We're excited to announce that we'll be joining the One Trust family! Together we'll help companies get certified, build trust, and win deals. Find out more about it here on the Helm or check out our official press release. Feel free to leave a comment or question regarding the big news.

Ask an Auditor Office Hours #1

Victor Mod
edited September 2020 in Ask an Expert

Welcome to the first Ask an Auditor Office Hours session!

Each Wed from 1-2pm PT, someone from either the Security Labs or Customer Success teams will be on deck for one hour to answer any and all Qs you may have.

And yeah, you'll really be chatting with a former auditor :) Almost everyone on both teams hails from one of the "Big 4" and has deep exp in security and compliance.

This week we have @Chika, Sr. Security Analyst on the Labs team, and a former auditor at two of Nigeria's largest banks. She's an absolute delight to work with in every sense of the word, and has so. much. knowledge. 💪🙌

Here's how to participate:

  1. Submit your Qs in this discussion thread, and go about your day! Or, you can stay on during the hour (1-2pm PT) and submit as many Qs as you'd like.
  2. Chika will write out an answer to you as soon as she can, and tag you in her answer.
  3. Submit your Qs even when office hours are over - Chika and or someone from Labs will answer your Q in 1 business day.

Meet Chika

Chika is the tireless badass of the Tugboat Security Labs team, having been the first and founding member. Since her first day at Tugboat, Chika has been helping demystify security and taming compliance for our customers.

To say Chika knows security and compliance is an understatement: she has over a decade of experience in IT and security, having started her career in technical support and then moving on to the enterprise security and audit teams at the two largest banks in Nigeria. When she’s not helping customers and thinking about all the security, she’s drinking fine wine, enjoying a good read, and no longer driving in four hours of one-way traffic just to get to work.



  • Hi @Chika what's a “statement of applicability” for ISO 27001? One of my clients requested that, and I can't decipher what it is from my Google searches.

  • Chika
    Chika Tugboat Employee Tugboat Team

    Hi Samiam, its nice to e-meet you as well and thanks for joining the helm. 

    I suggest you consider your customer base first, if majority of your customers are in North America then focus on SOC 2 and i would also recommend you go back to this customer and discuss what their needs and expectations are as the SOC 2 Report should satisfy their needs. 

    I hope this helps.

    Thank you!

  • Chika
    Chika Tugboat Employee Tugboat Team

    Hi @richardlee,

    Thank you for joining the helm.

    ISO 27001 has a list of controls which can be found in Annex A of the standard, there are 114 of these controls grouped into 14 sections (domains).

    The Statement of Applicability is the list of the controls in Annex A with details of applicable or non applicable controls in addition to the justification for marking them applicable and not applicable.

    Typically, It has a column with the list of controls, a column to mark these controls applicable or not applicable and another column with justification for the option selected in the previous column. Example: If I mark a control applicable or not applicable I should provide justification for any of the options i have marked.

    I hope this helps and the google search ends here😀. Do let me know if you have more questions.

    Thank you!

  • @richardlee check out this article @karlbagci (Head of Ops at Cronofy) wrote re: the 27001 cert process: https://medium.com/@karlbagci/delivering-iso27001-part-2-of-4-isms-scope-soa-and-application-letter-48fe251a2904

    It echoes what @Chika explained, and his series as a whole is a good explainer on 27001.

  • Thank you, @Chika!!! Yes, the Google searches end here - I very much appreciate your thoroughness.