In any business — especially IT — security becomes more relevant and compliance more important every day.
Often, there is no other option than to become certified, such as ISO27001:2013 or ISAE/SOC. Companies will reach out and ask for these certifications as a means of assurance of your commitment to security.
To achieve certifications, you will have to pass various security audits. These can cause stress and confusion, not just within the security team, but across the entire organization.
While preparing for audits here at Eficode, we constantly learn and improve. And in case you and your organization also aim to be certified, in this blog post we will share some of the most important learnings, both for when you prepare for the audit and for when you are in one.
Learn from others and breeze through your audits.
Let’s start with what you can do before the audit.
Preparing for the audit
As we concluded the surveillance audit for our latest ISO27001 certificate, it was the end of a year-long process of iteration and improvement. It built upon the findings of last year, and will continue into the future with this year's discussion.
In essence, preparing for an ISO27001 audit is like preparing for a magic show. You spend a year working, preparing, refining, and practicing. You have to get into the minds of your audience, considering what you expect them to ask, and how you expect them to respond.
Lesson 1: Start small and expand
There are two mentalities when it comes to selecting a scope for auditing.
The first is a wide-eyed dream of "audit everything". It's a beautiful ideal, and in a perfect world would, of course, be the best course of action. It might even be possible in a small company, though the sheer volume of documentation required for the audit would strain all but the most dedicated of small companies.
The second approach is one that deals with the realities of business. It's much easier to apply an audit to a smaller section of the business and then, in subsequent years, expand the scope to include the rest. This worked really well for us at Eficode: beginning by certifying our sites in Finland (where our headquarters are) and our online presence, before expanding the scope in subsequent years.
Like any grand change, smaller steps are easier to take than including everything in one giant leap.
Lesson 2: There is no such thing as over-preparation
The amount of work in maintaining a certification leans heavily in the preparation phase. Our estimated ratio is 40:1 in favor of preparation. For every hour spent in the audit, forty hours go into this phase of data gathering and refinement.
This means preparation is a huge amount of work that involves almost a dozen personnel, required to generate the necessary documentation and supporting evidence. So it can be disheartening when you're asked a question for which you have not prepared.
The simple truth is: when you focus on certain requirements for your certification, you will have blind spots in the periphery.
During the audit, you will certainly be asked a question you have not prepared for. It is important to understand that these questions are not end-of-the-world. Your job during the preparation is to reduce the number of questions you cannot fully answer on the day of the audit, not eliminate them completely.
These areas will become your observations for the next audit, and your auditors will look for improvements, so make sure you generate answers for the next time.
Lesson 3: Break down the security silo
Security often operates in a somewhat strange position within companies. Always running on an adjacent trajectory that intersects with main company functions at different locations. So for those not working directly with security, it can feel a bit abstract sometimes. As if the security function is somehow external, operating quietly until one of these intersectional events occurs.
Since the security functions of the company may seem a mystery to non-security personnel, the audit preparations are a golden opportunity for you to introduce these controls to people. This preparation phase is when these controls undergo scrutiny.
Opening up the knowledge to more people in different teams can take you down paths that you never considered.
These sorts of ad-hoc “security champions”, who undertake this transfer of knowledge, can then take an insider approach to security back to their own teams. They can consider what they have learned, and improve company security at the grassroots level.
And when the time comes for the audit, you have valuable team members who know intricately the workings of their own team, and have a good understanding of the audit process.
During the audit
Once you've prepared, much like our magic show, everything comes down to your performance during the events themselves. There's just one problem:
The actual audit is nothing like a magic show.
The auditors are not a typical audience. They won't stay in their seats. They want to look under the stage, peek behind all the curtains, check your locks, examine your keys, and pat down your assistant. They don't want to be amazed or surprised, and will ask you plainly how all your tricks are performed.
They are your nightmare audience, and are exceptionally good at finding flaws. Because yours is not the first show they've seen.
- They know the dark corners where others may have hidden things they wish would not come to light.
- They've seen the rough areas of the theatre that might have been overlooked.
- They bring fresh eyes to something you've been looking over for months and are exceptionally good at highlighting the blind spots you may have developed during that time of focus.
But just like with the preparation phase, we have prepared three lessons that we learned during the process in the hope they might help you too.
Lesson 4: Avoid the adversarial mindset
The term "audit" makes people nervous. And that’s not surprising: an audit exists to ensure you're doing things correctly, so by definition, the opposite is that you're getting things wrong, and the idea of getting things wrong puts people on the defensive.
The most crucial thing you can do to ensure a smooth audit is to remove this adversarial mindset. The auditors are not your enemies. True, they exist to check your work, but if that work has been done with pride and is receptive to constructive criticism, it becomes much easier to approach the auditors as equals.
Once you can view the auditors in that way, you're no longer staring across the table at a person who exists to pass judgment. Instead, you're all standing on the same side of an obstacle discussing "how can we surmount this?"
As an immediate lifehack: try to sit on the same side of the table as your auditors.
Lesson 5: Line up your best talent, and let them shine
It is possible to have one superstar security person who can answer every question for every department. But as your company grows in size, this becomes increasingly unlikely. It is important to know who can speak to the security and practices of each department.
This is much easier in a company where security is considered and applied from the very start. Security is, to these companies, like cheese is to stuffed-crust pizza. And at Eficode, we bake security right into the dough (sorry for the cheesy comparison).
The advantages of this approach are paramount:
It shifts your security manager from trying to cover all departments, to acting as a conductor for an orchestra. A person who knows which instruments need to come in, and when, even when the auditors change the sheet music or start improvising entirely.
This way, the security manager ensures that your audit flows smoothly with a procession of documentation, personnel, and demonstrations to satisfy even the most fastidious of auditors.
Lesson 6: Be prepared to rally the troops.
Time for a sad truth: You will get notifications.
Regardless of how much you prepare, you will always overlook something.
This is never the end of the world. Have your people ready to react to any comments you receive. Use the grace time you will get post-audit to affirm your dedication to security in the eyes of the auditors. Look at the notifications and exceptions you receive as a possibility to learn and develop in preparation for future audits.
Audits can go one of two ways. You can approach the auditors like an enemy, act defensively and attempt to deflect and misdirect them away from any perceived shortcomings. But then, even if you should manage to pass the audit, you've failed to use the opportunity to learn and grow.
Or you can use the audit as a chance to exhibit. To parade your skills and knowledge, show off the blood, sweat, tears and coffee that have been poured into your ISMS, and use the expert skills of the auditors to generate a to-do list of your weaknesses to shore up for next year.
Guess which approach we opted for?
Published: February 16, 2023