I’ve been an information security auditor for almost fifteen years. I’ve performed internal audits as well as external audits. I’ve worked in a number of different industries, including utilities, finance, healthcare, and manufacturing. I’ve also dealt with many different frameworks, from HIPAA to PCI to GLBA to ISO 27001. I’ve seen what controls have worked well for different organizations, and which ones (frankly) just haven’t.
To sum up my focus as a cyber auditor I like to quote a former boss, who used to say:
“Achieving an information security certification is not about being a C student. You can’t expect every client to get an A+, but they need to achieve more than a C.”
So, what does that mean? It means a successful certification takes work and will most likely put you outside your comfort zone. Changes in organizations are always met with a level of discomfort, but having robust controls can feel natural once they’re built into your culture.
Based on that view, I think a key part of my role as an auditor is to encourage clients to achieve the best they can. Yes, they might experience some “growing pains” along the way—but it’s all worth it once they’re certified or compliant and have robust controls in place.
How Cyber Security Auditors Help Businesses Navigate Cultural Change
The auditor must help the client fill in the blanks by critically evaluating how well a control is doing its job, and perhaps guiding the client towards a more effective approach.
But those can be hard conversations to have with clients. Every industry is different and every organization has a different level of risk tolerance, as well as varying levels of process maturity. Clients also have different motivations for achieving a certification in the first place.
At the same time, threats are continually advancing and intensifying. That’s another reason why, as an auditor, I encourage clients to work towards implementing best practices and not just “do the minimum” to get a certification.
I might be involved at the start of an ISO 27001 certification project, learning and growing with a client as we assess their controls and identify potential non-conformities. Or I might be involved near the end of the project, writing a report following the internal audit that precedes the actual ISO 27001 certification audit.
Either way, I’m looking to help the client implement what we believe is the best information security management system (ISMS) for their unique situation. I’m also doing my best to help the client make the most of the engagement, based on THEIR goals.
To work toward an ISO 27001 certification with a team that is focused on helping you get maximum benefit for your time and money, contact Pivot Point Security.