When most people think of audits in general, they’re imagining mundane, cookie-cutter affairs that are about as interesting as watching goldfish. Yet I’ve never had two cybersecurity audits that followed the same path. There’s always some kink in the road.
And it’s how you recover from those unexpected glitches—both as an auditor and as a client—that makes or breaks the audit, not only in terms of “pass-fail” but in terms of the value a business derives from the audit process.
Approaching an Internal Audit
In the case of ISO 27001 internal audits, the whole point is for your business to validate the effectiveness of its information security management system (ISMS). Yes, an internal audit can help you prepare for an ISO 27001 surveillance audit or certification audit. But an internal audit is also very much about validating that your ISMS meets your business objectives for information security.
Recently I performed a security audit where our team was on site for three days. For all but half of one of those days, the person we were supposed to meet with wasn’t available. It was a case of “OK, we’ll do the best we can but we still need to follow up with you…” Meanwhile, our time on site was marginally productive and we still didn’t have the documentation we needed.
I call that a “catch-up audit.” We still have to do the audit… But it’s not going to be as straightforward as conducting a series of well-prepared interviews and ticking off what everyone does and how everything works and then validating what we learned with the provided documentation. And, unlike an ideal internal audit, it’s not going to be done in three days.
In the end, our absentee client provided documentation only in printed form; no electronic data. We had to read through all of it, understand it as best we could, make notes on it, and then prepare to eventually get back to it when the client was available.
Yes, we now had the documentation, but we still needed to do the evidence check, which meant I could start formulating the report but couldn’t render an opinion until the client was available to follow up.
Internal Audit Reports
With any ISO 27001 internal audit, the deliverable to the client is an audit report, which basically tells them where their information security management system controls are effective and where they’re not. But if we have incomplete information, that report doesn’t offer as much benefit to the client. What’s the point of handing over a lightweight report and collecting a check?
I’ve also had clients at the other end of the spectrum who gave me everything I needed and then some, and then sat with me as I conducted interviews. In those instances, I’m alert to see if the staff seem “coached” or if they’re responding from knowledge and familiarity.
Again, even with subtle things like evaluating nonverbal cues, I’m looking to find out what I need to know to help the client see what’s working and what’s not working, so they can improve if they choose to.
Another thing that can make an internal audit go sideways is delivering “bad news,” especially to a C-level executive. How the auditor approaches this can make a world of difference. Once again, I’m looking to maximize the potential business value of the information. You might not like what I’m telling you, but I’m going to tell you in such a way that you can make the best use of it: this is what we found, this is how we arrived at our conclusions, these are our recommendations for remediation, and these are some of the ways we can follow up.
Improved Information Security is the Ultimate Goal
What it all comes down to is helping the client improve their information security posture. The internal audit is just one more tool I can use to help you see the strengths and weaknesses of your ISMS, educate you about various issues if need be, and talk about how best to proceed from there.
But at the end of the day, you may hear and understand my recommendations but still not want to act on them. Naturally, I want clients to be as enthusiastic as I am about building their programs. But, as a consultant, I understand that some firms aren’t ready to commit to creating and maintaining a robust ISMS: “Thanks for making my audit issues go away; don’t call us, we’ll call you…”
So that’s how ISO 27001 internal audits look to me as an auditor. You make the best plan you can make and you find out when you get there what you really need to do.
To work with an ISO 27001 internal audit team that is focused on helping you get maximum benefit for your time and money, contact Pivot Point Security.
It's a little more complicated than just checking off a few boxes.