Acsour
The final stage of the emotional response to changes is acceptance. Full acceptance of the essence of what is happening for us was the undergoing of a certification audit according to the ISO 27001 standard and obtaining the coveted certificate.
When preparing for an audit, first of all, look into the formal details of the auditor’s visit to the office. This is necessary for the process to be as effective and painless as possible.
Usually, the month of the audit is discussed in advance, during the approval of the contract with the certifying authority. Closer to the date of the audit, the certifying authority will most likely offer a choice of date ranges for the visit and you will need to link these to the schedule of key employees who will participate in the audit. If you are certifying several sites in different cities, carefully consider the logistics and coordinate them with the audit team.
This point may be useful from the point of view of business security. Of course, monitoring the independence of the audit team is, first of all, the task of the certifying body. However, mistakes happen to everyone, and therefore it is a good practice to check the biography of potential auditors at least on LinkedIn.
For example, we found out that one of the auditors was a current employee of a direct competitor of ours. Fortunately, this was discovered before the start of the inspection and everything went well, as he was excluded from the team. But the potential risks to the business in this situation would be significant.
This is necessary to understand which employees and departments will be involved in the audit, and on which days of the audit their involvement will be needed.
Usually, the plan specifies the schedule of each day of the inspection by the hour, indicating which parts of the information security management system and which services will be checked at a particular time.
When you know the approximate schedule of the audit team’s visit, you will be able to plan your colleagues’ time. As a rule, auditors want to hold meetings with the executive management of the company, with the information security department (obviously) and with persons who are responsible for the functioning of the areas subject to certification.
For example, in our certification area, 5 main services were declared and the auditor interviewed the heads of each of the departments responsible for providing these services. It is important to provide a replacement for heads of departments for interview (in case of illness, a business trip, a vacation, etc.).
This point seems complicated, but it’s really not that bad. All employees should be involved in the information security management system in one way or another and should comply with the rules established by the company’s relevant policies. However, the level of responsibility of employees for information security depends on the position and the specifics of their work. We have implemented this as follows: all employees, depending on their positions, can have one or more roles in the field of information security. Each role has its own requirements for the employee, but absolutely all employees of the company have the basic role of “User”. It is necessary to focus training and the subsequent oversight of knowledge on this role.
To oversee the knowledge of employees, we use testing. There are many systems of this kind on the market, but we used the functionality built into the corporate portal. In our experience, auditors actually check the results of testing and can ask employees questions from the tests.
By this point, a general training event for all employees should already have been conducted (so that they know for what purpose and why changes in processes are occurring in the company). However, special attention should be paid to those colleagues who will be directly involved in the audit. It is worth warning them that nothing criminal will happen during the audit – they just have to tell the audit team about their daily work, and if necessary, answer specific questions.
Remember that the audit will begin even before the certifying body’s team is in your meeting room. The entrance to the business centre is the first “line of defence”. Here, auditors assess how seriously the physical security of offices is secured. If you are renting office premises, then auditors will probably want to look at contracts with lessors for the division of the parties’ responsibilities in relation to physical security. And if the reality differs from what is written in the contract, problems may arise. In some cases, it is necessary to work separately with the security service of the business centre.
For example, our auditor noticed that in the contract with the business centre there was a clause that each visitor would be issued a pass, but he was not given any pass at the entrance to the business centre. To which we replied that the contract does not mention a pass being “handed over” – consequently, the pass had been issued, but not handed over.
If the certification perimeter includes data centres, make sure to issue special passes for auditors in advance. In addition, we advise discussing the forthcoming visit with the contact persons from the data centres and specifying which employees will answer the auditors’ questions about the physical security of the data centres.
TECHNICAL PREPARATION
Technical preparation for the audit is one of the most important and difficult points. Before the first audit, our IT team had to rack their brains. Let us start with physical security.
Of course, most of the physical security will be assigned to the security service of the business centre: access to the building, security and fire alarm systems, video surveillance, etc. Well, on our part, it was necessary to conduct an “inspection” of measures to ensure physical security in offices:
Next, let us talk about standardization – one of the most important steps towards quick modernization and the simplicity of subsequent maintenance. This approach has saved a lot of time in preparation. For example, we upgraded the OS (operating systems) on users’ working computers. Despite the cost of the process, this update was necessary to encrypt computer disks, as well as to optimize our services, hardware, and policies for a specific OS.
Of course, in matters of encryption, there are pitfalls: if the workstations have classic HDD disks (not SSD or M2), then working on such a computer becomes a torment. Therefore, it was also necessary to modernize part of the office hardware. The second difficulty was that hard disk drives on computers began to “live” significantly less. Then the third nuance is that there is a need to enter the bitlocker password when downloading. At that time, we had not yet managed to set up network unlock, and TPM was not everywhere; it is senseless to enable work with TPM without network unlock from the point of view of information security.
As mentioned above, we have transferred the main server capacities to a special data processing centre. We had a small equipped server room, but, in most cases, one’s “own” server rooms lose out in terms of physical security to specialized platforms.
