What do auditors do, and for whom? [L O N G]
Once again, my day kicked off with a stimulating and fruitful debate on the ISO27k Forum as members responded to a request for help to find accredited Information Security Management System certification auditors who will add value to the organisation above and beyond the ISO/IEC 27001 conformity certificate.
The original poster copped some grief from the forum in appearing to seek certification auditors who would be kind on the organisation, supporting its business objectives more strongly than its conformity with the standard ... but a follow-up message clarified the position. Aris confirmed to us that he sought:
"advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just being seen as a transactional, bureaucratic overhead."
... which seems entirely appropriate and ethical to me. Nicely put!
Fuelled by two strong coffees, I've been mulling over a further response from my pal Chris Hall - an experienced and respected auditor and consultant who expressed the opinion that the role of a certification auditor is:
"... simply to assess whether the organisation conforms to the requirements of clauses 4 to 10 of ISO27001. That is all. And to report on it, pointing out where the ISMS does not conform ..."
I see things a little differently and (as usual!) more complex/nuanced in practice than Chris indicates.
I feel the primary role or duty of any auditor - not necessarily the only one, but the primary one - is to provide independent, competent and hence valuable assurance to management.
In the case of ISMS certification auditors, specifically:
- The management they serve is primarily their employer, the certification body, which in turn serves the client management, providing a commercial service.
- They also have secondary responsibilities towards their accreditation body, plus ISO/IEC and the broader commercial community that values and trusts '27001 conformity certificates for business reasons, plus assorted authorities who impose information security and privacy obligations on the client, plus the client's supply chain partners with contractual agreements in this area.
- Finally and even more diffusely, certification auditors have tertiary (subsidiary) responsibilities towards human society at large that expects information to be adequately protected and legitimately exploited, and to the auditing/assurance profession (hinting at the loose assortment of expectations we call ethics e.g. integrity and trustworthiness).
- The assurance they provide is primarily confirming conformity of the ISMS with the mandatory main-body requirements of 27001, which mostly concerns the 'management system'.
- A secondary assurance goal is to confirm that the client's information risk management approach/strategy and its execution/processes including the selection of information security controls are in line with and are suitable to support the organisation's business objectives in this regard, hence the ISMS is serving a valuable business purpose, which helps ensure its long-term success.
- Tertiary assurance goals include confirming the efficiency and effectiveness of the information security controls in protecting information, potentially including aspects such as good practices, security culture, continuous improvement, resilience and business continuity, privacy and so on, which also contribute to the long-term success of the ISMS.
ISMS internal auditors, in contrast:
- Primarily serve the organisation's senior management (potentially a higher level than the ISMS 'top management', e.g. the Audit Committee, Board of Directors and the organisation's owners).
- Serve essentially the same secondary and tertiary customers as the certification auditors.
- Are expected and authorised to gather and analyse relevant information to provide whatever assurance senior management needs in relation to the ISMS.
- One obvious focus area for assurance (generally their primary objective in this area) is to check that the ISMS is certifiable, meaning essentially the same assurance objectives as for the certification auditors.
- However, senior management may well have other interests and concerns, and so may seek other/additional assurance, taking advantage of the auditors' independence, competence, experience, expertise, analytical skills, perspective, internal relationships, access to insider information etc.
- Their brief or scope can therefore include but extend well beyond conformity with 27001, or conformity with the organisation's own suite of rules, directives, policies, or compliance with laws and regulations etc.
- Checking the effectiveness and efficiency of the information security and privacy controls would be a typical secondary assurance objective.
- Another might be confirming that management's decisions to adopt the ISO management system approach, resourcing, building and operating a conformant ISMS and seeking certification, are appropriate and support the organisation's business objectives.
- In the context of the ISMS, there are many other aspects or concerns on which management might request assurance from internal auditors, such as:
  - The governance arrangements e.g. Information Risk and Security Department's working relationships with IT, Risk Management, HR, Legal/Compliance, Operations etc.;
  - Programme management for the initial ISMS implementation and maybe further infosec-related projects;
  - 'Risk and security culture' (a very diffuse concern);
  - Relationships with other management systems and arrangements e.g. coordination, collaboration, prioritisation ...;
  - Suitability and effectiveness of strategies and policies;
  - Management reporting, metrics and all that;
  - Opinions on management's risk tolerance/appetite and risk treatment decisions, plus the way information and other risks are being identified/raised, evaluated and monitored;
  - Exploring root causes and finding creative, workable solutions for longstanding or intractable issues;
  - Conducting, overseeing, participating in or simply observing and reporting on post-incident reviews;
  - Mentoring/supporting the CISO and other information risk and security professionals;
  - Perhaps even assisting management to find and appoint appropriate certification auditors, or helping confirm/refute and respond robustly to certification audit findings, providing a competent second opinion ...
- And, yes, I am drifting through IT auditing into management/business consultancy and advice, clearly going some way beyond audit's primary assurance role. Maintaining the auditors' independence throughout can be increasingly challenging, the further this departs from formal audit and assurance work.
Aris further pointed out the human aspects to auditing, and the negative perception that audits are dry, bureaucratic processes. I agree: we are all humans, with all that entails. We are individuals with personal strengths and weaknesses, fears and aspirations, expertise, knowledge, biases and prejudices, good days and bad days, other perhaps competing priorities ... blah blah blah. The same applies to auditors and auditees, by the way, plus the managers.
Furthermore, the business situations being audited can vary markedly from rotten to best practice, hostile to welcoming, simple to complex. Things often change during the course of an audit, partly in response to the probing and challenging. If an audit is 'going well', working relationships are easier than if serious issues arise. Maintaining a professional approach throughout, despite everything, is part of the audit job.
Auditor professional training and guidance, coupled with management support/direction plus policies and procedures, is meant to keep everything in line, despite the realities of actual audit work situations and the pressures/challenges that arise in practice. An auditor's inner drivers (particularly - in my opinion - personal integrity a.k.a. true grit) are fundamental to the job but hard to determine when initially selecting/appointing them (us!). Difficult personality traits or styles can become evident in the course of work, too late to affect the original decision, on top of which a key part of auditor independence involves the willingness to speak up, maybe criticising their own management. To an extent, auditors are expected/required to be assertive, perhaps even a little abrasive without becoming aggressive.
Balancing all this is a tough job, but rewarding too. I do hope I'm not putting off any of you who might be thinking of becoming auditors. It has been a wonderful part of my career, complementing the information risk and security management parts.
PS As I review this piece, I notice the lack of IT content. IT auditors have a lot more technical work to do in the IT domain, including reviewing and evaluating cyber/system/network security controls, but as I see it, that's not really a focus for ISMS auditing.