David Forman didn’t just learn ISO 27001 — he memorized all 114 security controls.
At that time, he was part of the staff at EY, and the only one who knew every control by heart. Decades later, David is now a go-to expert in a field that defines how companies protect their most critical information.
- ISO 27001 isn't one-size-fits-all. You can adapt it to your business.
- Engage auditors early to save you from mistakes later.
- Start with a scope and risk analysis. Then, map your controls.
David Forman remembers the first time he encountered ISO 27001. He printed out all 35 pages, made flashcards, and memorized all 114 controls. “No other partner at EY had them memorized. And I wasn’t even a partner, I was staff,” he laughs. “You can become an expert at this stuff if you just invest in it.”
Now, Forman is one of the go-to experts in ISO 27001, a framework that touches everything from HR to legal to procurement. “It can fit a two-person organization, but also a two-million-person organization,” he says. “That’s why I think it has its popularity — because of its flexibility as a management system.”
In the U.S., ISO 27001’s rise is just starting. Forman traces its ascent to a few key inflection points. The first was in 2010, when AWS became one of the earliest companies to get certified. “It created this network effect,” he explains. “If the largest cloud provider was certified, everyone else started to think about it too.”
"The first major company to get 27001 certification was AWS. They started a network effect where [companies] said, 'All right, the big cloud service provider has this certification. I should think about it too.'"
Then came the breaches — the Target hack, the Equifax disaster. “Whenever it becomes a consumer issue, that’s typically good for security,” he notes. “Your typical board members or C-suite don’t have a security background. But when it becomes a consumer issue, it flows up the chain. They say, ‘Hey, we should be proactive around measures and not just have a crisis plan.’”
And, of course, there were the Snowden disclosures. “For a long time, U.S. companies said, ‘Oh, we follow U.S. laws, you don’t need to worry.’ After Snowden, international customers started saying, ‘We don’t care about U.S. standards. We want you to adopt ours.’”
Despite its rising profile, Forman is quick to clarify that ISO 27001 works best as a baseline. “I see so many organizations just spin their wheels,” he says. “They spend 18 months implementing a management system for the first time, when it’s perfectly normal to have gaps in the system during initial certification, and you can still get certified.”
His advice? Engage your auditor early. “There’s this myth that you shouldn’t reach out to the audit firm until you’re ready for certification,” he says. “But the auditor can clarify what the ISO standard is saying and do check-ins as you get closer to the stage one audit.”
For Forman, the real value of ISO 27001 lies in what he calls “staying power.” A certificate isn’t just a pass/fail document. It’s a signal that your organization takes trust seriously.