Over the past few years, I’ve led and been involved in many security audits on both sides of the table, which has helped me develop some insights worth sharing. Sometimes these auditing engagements are seen as something to just get through; however, there were a few organisations which really made the most of the exercise and applied the impartial information learned to gain a more accurate understanding of their real risk exposure. After all, that is the primary reason for performing these assurance activities, isn’t it? To ensure that the most relevant controls for managing the highest rated risks are implemented within resourcing and budgetary constraints.
So, how can you ensure your organisation gets the most out of its next security audit? Here are my top 5 recommendations:
1. Auditor selection
When your organisation has a need to perform a security controls audit, you may be lucky enough to have an internal resource; however, more often than not, an external resource will be required to perform the audit, or at least to assist your organisation when it is being audited. If your organisation does have an internal security auditor (or auditors), it is likely you will need to book the audit into their schedule well in advance and ensure that there is no conflict of interest or bias which could impact the objectivity of the review. Alternatively, the use of an external security auditor may be more appropriate and timely, as most small to medium-sized organisations do not have this capability in-house. Depending on the type of audit that is required, an organisation can opt to use specialist auditors to best meet its business needs.
2. Purpose of the audit
The purpose needs to be distinct and clear in order to be met. The purpose can also influence the selection of an auditor, as it is an important factor in what kind of audit is required and what will be done with the results. Many of the audits we do at Axenic are designed to assess the effectiveness of a defined set of security controls which have already been recommended to manage the risks identified by the organisation. This allows for a more accurate assessment of the current level of risk, such as for Certification purposes, and where to invest effort in further risk reduction (if necessary). Other audits may be in regard to an international standard, such as ISO27001, to assess the level of compliance to the standard and identify any potential nonconformities which need to be addressed prior to achieving (or to maintain) certification.
3. Scope of the audit
The scope of the audit needs to meet the business purpose from point 2. It may be for an entire organisation or limited to a system or a specific process. In defining the scope, you will need to consider the applicability of controls to the organisation as well as any security controls assigned to named third parties. The ability of your organisation to source assurance material from third parties will positively or negatively impact the scope, as more auditing effort may be required.
Many of our clients find that the prioritising of security controls to audit is a good way to achieve sufficient coverage of control assessments, based on an organisational risk management plan.
4. Providing relevant documentation and interviewees
Once the purpose and scope have been agreed upon, the gathering of evidence begins. The Audit Plan or Controls Validation Plan is your organisation’s resource for identifying the best documentation, interviewees, and demonstrative examples to show the implementation and effectiveness of the security controls. This is where having an internal resource at your organisation who can correctly locate these documents and identify the right people is a real advantage. They can work out what information is actually being sought and where it is located, regardless of the generic example document name being asked for or what the typical role title may be.
I can’t stress this enough – ensure that the people being interviewed can speak to the documentation provided and the processes described in the control description. This goes a long way toward showing whether the practice has actually been implemented, and makes it much easier to demonstrate its effectiveness.
5. Be honest
It is a really important decision when an organisation chooses to use its limited resources to conduct a security audit, so being dishonest would be a huge waste of that time and effort. I’m talking about misrepresenting or manufacturing evidence, or being less than truthful during interviews, and yes, this has been known to happen. The best outcome in that situation is that the misinformation becomes apparent because the control cannot be demonstrated. The worst outcome is that the fabrication is never identified, and a weakness which could have been highlighted and addressed continues to exist.
By helping the auditor identify issues that are known to exist, the audit report can then be used to raise visibility and promote investment in remediating these deficiencies – or at least succeed in escalating the decision on whether or not to address them.
So there you have it, my top five tips on how to get the most out of your next security audit. If you have any questions on the points raised or are considering a security audit for your organisation feel free to get in touch with the team here at Axenic.