The self-audit is the most basic form of cyber security audit. While it is no substitute for the impartiality and expertise of a professional auditor, a self-audit can add considerable value, particularly if you’ve never done any form of audit before.
Audits vs. Assessments
Before you begin, the first question to ask is: Do you want an audit or an assessment? The difference is important:
- A cyber security audit functions like a checklist: it validates that your policies, procedures and controls exist and are followed, and identifies gaps, usually measured against a framework or standard such as ISO 27001.
- A cyber security assessment is less formal, and more about developing a better picture of your security posture and its overall effectiveness.
Self-Audit Pros and Cons
If you decide a self-audit is what you want, you need to be aware of the advantages and limitations of the process. Let’s start with the advantages.
The key advantage you have in self-auditing is you really know the lay of the land. You know your company culture, your applications, your security controls (or lack thereof), your current documentation and policies (or lack thereof) and how to maneuver among leadership and gatekeepers to find things out.
These advantages can help you do a thorough job within the limits of your expertise and the scope of your access. An external auditor, in comparison, is dependent on the level and quality of communication they have with people in your company. An external auditor who struggles to acquire the right data in a timely manner can produce unreliable or incomplete results.
Likewise, your position as an employee and change agent gives you an advantage when it comes to applying the results of a self-audit to your environment, at least for the things you control. For example, you should be in a good position to socialize the security best practices you are aware of. You can also support implementing changes in a manner that yields acceptance and verifiably positive results for your security posture. Further, depending on your position and the resources at your disposal, you may be able to reduce or limit cyber risk for a business area that you are solely or primarily responsible for.
Now let’s look at the inherent limitations of a self-audit. Chief among them: you don’t know what you don’t know. Without broad experience auditing across companies and frameworks, you are limited by your personal view.
Is your perspective limited by “tone at the top”? Can you validate that your approach is the best approach? Do you have the skills and “moral fiber” to deliver an unbiased, detailed review of your current security posture? Does your expertise encompass all the security domains you’ll need to audit? Do you have up-to-date knowledge of ever-changing best practices? Do you have the time and resources to accomplish a self-audit and recommend next steps?
Answering "no" to most of the above questions doesn't mean you won't benefit from a self-audit. My point in illuminating the limitations is to keep expectations in line with reality: a self-audit can surface real issues, but it should not leave you thinking you're covered when you're really not.
Expert Third-Party Audits
Along with our ISO 27001 certification practice, Pivot Point Security also offers a full spectrum of assessments and audits to help you identify, understand, manage and mitigate information security risk and address gaps.
Contact us to help you develop an effective audit/assessment strategy, augment your in-house expertise, or ensure you can prove to stakeholders that you’re secure and compliant.
For more information:
- Those seeking to align with the NIST Cybersecurity Framework may benefit from NIST's cyber security self-assessment tool
- ISACA’s white paper and infographic on auditing cyber security
- The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) self-assessment tools