you look at ISO 9001, it would be QMS, quality management system. ISO 27001, information security management system. So you have a management system that talks about this. Okay. So that means the 27001 standards is mainly on the development and maintenance of the system. Maybe ISMS, which is the system, is the systematic approach for management. Yes, correct. Okay, good. And just now you were talking about context of organizations. Can you share more information on this? How do we relate that? Is it just based on the nature of the industry, the type of the industry? Yes, it depends on, to me, what's important is if you're going to certify a part of your organization on ISMS, the question would be how crucial is that section for the business that you're offering? So the example I gave earlier of an information security services vendor, then the service delivery part would be the one that's important in ensuring that services that is offered falls under the information security ambit. So you may be in any organization. So, for example, you may be in a construction organization. Okay, let's use this example. You may be a property developer. And you can say, okay, I think with the current world and everything going cyber, we need to do information security. Okay, very good. Which part shall we certify? Well, for a property developer, you critically have your new projects that's coming in. You would also have projects that are currently being sold. And for sales and marketing department, you're definitely going to collect personal information. So that means that you have personal information that you're going to take care of from your organization, from other people, third party, maybe even organizations. So to me, when I do a quick assessment, the maybe the architecture department, operations, sales and marketing, these would be the three key areas that would require information security to be part and parcel of the organization. Of course, it depends on the business. And some might say, hey, why are you excluding finance? They are handling money. Shouldn't they be certified too? Yes, they could. If they are part of your core business, sure, why not? But to me, finance and everything else is a supportive business function rather than core business function. In any organizations, you will definitely have finance, you will definitely have admin, you will definitely have HR. The point is that some organizations may want to start small. And as they go through multiple rounds of surveillance audit and full audit, that's when they want to see, OK, we have experience implementing it for this scope. Now let's enlarge it. There's no hard and fast rule to say that you have to only certify the whole organization. You can't minimize the scope. No, it's entirely up to the organization to decide what is the scope of the organization. That is why the cert will actually tell you all these things. What are you certifying? Which locations are you certifying? It can be a data center or it can even be a building location. Because in some instances, say, if you're a property developer, you may not have a data center. So then you might want to certify your primary HQ as the location where you have ISMS. And the reason why you certify a location is because there are physical security controls as part of NXA. So if you have a building or primarily where you work, because that's where you're going to store your data and information, then you should impose on physical security controls related to that particular building or floor or area, depending on how big your organization is. Yeah, there's also another thing that you mentioned earlier. In total, there are altogether 10 chapters and NXA in the document. But you're saying closest 4 to 10 are mandatory. What about the others? OK, so there's only 4 to 10 which is mandatory. The others are non-mandatory, meaning that they are just there for reference. They're just there for reference for you to understand. For example, let me look at this. Section 3 is about terms and definitions. So it's just going to explain to you what the terms are, what it means, and why do you have these kind of definitions in place. That's it. Oh, OK. OK, now just a quick side note on, we spoke about management system, right? For auditors, certified auditors, you will have to follow the ISO 19011, which talks about guidelines on auditing management system. So this document is what auditors use when we come to audit your organization on your ISO implementation, because we are looking at how well is the management system in place. Remember earlier I mentioned about the description of what a management system, the difference between ISO 9001, quality management system, versus ISO 27001, which is information security management system. So essentially the common theme is the management system, and ISO prescribes the document ISO 19011 to auditors. And that's what we use when we come in to audit your ISO 27001 implementation. So you can't simply just go in and say, yeah, I'm just going to audit the way I want to know. The auditors also have to follow an ISO process. Enjoying the show so far? Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple Podcasts, Google Podcasts, and many other platforms. Visit podcast.securityla.asia to get the links to subscribe. So back to where we were, 10 chapters, Annex A. So I'll just quickly brief through the other 10 chapters. We will go into each chapter in much detail in the future lectures. Now, the other thing is that I do have to remind our listeners is that it's going to be difficult for you to recreate the ISO document listening to this podcast. So if you're hoping that you just take down notes and say, OK, I have the ISO document. I'm very sorry to tell you that we're not going to go through word by word. It is just a session for you to understand what the ISO document is, how it works, how you can apply in your organization. Because one of the key feedback we got is that I want to start security in my organization. Where do I start? What do I do? You know, there's so many things I need to get done. Well, the ISO gives you an international standard for you to follow. Hence our preference towards ISO. Yes, I agree. And along with that, there's also another question that I always get asked is that do you really need to have ISO in order to remain competitive? ISO is a tool for you to show your commitment towards a certain domain. So if you're committed in producing quality products, then you would go for an ISO 9001 certification. If you're committed to show that information security is important for your organization, it carries weight in your organization. And you want to show your commitment to your vendors, your partners, your customers, that you are an organization that places emphasis on security. Getting yourself ISO 27001 would give you that assurance. So let me put it another way around. If the board of director comes and asks you, say you're a CISO, you've just gone to an organization for some time. And suddenly the board gets this funny idea after listening to a podcast and say, how do we know that we've done everything that we need to do for us to say that we've done all the things necessary for cybersecurity? I know the question goes a little bit in the loop, so let me try to clear my thought and probably put it in a safe way. How do we know we've done everything that we needed to do for security? I think that's much more clear. Right. You need a checklist. Board of directors, you may feel free to use this question in your next board session. Right. And if they don't know how to answer that, ask them to listen to Security Lab podcast. We got the answers for you right here. So if I was the CISO standing in front of the board and I get asked that question, the first thing I would say is we have a methodology that we've adopted. If you don't have a methodology that you have adopted, then the first thing you would do is we need to adopt a methodology in order for us to be consistent as far as the approach that we take towards cybersecurity. And the ISO 27001 gives us that methodology and that approach and the ability for anyone to verify how good we are. Right. It also helps CISOs in a way where if you don't fix your methodology upfront, you have a lot of auditors coming in. You may have an external auditor doing your annual audits. You may have your internal auditors. The funny thing about auditors is that they like to pick one white paper or one blueprint or an audit framework and they'll say, OK, we're going to audit you based on this. If you have formalized your framework, then it forces your auditors to say that, yeah, I can't be judging you based on this because you've agreed to follow ISO 27001. Right. And any other recommendations would be a recommendation. And it's not a finding because a finding means that you didn't do your job. You say you're going to do it. You didn't do it, which is a bad thing when it comes to audit. Right. You get wrapped in the knuckle or you get wrapped in your head by the board members. So the first thing you do is this is the framework I'm going to use for the organization. Board members, can you endorse? This is the reason why I'm using ISO 27001. It's global. It's universal. No matter which auditing firm you use, they understand we follow the standards. The methodology is precise. And, you know, you can audit us and we can tell you how we're doing. Challenge comes in when auditors come to their own because, you know, when they sell you saying that, oh, we got a framework that we want to audit you. You know, we have 20 companies and all that that we've audited. So we want to benchmark you against 20 companies. Well, if you do ISO 270001, you have more than thousands of companies that you can use to benchmark yourself. So the benchmarking bit doesn't actually become is just a selling point for audit organizations because if they tie you into their framework, only they know how to audit you based on their framework. And obviously, their framework is proprietary. Right. The framework is proprietary, which means that only they know and only they can justify and only they would see how they would like to see you. How do I know what you say is what it should be and what it's supposed to be? Exactly. That is why you adopt a standard that's globally known that has a wider reach, which is why we recommend ISO 27001. Now, that said, in our previous episodes, we did highlight about legal and regulatory requirements. Now, the ISO standard is something that you would want to do yourself or in some instances, the regulators may push you and say, OK, I've come up with this new regulation. As part of this new regulation, you're supposed to meet this standard or you're supposed to certify yourself independently to this standard. Then that becomes a regulatory requirement. Well, that leads me to another thought. Maybe you want to finish first? No, no, it's OK. Go ahead. I'll come back. Yeah, because based on what you just said, then I think it raises some questions. ISO is supposed to help us avert some kind of threats and so forth. But all in all, to me, it is a list of standard is often very prescriptive. And first and foremost, you were saying, are we doing everything that we can? And the question that I'd ask is, is it even possible to do everything that we can, given that context is so different from one industry to another? And ISO 27001, it seems to me to be something very prescriptive. When you overly prescribe