Audits and Risk Assessments – more than just box ticking…
However long it takes you to get all your policies, procedures, and documentation into shape, your first objective will be to tick boxes. However, you definitely shouldn’t stop there.
Being Put Under the Microscope
For 17 years, Krescendo has delivered very important services for large financial organisations. Approximately 7 years ago, we were suddenly put under the microscope by one of our largest clients as they overhauled their entire approach to IT risk management (ITRM). No stone was left unturned as they carefully scrutinised every aspect of our organisation.
- ☑ Application
- ☑ Asset Management
- ☑ Backup
- ☑ Business Continuity
- ☑ Change Control
- ☑ Cloud Technology
- ☑ Communications
- ☑ Connectivity
- ☑ Customer Contact
- ☑ Data Integrity
- ☑ Disaster Recovery
- ☑ Encryption
- ☑ Incident Response
- ☑ Instant Messaging
- ☑ Logical Access Control
- ☑ Media & Vital Records
- ☑ Offsite Storage
- ☑ Operations
- ☑ Organization Security
- ☑ Physical & Environmental
- ☑ Privacy
- ☑ Regulatory Compliance
- ☑ Risk Management
- ☑ Security Policy
- ☑ Standard Builds
- ☑ System Development
- ☑ Third Party Relationship
- ☑ Vulnerability Monitoring
- ☑ Website
Performing All the Correct Steps is Not Enough
Although we were doing everything correctly, it was a very difficult exercise for us. We had always met every specified requirement, and we could provide positive responses to every question/control they put to us, but it was difficult to show that we were doing everything correctly.
We had policies and procedures. But in several cases they were accepted practice, held in people's heads rather than formally documented. Or, where they were written down, they were scattered across several different places with potentially out-of-date versions.
Due diligence just wasn't enough; we needed to become much more organised. It took us a while for the realisation to sink in, because the natural response to audits is one of defence. It's very hard not to take criticism personally.
This was a huge eye-opener for Krescendo; however, after a challenging 18 months the result was worth it. The result was all the boxes ticked by virtue of us having well-defined and well-organised policies and procedures. Our company and staff policies were published and shared with clients, and our procedures were mapped to our policies via a well-organised Wiki. Of course, the job wasn't complete without also defining an internal review schedule and providing a way of documenting historical evidence that reviews had been conducted.
A Positive Experience
In the end we were actually thankful to the client for putting us under the microscope, even though it was a gruelling experience. Not long after closing out 50+ risks, our other clients were auditing us in a similar fashion.
Standards
At this point Krescendo could have just stopped there because we were confident that we had everything in place to respond to whatever our clients asked of us. However, the realisation that due diligence and box ticking just isn’t enough gave us the motivation to explore industry recognised standards.
In 2012 we decided to complete and publish the CSA STAR Self-Assessment. We continue to publish this on an annual basis. Although Krescendo are not really a cloud service provider, this self-assessment was a very good primer for embarking on the ISO27001 certification journey.
Now confident with our client-specific audits, and confident that we had good responses to industry recognised questions/controls, we were “ready” for ISO27001 certification.
Because of all our hard work, becoming ISO27001 certified was fairly straightforward. We have now been certified for 5 years. For the first 2 years it can feel like just another box-ticking exercise as you get used to the standard and the terminology. However, for the final year of the first cycle and the re-certification beyond, there is definitely an expectation that you're doing more than just ticking boxes and are demonstrating continuous improvement.
Start of an Ongoing Process
Continuous improvement and going beyond box ticking should happen naturally when you're in a good position. In many ways, maintaining a good and scalable information security management system (ISMS) should be treated no differently from delivering a client-facing application.
We also had one "unfair" advantage: LiveDataset is an ideal tool for building our custom business processes. So of course we built our own ISMS in LiveDataset.
In IT, few things are ever "done", and this applies to all organisations that work in the IT sector. When it comes to information security, the bar continues to rise as the number of threats continues to rise. If you're pragmatic and proactive, your ISMS will evolve over time to achieve the best level of security possible, and "just" ticking boxes should become a thing of the past!