What Is A Security Audit?

Author: Colin Robbins

Implementing effective cyber security involves a lot more than just applying the latest technology. You need to enact appropriate supporting policies and processes and ensure your staff are effectively trained to follow them. These factors taken together are what is referred to as a Security Management System.

To instill confidence that your Security Management System is working as intended and providing the protection the business requires, a security audit can be performed. A security audit is a structured approach to assessing the security measures that a company has in place, using a set of defined criteria. Typically, the criteria will be a security framework such as ISO 27001, NIST Cyber Security Framework, Cyber Essentials or a technology specific standard such as EIDAS (ETSI EN 319 411).

During the audit, the auditor will look to identify the policy and/or processes that have been defined, then seek evidence that the policy/process is being followed. When looking for evidence, the auditor will typically use a sampling approach: rather than look at every record to assert compliance, they will look at a randomly chosen sample.

Types of Security Audits

Security audits may be carried out through first, second or third parties.

A first party audit, often referred to as an internal audit, is where a member of your own staff, usually a CISO or equivalent, looks at the controls you have in place and provides recommendations. These audits should be as comprehensive as possible, as first party audits are a great tool for finding areas in which your business can improve.

A second party audit is where your company audits a key supplier (or a key customer/partner audits you). These typically occur when you are looking to enter into business with someone and information security is a priority. One of the parties involved may audit the other to ensure that their Security Management System is operating at the desired standards.

A third party audit is where a fully independent organisation audits you against a set of criteria, such as ISO 27001. These audits are typically undertaken to achieve accreditation in the desired standard and have the benefit of being completely free from any of the conflicts of interest that may arise from the other two types of audit.

But who audits the auditors?

Typically, third-party auditors will themselves be audited to assert compliance to ISO 19011 – the international standard for auditing!

How can Nexor help?

If you are interested in a security audit for your business, but are unsure of the best way of going about it, we provide the following relevant services:

  1. A gap assessment (lightweight audit), which is a one-off exercise to assess an organisation against a benchmark or specified standard and then provide advice and guidance on the changes that your business needs to make.

  2. A pre-audit health check to verify your security processes and procedures are up to the required standard. This will highlight any potential issues prior to the formal audit and greatly improve your chances of receiving your desired accreditation. We can perform a health check against the following standards: ISO 27001, Cyber Essentials, 10 Steps to Cyber Security, Cyber Assessment Framework and BS 10754.

  3. We can also arrange a formal third party audit via our business partners.

About the author

Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).