Auditing compliance or confomity with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing.
The rule says X
but you do Y
……. BASH!
It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It’s best reserved as a last resort, in my considered opinion.*
Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating not just dragging people, and a lot more listening and observing to understand why things are the way they are.
Sometimes there are genuine, legitimate reasons for noncompliance, like for example finding better ways to do things or competing priorities. Sometimes noncompliance achieves a better outcome for the organization and other stakeholders. Actively looking for and exploring such situations turns the audit into a more positive exercise, even if it turns out that noncompliance was indeed unjustified and problematic: the investigation will often turn up root causes that deserve to be addressed, enabling us to treat the disease, not just ameliorate the symptoms.
Competent, experienced auditors appreciate the value of downgrading relatively minor findings to ‘minor non-conformance’ status, or even on occasions ‘letting things ride’ with informal comments and motivational words of encouragement to the auditees. That then makes any remaining major issues stand out, focusing everyone’s attention on the Stuff That Really Matters – matters to the organization and other stakeholders, for legitimate business reasons. It’s no longer just a matter of “The rule says X”: there are reasons why rule X exists, reasons that deserve attention. Rule X is simply a means to an end, not an end in itself.**
From there, it’s but a small step towards effectiveness and efficiency-based auditing, a more sophisticated and intelligent approach than crude compliance auditing. The idea is to identify sub-optimal activities that might usefully be adjusted to improve the outcomes, ultimately achieving business objectives and success. The approach focuses on the positives, on finding creative solutions that most benefit the organization (and, by the way, the individual auditees: more carrot = less stick!). The very premise that some activities might be ‘sub-optimal’ implies a deeper level of understanding about what ‘optimal’ actually means in that context, and a wider appreciation of good practices and alternatives. Being able to recite the rules verbatim, and carry a big stick, is no longer the mark of a good auditor!
In the ISO27k context, the information security controls recommended by ISO/IEC 27002 are intended to address specified control objectives. However, they aren't guaranteed always to achieve those objectives in any given situation, nor are those objectives necessarily relevant and sufficient. Both the control objectives and the controls are generic - general advice intended to suit most organizations. Both need to be interpreted in the specific context of a particular organization. Both may need to be supplemented, extended modified or ignored in various circumstances. That complexity makes it too tough for straightforward compliance auditors, apparently, demonstrating a fundamental limitation of the tick-n-bash approach. That's why an ISO/IEC 27001 certificate confirms the presence of a conformant management system for information risk and security, rather than a secure organization with all the appropriate information security controls in place, fully operational, working exactly as needed.
ISO/IEC 27001 specifies that internal audits must be performed on the Information Security Management System but does a poor job of explaining them, in particular implying that auditing is compliance auditing:
Taking my own medicine, I ask myself "Why? Why does the standard equate auditing with compliance auditing?" The answer lies with the experts responsible for the ISO27k standards, in their biases and prejudices about auditing ... which in turn reflects their experience of auditing ... which I presume is largely compliance auditing ... and so the loop continues.
Breaking the committee out of that vicious cycle is an objective I have thus far failed to achieve but the current round of standards revision presents another opportunity, a chance to explain, persuade and hopefully convince. Not bash, oh no.
Longer term, I'd like to push ISO27k further into the realms of assurance and accountability, and beef-up its advice on governance, information risk management, business continuity, and business for that matter. The business context and objectives for information security would be fascinating to explore and elaborate further on. One day maybe. I've learnt to pick my battles though: it takes a winning strategy to succeed in war.
* PS I have the same philosophy in security awareness and training. To me, security awareness and training works best as a positive, motivational and inspirational technique. Dire warnings and penalties may be necessary to curb inappropriate behaviors and instill discipline but that's a last resort, best reserved for when other techniques have failed. Clearly, I'm no sadist.
** When upholding the rule becomes more important than achieving the intended outcome, that is - I think - a form of surrogation.
