The role of internal ISMS on-site audits

In today's increasingly digitalized world, where remote working and virtual meetings have become the norm, it may be tempting to move internal audits to the digital realm. But while some official audits, such as TISAX® AL2 assessments, can and may be successfully conducted remotely, there are valid reasons why internal audits should preferably take place on-site. In this article, I will discuss the importance of on-site audits and explain why they are essential to the integrity and effectiveness of the audit process.

Comprehensive assessment of physical security controls

One of the main reasons for conducting internal audits on-site is the ability to thoroughly review physical security controls. Remote audits can capture documentation and digital systems, but they cannot adequately assess the real implementation of security measures. An on-site audit allows the auditor to personally review important points:

• Access control systems

• Security of server rooms and sensitive areas

• Correct implementation of monitoring systems

• Compliance with clean desk policies

• Proper disposal of confidential documents

These aspects are crucial to the overall security of an organization and can only be reliably assessed through a personal inspection.

Assessment of structural conditions

Every building and site has unique structural characteristics that can affect safety and compliance. An on-site audit also allows the auditor to directly assess structural conditions:

• Adequacy of fire protection measures

• Security of windows and doors

• Presence and functionality of alarm systems

These aspects can easily be overlooked or misjudged in a remote audit, which can lead to security gaps and risks.

Recording site-specific aspects

Each site has its own unique characteristics and challenges that can only be fully understood through an on-site inspection. These often include:

• Local environmental factors affecting safety

• Specific workflows and practices

• Interaction between different departments

• Cultural aspects that can influence security practices

Only an on-site audit enables the auditor to take these nuanced aspects into account and make tailored recommendations.

Conformity with certification standards

Many certification bodies attach great importance to internal audits being carried out on-site. There are several reasons for this:

• It ensures a thorough review of all relevant aspects

• It demonstrates the organization's commitment to security and compliance

• It better prepares the organization for external audits

By conducting internal audits on-site, you ensure that your organization meets the expectations of most certification bodies and is well prepared for future external audits. Especially if the official audit is only conducted remotely, the auditors pay special attention to ensuring that at least the internal audits have taken place on-site. An often overlooked aspect is the risk that arises when internal audits are conducted exclusively remotely. Let's take a TISAX® assessment at AL2 level as an example:

• The AL2 exam itself can be done remotely

• However, if the internal audits were also conducted remotely, this means that no auditor checked the physical conditions on site

• This may lead to doubts about the reliability of the audit results, especially with regard to physical security aspects

By conducting internal audits on site, you minimize the risk that your security measures will be questioned later.

Improving communication and understanding

An often underestimated benefit of on-site audits is the improved communication between auditors and employees. Personal interactions enable:

• Clearer explanations of processes and procedures

• Immediate clarification of misunderstandings

• Building trust between auditor and auditee

• Opportunity for employees to directly express concerns or suggestions for improvement

This personal component can lead to more accurate audit results and more effective improvement measures.

In a nutshell

While remote audits have their place in certain situations, it is clear that on-site internal audits offer numerous benefits. They allow for a more comprehensive assessment of security controls, take into account structural and site-specific aspects, and minimize risks during subsequent audits. In addition, they meet the expectations of certification bodies and improve communication between all parties. As an auditee, you should therefore insist that internal audits are conducted on-site. This may involve more effort initially, but will pay off in the long term with more robust security measures, better preparation for external audits, and a deeper understanding of your organizational strengths and weaknesses. By prioritizing on-site audits, you not only demonstrate your commitment to security and compliance, but you also invest in the long-term integrity and resilience of your organization. In a world where security threats are constantly increasing, this is an investment that more than pays off.