celebrating my milestones and learnings
To understand the most important decision I made in 2023, I have to provide some background:
Most ISO auditors (99%) are contractors. They work on non-exclusive contracts, meaning they can work for any certification body and often work for several simultaneously in addition to their own consulting. That's what I actually did in 2022 and early 2023. With one small correction:
I worked exclusively for the Lloyd Register, even though I was a contractor. My schedule was completely booked with back-to-back audits with no any chance to work for any other certification body. Don’t take me wrong: I had a good daily rate and conducted multiple ISO audits. Many other certification bodies wanted me to work for them, but there was no incentive to switch since ISO auditing requires individual qualifications, and there are only 24 hours in a day. I worked holidays and weekends last year because of the high demand and very interesting companies and famous brands (I couldn't say “no” to them) and decided 2023 should be different. The only way to change it was to take a permanent position and get paid time off, sick days, and weekends.
Most importantly, I wanted to transition from auditing ISO 9001, 14001 and 45001 to the information security family of standards. By the end of 2022 I was only qualified for ISO 27001:2013 with limited experience in that certification.
My goal was to gain more 27001 experience, re-qualify for the 2022 revision, and add at least one more information security standard. This depends entirely on the certification body, not the auditor. ISO auditors can't easily diversify their experience independently.
So, my goals for 2023 were:
- Work 40 hours per week
- Have guaranteed work/life balance with paid time off
- Expand my qualifications to other ISO 27 information security standards
By January 2023, I had three interviews for permanent positions. One was with DNV (Det Norske Veritas). Please don't confuse us with the DMV - we are not the Department of Motor Vehicles! I think our marketing team does a poor job distinguishing us on social media since many clients still mix us up.
Anyway, DNV is an international certification body that provides ISO and other certifications along with maritime inspections, medical auditing, and more. We went on and off in the job interview process… for six months (!) before I finally agreed to sign the employment agreement. I was really scared to sign the permanent employment agreement because it could mean that I would stick with those three ISOs I had in an unusual ISO auditor permanent position with no benchmark for salary or benefits.
Until in January 2023, I realized the ISO information security audit market was facing a crisis. Most of the certification bodies were slow and unwilling to participate in any changes or risks to going in the new direction. Most standards released new revisions, but there were few auditors, even for the old ISO 27001: 2013 version. This meant that despite my goal to add an ISO 27 qualification, I needed to work for a certification body that was prepared for the changes and was willing to develop that new area.
So, in February, I became one of the few permanent ISO auditors in the whole industry. I sometimes question if it was the right move, but it was undoubtedly one of my biggest 2023 decisions.
I will not be torturing you any longer. Yes, it was new for me and for the DNV, and this is why my goal was very modest: to add only one new information security ISO certification and maybe… Maybe… to do an upgrade to 2022 for ISO 27001. If the DNV has any clients who are willing to be audited for the ISO 27001: 2022, or even will be willing to step further in that direction.
And ta-dam! Here are the certifications I'm now fully qualified - only ten months later with two first months of the onboarding process:
ISO 27001:2022
ISO 27002 (not certifiable but some clients requested gap audits)
ISO 27701 data privacy - my favorite, given its complexity and scope and inclusion of 12 other standards
ISO 20000 family - 9 standards for internet/online services
ISO 27017 Cloud Security
ISO 27018 Cloud Privacy
ISO 22301 business continuity
I'm also the only Americas-based auditor qualified for:
TISAX Automotive Industry Security
WLA Lottery Industry Security
GWO Wind Industry Training (don't ask how I got that one!)
As you can see, I went from hoping to add one information security certification to gaining more than 12. I'm thrilled that DNV gave me this opportunity.
Most certification bodies aren't positioned to develop these new service lines
Just for you to understand: without new sales gigs, flexible planning, customized training programs, and cross-collaboration in at least five different certification body departments, auditors can't gain these skills on their own. DNV's willingness to invest in these capabilities makes them an ideal partner.
It’s not only rainbow and unicorn land. I do sometimes regret the intense schedule required to qualify for so many standards simultaneously. Contractors can decline half-day onsite audits involving long flights, but as an employee, I oblige. The downside of having rare skills is having no backup or Plan B auditors behind you. I am tired of the constant travel and shifting time zones with back-to-back remote audits.
As a lead auditor on complex, multi-standard audits, I'm accountable for deliverables even after my onsite duties end. My working hours don't reflect the end-to-end management of those complex audits. So, the expected work/life balance is far from ideal.
My unique expertise also means no comparable benchmarking compensation. Certification bodies desperately want these skills but can't accurately value the work. Those offering outsized salaries often aren't operationally ready to deliver.
Another 2023 achievement I didn’t plan: I started posting more regularly on social media this year, mostly scheduled posts in batches I soon forget about! My 2024 goal, however, is to finish two books - one on information security audit prep and another on entering the ISO auditing field. This is the only way for me to give some structure to all those posts I posted through 2023.
For those who don’t know me, I already have 4-5 published books in Russian and one in English. My first was a 2001 Russian tax and labor law guide - very outdated right now! But I haven't stopped writing since
The famous quote by Leo Tolstoy translates to English as: "You should only write when you cannot not write." Totally applicable to me!
Another goal for 2024 is to find a personal assistant who would know how social networks work, has not only native English but great grammar skills and wants to be an ISO auditor. I am totally lost right now of all the posts I posted. I keep forgetting whatever I posted on Linkedin or my website, if I reposted it or if it’s a different post, and when it is supposed to be the second part of that post I posted a month ago 😳🤣
Anyway, today, I'm proud to work for a true pioneer, the DNV, who leads ISO into new frontiers. I'll share more insights from our industry at the DNV Texas auditor conference in early January 2024. Follow me on Instagram for behind-the-scenes footage! Also, this year, I had more business and other trips than I can count, I promise to share all future ones in my Instagram: https://www.instagram.com/bobkova.online.usa
For those brave people who made it this far, here is a free ISO audit preparation checklist: https://t.ly/UdDZo
and opening meeting template:
PPT: https://t.ly/D6f9I
Keynote: https://t.ly/3ooWR
See my YouTube for the instructions (how to use the opening meeting template and why d you need one): https://t.ly/LsZZr
💚 Remember that it’s your comments and re-sharing - it’s that inspire writers and bloggers to keep going, keep writing, and continue to share more information