something, then it becomes less flexible. And then again, how do you adapt to changing circumstances? OK, so your question had multiple points. Let me see if I can gather all those points in my head and address it one by one. So the first thing is, how does ISO help to address issues like cybersecurity since it's very wide? The first thing is that you can come from any industry, that there's no limitations as to how is is implemented. And if you look at our previous episode, we spoke about the number of standards and guidelines that's provided by ISO under the 27000 series. Some documents obviously have been deprecated over time. But for example, there was a guideline on finance industry 27015. So if you're in finance industry, you might say, OK, so what are the areas that I should be primarily looking at? They are not mandatory for you to comply to. They give you an idea as to what you should have as part of your certification regime, so to say. So it gives you a starting point on what you want to do, which you can later on expand. That's the first thing. Secondly, will it help in potential issues? Yes and no. Right. So why did I say yes and no? Why did I say yes? Number one, having ISO shows your commitment towards ensuring that you have the right level of information security controls in your organization. That said, it doesn't mean that your organization is hacker proof. We've seen in the past and we've even discussed it in Securitylah, a number of organizations that were hacked directly, indirectly, supply chain, whichever methodology, even security companies that has been hacked. So then the question is, oh, so if I'm going to get hacked, why do I bother about ISO standards? Now, ISO standards is something like what I call as using the Pareto equation, the 80/20. It helps you solve the 80 percent of the problem, making you slightly harder to be penetrated. But you still have that 20 percent of what I consider as unknown because, for example, if there's a zero day vulnerability, look, nobody knows about a zero. I mean, there are hackers who knows about zero day vulnerabilities. The good guys, the software vendors may not know what the zero day vulnerability is. Hence, you are left open for attacks. And that happens in all kinds of systems, be it server, be it desktop or even your mobile phone. You may actually be carrying a phone that has a zero day that may or may not be exploited. Someone has to discover that there's a zero day, publish it, then it doesn't become a zero day anymore. Right. So the point that I like to emphasize is that having ISO 27001 does not make you hacker proof or hacker repellent. That's a myth. Right. I've seen a number of organizations that will still encounter some of these issues because it's like a cat and mouse game. I'm sure, Prof, you've seen the cartoon Tom and Jerry, how both of them will be going after each other nonstop in every single episode. And it's like no matter how old we get, they're still chasing after each other in the same form. Right. And that to me is a perfect analogy of how cybersecurity is. You always have the not so good guys who's trying to find ways to get into your organization, to get your data, to get money from you. Versus your internal or your vendors or security partners who's helping you keeping your walls and your fort against all these attacks. So it gives you an 80 percent chance of managing your infrastructure. But there is still that 20 percent that is unknown, which is why you have a section in the ISO document. If you look at it, the last section, Chapter 10, which talks about continual improvement. How could you improve your cybersecurity posture? You may start today with all these 10 domains and Annex A. But as the threat landscape continues to change every day, every hour or every minute, then you should have something in place to proactively look at these threats and mitigate them. Right. But it sounds like a very lengthy process to me. Well, lengthy is a bit subjective. Is it worth the preparation and the cost involved in getting this? OK, so you spoke about time. You spoke about cost. So let me look at the time bit. Now, I've been personally responsible in implementing ISO 27001 for multiple large organizations. And what I mean by multiple large organizations are both local and MNCs. And in implementing these standards, what I found is that a typical deployment takes about an average a year or maximum a year and a half. You can easily implement the requirements for ISO 27001. So in the event that, say, for example, if you don't have a firewall, well, I wouldn't imagine any organization not having a firewall in this day and age. It literally comes either built into your router or you can do something about it. Right. So that's probably not a good example. But never mind. I'll just play along with that example. Say if you don't have a firewall and you find that, oh, you need to manage your ingress and egress traffic, then what you could do is say, OK, can I implement an access control list in the router that we have? Or maybe just upgrade the router so that we could have some rudimentary access control list that would help us meet the certain requirements. So that way you can also say that, yeah, you know, you may not have what most other people have, but as long as you can show that you have a way to implement that particular standard, you're good to go. No issues. Right. So the next one is cost. So the cost depends on two things. Number one, if you're just looking at certification, the cost is really not that much. You probably spend a little bit more on a full audit, which you have to do the first time. And the next two years would be something that's called a surveillance audit. So surveillance audit means that