Your organisation won’t be able to protect its systems for long without an information security audit. That’s because cyber threats and the way your organisation operates are constantly changing, so you need to take stock of your security practices regularly rather than once.
Whether you’re trying to certify to an information security standard, meet legal requirements or perform an internal assessment of your current practices, there are certain things you can do to make the process run smoothly.
1. Let the auditor know about recent changes to your structure
Information security audits are assessed against the risks and challenges that are unique to your organisation. Every organisation is structured differently, which is why security standards and laws often leave a degree of freedom in how controls are implemented, requiring organisations to adopt controls that are “appropriate” to their context.
The auditor must therefore be familiar with the organisation’s context – at least for the parts within the audit’s scope – in order to judge what is appropriate. They can gather some of this information from your current set-up and documentation, but this might not be up to date.
As such, we recommend providing the auditor with an update on any changes to your:
- Organisational structure;
- Business aims and objectives;
- Contractual relationships;
- Market and customer trends;
- Applicable laws and regulations; and
- Technological trends and innovations.
2. Assign someone to assist the auditor
The auditor will almost certainly have questions at various points. Some of those will be logistical, like where certain documents are kept, whereas others will relate to the organisation’s approach to compliance.
You should therefore assign someone in your organisation to assist the auditor as they work. The person in question should have a strong understanding of the audit process and will ideally hold a relevant qualification.
Helping the auditor during the audit also has long-term benefits for your organisation, as the person assigned to help will gain first-hand experience of the audit process. They can use this knowledge to plan and perform your own internal audits.
3. Keep your own notes
If your organisation has complex processes, it could take some time for the auditor to identify every relevant issue. Indeed, in many cases, the auditor will never be as familiar with the management system as the team that developed it.
Complexity is rarely a positive trait for an organisational process, but it’s sometimes a necessary one. You can stop your systems from becoming completely unmanageable by keeping your own notes during the audit: record observations, opportunities for improvement, comments and findings as they arise, so that nothing is lost and the audit process is streamlined.
These notes should be reviewed and used to inform your continual improvement efforts.
Have you got what it takes to be an auditor?
The growing information security demands on organisations mean that expert auditors are in high demand. If you’re looking to gain the skills to fulfil this role, you might be interested in our ISO 27001 Certified ISMS Lead Auditor Training Course.
This four-and-a-half-day course is ideal for those who want the responsibility of overseeing an organisation’s compliance with ISO 27001, the international standard for information security, or reviewing others’ compliance practices.
Alternatively, you might be better suited to our ISO27001 Lead Implementer and Lead Auditor Combination Course. Over eight days, you’ll learn everything there is to know about ISO 27001, covering the steps you should take to adopt the Standard’s requirements and how to audit organisations’ compliance posture.
If you’re not ready to enrol on a training course yet, you might prefer An Introduction to Information Security and ISO 27001 (2013): A Pocket Guide.
This book provides a comprehensive introduction to the principles of the information security standard. It’s an ideal resource for anyone who wants a clear, concise and easy-to-read primer on the steps you must take to implement ISO 27001.