🔒 Patreon Special

IT Pros: exclusive shows await you on Patreon, focusing on the more challenging aspects of running your practice and working with clients and employees.


668: Michael Thomsen of Origin 84, Part Two - Reusable Compliance Policies, ISO 27001 Audits, and Building a Fractional GRC/Strategy Bench

In this Command Control Power episode, host Joe and guests discuss standards, policies, certification, and compliance with Michael Thomsen of Origin 84 in Sydney, continuing an ISO 27001 deep dive. Michael explains how policies are written to solve specific control problems (e.g., MFA) and can be reusable, while areas like data classification require tailoring based on a client’s industry, legislation, contracts, and workflows; key discovery questions include where data is stored and shared, and what obligations contracts impose. The conversation contrasts frameworks (NIST, Essential Eight) and notes auditors verify that policies drive processes and are followed, emphasizing continual improvement through audits, risk/incident tracking, and iterative remediation. Jerry and Sam share healthcare/SOC 2 experiences and discuss shifting solo consultants from tactical support to higher-value strategic advisory/account management, using fractional roles and partners. Michael outlines Origin 84’s fractional model (financial controller, HR, strategy officer, plus legal/CFO) and sourcing via professional networks, LinkedIn, and conferences like ACEs, where Michael will present on account management.

00:00 Welcome and Recap

00:45 Reusable Policies vs Tailoring

02:20 Data Classification Nuances

03:33 Discovery Questions That Matter

06:18 Building Trust Without Conflict

07:30 Insurance as the Trigger

08:47 SOC 2 and Framework Reality

10:50 Audits and Continuous Improvement

12:48 Breaking Down Compliance Work

14:07 Jerry’s Healthcare SOC 2 Case

15:49 Fractional Support Models

17:13 Move Up to Strategic Advisor

19:16 Agency and Stakeholder Dynamics

20:41 Consulting Revenue Mindset Shift

23:26 Hand Off Tactics, Lead Strategy

24:21 Healthcare Provider Experiences

24:30 Compliance Strategy Calls

25:16 Subcontracting Specialist Help

25:55 Scaling With Key Hires

28:18 Fractional Finance And HR

30:03 Fractional Strategy Officer

31:26 Outsourced Regional Support

32:31 Finding Fractional Talent

36:55 Networking At ACEs

39:41 Account Management Matters

41:51 Wrap Up And Farewell