AUDIT OF COMPLIANCE WITH PN-ISO/IEC 27001:2007 STANDARD
Information, processes and IT systems have long been key assets of almost every organisation. For this reason they are exposed to threats from a wide variety of sources, including computer fraud, espionage, sabotage, vandalism, fire and flooding.
ISO 27001 is a specific guideline for creating an information security management system (ISMS) which, through the application of a risk management process, preserves the confidentiality (information is not shared with or disclosed to unauthorised parties), integrity (the completeness and accuracy of information) and availability (information is accessible and usable when an authorised party requests it) of these assets.
Your organisation may have various motives for auditing ISO 27001 compliance, among which are:
- the desire to build an ISMS and then proceed to certification for compliance with the aforementioned standard,
- checking the effectiveness of the implemented ISMS,
- regulatory requirements,
- identification of areas requiring corrective action.
Regardless of what motivates you, an ISO 27001 compliance audit includes the following activities:
- conducting an inventory and asset analysis,
- defining the approach to risk assessment and carrying out an information security risk analysis and assessment,
- defining relationships with suppliers,
- analysis of information security incident management,
- developing business continuity plans,
- defining roles, responsibilities and authorities related to information security,
- defining ways to measure security effectiveness.
The planning of the audit (the creation of its programme) is a particularly important stage, as it requires careful preparation. It looks completely different in a small company than in a large organisation which, in addition to the head office, also includes branches and field sales offices. However, there is a common denominator in the form of specific information to be agreed upon at the audit preparation stage, in particular:
- define the purpose of the audit, i.e. indicate the motivations mentioned earlier,
- indicate the scope and duration (schedule) of the audit, which is of great importance for the audited organisation, since every audit to some extent disrupts the work of the staff assigned to work with the auditors,
- define the audit procedures, which include, among other things, the method of reporting to management, e.g. in the case of detecting a critical non-conformity,
- specify the audit criteria, i.e. the benchmark against which compliance is determined, e.g. compliance with internal procedures, with legal requirements (this also translates into the manner in which non-compliance is described in the audit report),
- determine audit methods, e.g. audit interviews, completion of checklists, review of documentation, samples,
- appoint the audit team, i.e. identify the lead auditor and members of the audit team on the basis of competences and the distribution of tasks and roles,
- identify the necessary resources on the part of the audited organisation, e.g. appointment of a coordinator, provision of a room, etc.,
- confirm confidentiality arrangements.
Once the planning stage is over, a team of dedicated iSecure auditors proceeds with the following activities:
- preparing the audit activities, e.g. conducting a documentation review, analysing the organisational chart, analysing the material available on the website(s), allocating tasks, developing checklists,
- conducting the actual audit activities, which include an opening meeting (introduction to the audit by presenting the plan, objective, criteria, etc.), detailed review of documentation, collection and verification of information (e.g. by identifying the source of information and audit evidence), development of audit findings (identification of non-conformities), preparation of audit conclusions (e.g. preparation of recommendations) and a closing meeting, i.e. presentation of the findings and audit conclusions,
- preparing and distributing the report.
As you can see, when planning and conducting an audit at a customer's premises, our auditors fully follow the guidelines contained in the ISO 19011 standard. The audit is conducted at the level described in the ISO 27001 standard (therefore it does not include penetration tests or verification of the correctness of IT and software configuration).
It is also important to classify each non-conformity accurately. The report you receive will use the following classification of non-conformities:
- major non-compliance - a non-conformity of critical importance, which could cause significant consequences if it materialises, e.g. major financial losses,
- medium non-compliance - a non-compliance of medium importance that could cause significant consequences in the case of its materialisation,
- minor non-compliance - a non-compliance of minor importance, not causing significant consequences for the organisation.
Benefits of an ISO 27001 compliance audit:
- possibility to proceed to certification according to the aforementioned standard,
- identification of non-conformities and their elimination,
- reduction of the risks associated with breaching the principles of confidentiality, integrity and availability of information,
- a good basis for implementing the requirements resulting from the GDPR,
- increased awareness of information security among staff.