they're just coming in to make sure that you're doing whatever you're doing and most likely not going to give you much of a hassle. The full audit is where they will check the whole ISMS in your organization and make sure that the controls are there, the internal audit is being done, your management committee is actually meeting regularly, you have status updates and all that kind of stuff. Right. So if you're looking at costs, audit is not so much of a cost. I guess where some organizations may spend a little bit more is to get a consultant or a lead implementer. We call them lead implementers or implementers who would come to your organization, look at your processes and help you put in the necessary controls and the safeguards based on the ISO 27001 and then get you ready to be certified. So, for example, they will go through, they'll create a document called the statement of applicability where they look at all the controls in NXA and they would say, OK, this chapter, this chapter, this chapter, this 15 to 20 controls does not apply because my organization doesn't do that 15, 20 things. It's not part of my business process. I don't need it. So then that 15, 20 things is out of the controls and you will only be audited based on the controls that you said you are going to do. Now, of course, the statement of applicability is also open for audit because in the event that if you nullify a lot of controls, the auditors may come and ask you to justify why those controls are excluded. And if they do find that, no, these controls should be there because there's a valid reason why your business needs it, then there can be a finding for them to say, hey, these controls should be there. You should put it in. Right. So that gives an idea from a cost perspective, how much an organization needs to spend. Now, I can't really quote the dollars and cents because that would vary based on the country you're in, human consulting costs and all that. So I really would not be able to tell you exactly how much it's going to cost you. OK, so one last question from me for organizations that are looking to certify their organizations and how what advice do you have for them? How do they use the document? Where do they start? So the first thing you start is buying the document. OK, I am not going to say whether ChatGPT can help you get the document. I'm very sure OpenAI has put in some logic to say this is a copyrighted document. Please don't ask me to regurgitate the document for you. I know now with chatGPT taking mainstream, everybody's using it for everything, you know, right up to writing the assignments, sending emails to their supervisors. So I would suggest, you know, this is a cybersecurity initiative. Please buy the document. That's the first step that you take. Right. I would suggest also for you to look at the requirements from Chapter four to Chapter 10. Look at the annex A controls. Right. And out of maybe for an average organization, you may have 60 to 70 percent of the things clearly laid out. And if you think that's a lot of initiative that needs to be done and you need someone to drive the project to be implemented. Then you may look at someone who plays the role of ISO 27001 lead implementer, come project manager to actually drive the process through. Because those kind of people would have the know how's as to how to build all these processes into the organization. And sometimes when they come in through the experience, they can see that you're actually doing it. It's just that you don't realize that you're doing it because some processes are not parked with IT security team hiring, for example, HR, physical security. You may have it separate from information security, may have a physical security team, the guards who's taking care of your building. Or you may have outsourced it to a building manager. Say you're just renting an office, but you have physical security. Then you may say that, yeah, the building is covered by this and you can work with building management for them to look through their process as to how they do it. Right. But that will not be part of the scope. You can make it as part of your audit so that you can identify if there's any shortcoming. But that wouldn't be part of the scope because you're not certifying the building. You're more likely certifying your tiny little office or your big office, depending whether you take a floor or you just take a tiny little cubicle. It depends on how you manage security for that particular area. So you won't be really going into the building management. Well, I think there's no denying the ISO 27001 is excellent tool for managing information security issues. But then it also depends on whether it delivers and also it fits our needs before organizations decide to embark on this one. It is after all not a quick fix for just any small issues. It has to be worth the time and effort to go into it. Yeah. So leading into that, in the next episode, we're going to talk about how to gauge your readiness for you to say, OK, fine, I'm going to start doing an audit and I want to make sure that I pass the audit process. So we're going to talk a little bit about the whole auditing bit. How is ISMS implemented in a 50 foot view? And for you to get an idea as to if your organization is ready, what is the next step to take? How do you know that your organization is ready? What are the indicators that will tell you that your organization is ready? So that we will cover in the next episode. Right. So look forward to the next one then. All right. Thank you, Prof. I'll talk to you soon. Bye bye. Thanks Doc. Bye. Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia where you can subscribe to the show in iTunes, Spotify or RSS so you'll never miss a show.[MUSIC]