We should note that the choice of data processing centres for Co-Location is quite large: moreover, there are data processing centres on the market that are certified according to ISO 27001. In our case, we chose a data processing centre that is not officially certified according to ISO27001 or TIER III, but that at the same time has all the necessary technical solutions and competent specialists. Some of the risks associated with the main data processing centre were covered by the backup data processing centre. As a result, two “simpler” data processing centres cost less than a data processing centre with all certificates.
Working with server hardware has become a separate chapter of the certification epic. We had to seriously update the OS on the servers, which required considerable time resources from the team, since many of the services run on open-source software. Yes, we also use Microsoft services, but certification has stimulated the transfer of all possible services to open-source software. Thus, we began to actively implement the “infrastructure as code” approach. One of the significant benefits that we felt was saving space owing to the refusal to back up a number of services.
The main proof of anything in an audit is a record, in the broad sense of the word. From a technical point of view, these are a variety of logs. In preparation for the audit, we spent a great deal of time working with logs using the ELK log recording system. This system has become a kind of “sheet anchor”, which eliminates the need to collect logs manually. This is because, thanks to ELK, employees of the IT department save a huge amount of time when investigating incidents. Additionally, thanks to the system, the issue of backup logs is solved.
This is only the main work in terms of technical preparation. However, we press forward and move on to Day X – to an audit of the company’s information security management system (ISMS).
HOW AN AUDIT IS CONDUCTED
The main document that the controller studies as part of the certification audit is the Statement of Applicability (SoA). It should specify 114 controls from the ISO 27001 standard, whether or not they apply to the company and the means by which these controls are implemented. In fact, this document is a reflection of many months of work on the implementation of this standard.
As a rule, at the front of each SoA item there should be a link to a document (policy) that describes how a particular control is implemented within the company. The auditor checks that everything written in the SoA is true.
To do this, he or she looks at:
Compliance with your own policies should be confirmed by the appropriate “records” – documents, logs, requests in the ticket system, etc. – in other words, in any way that allows you to prove to the auditor that a particular action occurred at a certain time, as indicated in the documents.
If you refer to or mention a third-party standard in internal policies, it should be attached to the policies (i.e., an official copy has to be purchased). Thus, at the first stage, the auditor works with documents, and at the second, it goes to the sites.
The second stage, it seems to us, is the most insidious, but also the most interesting. Paradoxically, the internal team that was involved in preparing for the audit still had a lot of positive emotions. What is the reason for this? That is probably a topic for a separate article.
At the second stage, there is a “physical” verification of offices and data processing centres (everything that is stated in the certification perimeter).
When preparing for the auditor’s visit to the data processing centre, first it is necessary to agree with the data processing centre to have a person designated to meet with the auditor. Moreover, such employee should have a high level of training and knowledge about the operation of data processing centres. Auditors will be comprehensively interested in the security of the data processing centre: air conditioning systems, communication channels, power supply systems, generators, physical access, etc.
As part of the inspection at all sites, the auditor usually records the following in the report:
This is evidence that the auditor found during the audit of compliance with the standard.
This is something that companies should avoid in every possible way – a nonconformity that endangers the effectiveness of the entire ISMS. For such a nonconformity, corrective action should always be taken. The certificate cannot be issued until a major nonconformity has been closed. Therefore, another auditor’s visit will be required to check the closure of the nonconformity in question. As a rule, the company is given 90 days to do this. It should also be remembered that an additional visit of the auditor will be paid for separately.
Minor nonconformities do not pose a big problem for the company: based on the results of the audit, it will be enough to fill in a form in which you will describe how and in what terms you plan to eliminate the nonconformity. Their presence does not prevent the certificate from being issued. However, if they are not eliminated before the next audit, they will become major nonconformities.
These are elements of the management system (usually affecting its performance) that may prevent the company from meeting the requirements of the standard in the foreseeable future. They are not instances of nonconformity, but they require the company’s attention. As far as possible, it is better to eliminate them.
These are opportunities that the auditor was able to identify during the audit for the development of the company’s ISMS. They are pieces of advice from the series “how to make the system work even better”.
Here, the auditor notes elements of your ISMS that are “best practices”, that is, are particularly effective. It is possible to say that this is open praise for what you really did especially well.
As a result of the audit, you will receive a report with a detailed description of all the above-mentioned points identified, which should be used in preparation for the next audit.
HOW TO LIVE ON AFTERWARDS?
When you finally receive the long-awaited certificate, do not relax: it is necessary to confirm compliance with the standard annually. From now on, the audit will become a regular item in the company’s budget.
Consequently, the main task of a company that has received the certificate is to maintain the information security management system in working order and to accumulate records confirming the functioning of controls from the SoA.
But there is also good news: a full audit takes place every three years. During the two years following the certification audit, less significant checks are carried out, namely inspection audits. They differ in the scope of the inspection: during an inspection audit, the controls from the SoA are checked selectively, and the auditor may not visit all sites. In other words, these visits are usually faster and easier.
CONCLUSION
Certification according to the ISO 27001 standard is a useful event both for the functioning of the business itself and for the satisfaction of its clients. Despite the fact that the amount of time and financial costs seem huge, these are the investments that pay off in a difficult time from the point of view of information security. We hope that our series of articles will help everyone who has embarked on the exciting path to obtaining a certificate.
