An information security management system (ISMS) requires companies to conduct independent internal audits at regular intervals. These audits aim to verify whether the requirements of the relevant standards and the company's internal guidelines are being met, and to evaluate whether the ISMS is being effectively implemented in the company's day-to-day practice. For many companies, conducting these audits is a challenge. This is particularly the case when the independence of the internal auditor from the area to be audited cannot be ensured because the workforce is small. In such situations, and especially when the focus is on identifying and seizing opportunities for improvement, it is advisable to entrust the evaluation of the management system to an external auditor.
Auditor ≠ Auditor
In the information security industry, there is no legally protected professional title for the role of auditor. This regulatory gap allows individuals to call themselves auditors, even if their qualifications are based on a short training course that lasts only a few days. This carries the risk that the quality and depth of the audits may not meet the required standards, as theoretical knowledge from short courses is often insufficient to cope with the complex challenges of information security in practice.
A similar problem exists in the area of consultancy. There are consultants who have never had direct operational responsibility for IT security or information security in their professional careers. Nevertheless, they offer consultancy services, even though they lack practical experience. This discrepancy between theory and practice can lead to a lack of realistic, effective solutions. However, practical experience, particularly in the operational area, is essential for the evaluation and improvement of information security. Theory alone cannot fully grasp the diverse and often unpredictable challenges of the IT landscape.
The audit service providers have recently recognised this fact and therefore place clear requirements on their auditors before they are appointed and allowed to work on behalf of the certification body.
Advantages of an internal audit by an appointed auditor:
- Unquestionable compliance with the standard requirements for conducting internal audits
- High level of expertise and specialist knowledge
- Objective assessment at the level of a certification audit
- Efficient and routine procedure for conducting the audit
Continuous process: annual ISMS audit for operators of critical infrastructure
Companies and organisations that operate critical infrastructure are not only obliged to implement industry-specific security requirements, but also to establish and maintain an ISMS as the basis for comprehensive secure operation in all aspects of the critical infrastructure. This can be done, for example, by introducing and operating an ISMS based on an internationally recognised standard (e.g. ISO/IEC 27001). Regular reviews of this management system are necessary to ensure that the ISMS is effective and appropriate and meets the requirements of the standard, the industry and the legal regulations. During the annual internal audit, processes and procedures within the ISMS are checked for their effectiveness and efficiency and examined for possible weaknesses. The aim is to continuously increase the security of the critical infrastructure by identifying and eliminating risks as early as possible and providing the KRITIS operator's audit service provider with objective evidence of compliance with the requirements for the prescribed independent internal audits.