Many organizations seeking ISO 27001 certification face other cybersecurity compliance audits as well, like SOC 2, ISO 27701, HITRUST, FedRAMP and/or CMMC.

If that applies to your company, consider the benefits of consolidating your cybersecurity audits so they happen at the same time with one registrar/audit firm.

Streamline your activities to save considerable time and money.

“If I can go to one auditor versus six auditors, I think that’s a huge value proposition,” said John Verry, Pivot Point Security’s CISO and Managing Partner, on a recent episode of The Virtual CISO Podcast. John’s guest was Ryan Mackie, Principal and ISO Practice Director at leading audit firm Schellman & Company


Compliance with a fast-growing array of privacy regulations like the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) is now a major concern for many companies. If your business stores and/or processes personal information (PI), chances are you’ll soon need to prove you can protect it.

Aligning with ISO 27701, the privacy extension to the ISO 27001 information security standard and a trusted international data privacy standard in its own right, could be “the silver bullet” that reduces the complexity of managing compliance with multiple, overlapping privacy regulations.

To shed light on how ISO 27701 can help your business prove…


The Cybersecurity Maturity Model Certification (CMMC) framework breaks up cybersecurity technical controls and best practices into seventeen domains. Each domain contains capabilities, processes and practices that fall within the CMMC’s five maturity levels. US Department of Defense (DoD) suppliers must prove CMMC compliance at the maturity level their contract requires, based on the sensitivity of the Controlled Unclassified Information (CUI) they process, store, or transmit, and the cybersecurity risks they face.

The Configuration Management (CM) domain focuses on defining consistent, controlled and audited configuration and change management practices, including eleven practices within two capabilities at CMMC levels 2, 3, 4…


The Cybersecurity Maturity Model Certification (CMMC) framework categorizes information security best practices and technical controls into 17 domains. Each domain includes various capabilities, processes and practices spanning the CMMC’s five maturity levels. US Department of Defense (DoD) contractors and subcontractors will need to comply with CMMC at whatever maturity level their contract specifies, depending on the sensitivity of the Controlled Unclassified Information (CUI) they handle; the cyber threats themselves are broadly similar across the defense industrial base (DIB).

With a total of five practices organized into two capabilities at CMMC levels 2, 3 and 4, the Awareness and Training (AT) domain focuses on ensuring…


Defense Federal Acquisition Regulation Supplement 252.204-7021 (DFARS 7021) is one of three related clauses that the DoD’s new interim rule adds to the DFARS. These new clauses supplement DFARS 252.204-7012, which has appeared in US Department of Defense (DoD) contracts since 2018.

The interim rule, in effect as of November 30, 2020 after a short comment period, reflects the DoD’s determination to “address threats to the US economy and national security from ongoing malicious cyber activities.” …


Defense Federal Acquisition Regulation Supplement 252.204-7020 (DFARS 7020) is one of three interrelated clauses that the DoD’s new interim rule adds to the DFARS. These new clauses supplement the original DFARS 252.204-7012 clause that has appeared in US Department of Defense (DoD) contracts since 2018.

The purpose of the interim rule, in effect as of November 30, 2020, is to shore up lax cybersecurity across the US defense industrial base (DIB). The challenge has been that, under DFARS 7012, a high percentage of suppliers have been self-attesting to DFARS compliance without verifiably bringing their systems and processes into compliance.

DFARS…


Software-as-a-Service (SaaS) providers need to be alert to a uniquely broad and complex range of information security risks impacting every business area, from their hosted production environments to their application code to their project management tools to their networks to their people.

As a SaaS consumer, how can you assess a SaaS firm’s security and the vendor risk they present? What cybersecurity attestations, certificates and/or credentials should you be asking for?

On a recent episode of The Virtual CISO Podcast, host John Verry asked that question of our guest Ryan Buckley, a long-time SaaS security consultant and software security expert: “So let’s say Pivot Point is about to go out and license a SaaS, and we’re going to put what we call ‘client confidential’ information in there. If I…


SaaS providers face information security risk from every direction: from their application code to their software development tools to their networks to their employees.

One of the areas with the greatest potential for risk to materialize is a data breach or other security incident affecting the hosted product/service that SaaS customers consume.

SaaS security expert Ryan Buckley noted on a recent episode of The Virtual CISO Podcast that many SaaS providers have overlooked significant security vulnerabilities in their production applications.

“It’s all over the map, and that’s why it’s so important to do good upfront diligence when you’re a consumer of software, whether it’s on-prem or in the cloud,” advises Ryan. “Kicking the tires of the vendor to understand how they develop is really, really important.”

“It’s very…


If your business depends on an Internet of Things (IoT) ecosystem to acquire data or deliver services, you already know that the number and complexity of your “things” and their interconnections have a huge impact on your IoT security testing requirements. At the same time, because IoT is changing and expanding so rapidly, it can be a challenge to have full confidence in a third-party (or even in-house) testing/assessment methodology.

How can you know that your IoT environment will be comprehensively tested, and that you’ll be made aware of any/all significant vulnerabilities?

This was a key topic of discussion on a recent episode of The Virtual CISO Podcast with two IoT thought leaders from the Cloud Security Alliance (CSA): John Yeoh and…


Whether the provider is in a startup mode or a well-established leader, cybersecurity is a challenge in the world of software as a service (SaaS). Companies often presume their SaaS environment is secure because it’s hosted on a robust public cloud platform like AWS or Microsoft Azure.

But is that really true? How good is security in the SaaS industry… really?

To get an insider’s perspective on where SaaS providers do and don’t measure up on security, we invited Ryan Buckley to join a recent episode of The Virtual CISO Podcast. …

Pivot Point Security

We are a trusted source of simple, practical, and actionable information security guidance.
