
Ask an Auditor Office Hours #4

Welcome back to our weekly Ask an Auditor!

Each Wednesday from 1-2pm PT, someone from either the Security Labs or Customer Success teams will be on deck for one hour to answer any and all Qs you may have.

This week we have @Conrad, a member of our Customer Success team. If you don't know him from your interactions with the CS team already, he is extremely knowledgeable, personable and ready to answer your questions.

Here's how to participate:

  1. Submit your Qs in this discussion thread, and go about your day! Or, you can stay on during the hour (1-2pm PT) and submit as many Qs as you'd like.
  2. Conrad will write out an answer to you as soon as he can, and tag you in his answer.
  3. Submit your Qs even when office hours are over - Conrad and/or someone from CS/Labs will answer your Q within 1 business day.

We look forward to hearing from you and hope we can help you out!


  • Woohoo, @Conrad!

  • Hi @Conrad, thanks for hosting this week. I have a 27001 question I'm hoping you can help me out with:

    My team and I are not Tugboat customers (we really should buy a license), and we've been handling all of our 27001 work manually.

    But there are a lot of moving parts that we find hard to keep track of. Aside from buying Tugboat (we plan on it this year, just need approval), are there any good tactics and free templates you recommend for managing 27001?

  • Conrad (Tugboat Employee, Tugboat Team)

    Hi @richardlee

    Thanks for joining me at the Helm.

    Great question!

    For ISO 27001 a key component is demonstrating that you have an operational ISMS (information security management system). A fully functional ISMS comprises numerous building blocks such as Asset Management and Control, Cryptography, Operations Security, Incident Management and Physical & Environmental Security, to name a few. I would use the ISMS building blocks as the basis for my research and look at reputable sources such as NIST, OWASP, CSA, OCTAVE, ISO 27002 etc. for appropriate guidance. These sources also contain useful templates that can be leveraged during your ISO 27001 journey.

    However, to summarize, I would recommend starting by developing a project plan - treat your ISO 27001 initiative as a project that needs to be managed diligently. This should be followed by performing a risk assessment (RA) - the objective of the RA is to identify the scope of your ISMS. Then develop and implement the policies and procedures required as per ISO 27001, followed by the design and implementation of controls required to remediate the identified risks.

    Last but not least, monitor against documented policies and procedures by performing regular internal audits and assessments.

    For our current customers, Tugboat Logic has prebuilt policies, controls, and implementation guidance (with templates) that are mapped against ISO 27001 so you can instantly visualize gaps in your security program, and assign and track implementation of missing controls.

    Warm regards,


  • @richardlee you should hit up @karlbagci, Head of Operations at Cronofy. He's a wicked smart and wickedly funny dude who's gone through three 27001 certs (and got Cronofy 27001 certified in 6 weeks!!!), and might be able to share some tips.

    He also has an excellent, concisely written series (yeah, there's none of that legalese double-speak lol) on how to get your 27001:

    Part 1: 27001 Overview

    Part 2: ISMS Scope, SOA, and Application Letter

    Part 3: The Devil is in the Details

    Part 4: The Audit