The Power of Audit
Today we have our first ever guest blog! Stuart Barker is an ISO 27001 practitioner at High Table. He has been in information security for over 20 years. In this blog Stuart explores what ‘audit’ means particularly in the context of the ISO standards.
What is an audit
When you break it down an audit is an independent review of what you’re doing. Of course, there’s a little bit more to it than that. The ‘what’ of what you are doing is often dictated to by standards, regulations, or laws. An audit will check you against those, make sure that you meet their requirements, and everything is working as intended.
Why do you need it?
There are many reasons that you might require an audit. The most popular reason being that it is a requirement of one of the standards, regulations or laws which apply to your organisation. There is an opportunity for businesses to have an independent audit just to see whether they come up to the mark or not.
Audit Types
There are two types of audits being an internal audit which is conducted by someone within the organisation and an external audit which is an audit conducted by somebody externally to, and independent of, the organisation. External audits most often happen when being assessed formally against a standard, regulation, or law. Of course, you may have an external audit to assess whether you are ready to be formally assessed. Consider this a gap audit. How close you are to the requirements. You may find that your customers themselves impose an audit on you to check that you’re doing the right thing as part of the buying process.
What does ISO 27001 say about it?
There are many standards that include audit as part of their operation, and ISO 27001 is one of the most popular. ISO 27001 is the international standard for information security and at its heart lies the process of continual improvement. A part of continual improvement is ongoing internal audit throughout the year. ISO 27001 if taken through to certification also has an external audit by an accredited certification body. Guidance from ISO 27001 is straight forward in that we need to plan our audits, conduct our audits, and report our audits to senior management.
Rightway Compliance
The level and rigour required of an auditor again is dependent upon the standard, regulation, or law. Neil Tyson and the team are Rightway Compliance have been doing audits for a long time and are highly experienced at conducting audits in highly regulated industries. They have specialisms in the financial services, legal, gambling, charity and social housing sectors to name but a few.
Audit Templates
Over the years as an active practitioner of information security I have just created my go to templates for internal audit that I make available as part of the ISO 27001 Toolkit.
It would always be my advice to seek professional help professional guidance and professional services from a qualified auditor such as Neil and the team.
Happy auditing from Stuart Barker.
Today Stuart is making information security templates available to business to help them do certifications themselves. This fits with the Rightway Compliance model of providing services through a hybrid of face to face services and self-service guidance and templates through our Fraud Management Resource Centre.