Implementing good cyber security involves more than just deploying technology.
You need appropriate supporting policies/processes and well-trained staff to follow them.
This typically all comes together in what is referred to as a Security Management System.
To be confident that the security in place is working well and providing the protection the business requires, an audit can be performed. An audit is a structured approach to assessing the security measures a company has in place, using a set of defined criteria. Typically, the criteria will be a security framework such as ISO 27001, the NIST Cybersecurity Framework or Cyber Essentials, or a technology-specific standard such as eIDAS (ETSI EN 319 411).
During the audit, the auditor will look to identify the policies and/or processes that have been defined, then seek evidence that each policy or process is being followed. When looking for evidence, the auditor will typically use a sampling approach: rather than examining every record to assert compliance, they will look at a randomly chosen sample.
Types of Audit
Audits may be carried out by a first, second or third party.
A first-party audit, often referred to as an internal audit, is where a member of your own staff examines the controls and provides recommendations.
A second-party audit is where your company audits a key supplier (or a key customer/partner audits you).
A third-party audit is where a fully independent organisation audits you against a set of criteria, such as ISO 27001.
But who audits the auditors?
Typically, third-party auditors will themselves be audited to demonstrate compliance with ISO 19011 – the international standard for auditing!
How can Nexor help?
We provide the following relevant services:
- Advice and guidance on conforming to a specified standard such as ISO 27001, by performing a gap assessment (a lightweight audit);
- A pre-audit health check to verify you are in a good place prior to an audit;
- Arranging a formal third-party audit via our business partners.
Author Bio - Colin Robbins
Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and an NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange and Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.