Internal auditors for an ISMS tend to be very precise, driven by their strong commitment to ensuring conformity to ISMS standards. Ensuring conformity to the standards through internal auditing is of course essential, but in order to identify risks that have not yet been recognized, we must take one step further and shift the focus of the internal audit from "conformity" to "effectiveness."
1.1. Standards vs. Facts
In ISMS internal auditing, auditors check whether the organizations being audited conduct their daily operations effectively and in conformity with information security standards and in-house rules.
However, auditors often cannot decide whether their findings imply conformity or nonconformity to the standards, because they:
It is true that the purpose of auditing is to decide, based on the findings, whether the audited organizations meet the audit criteria. However, if auditors cannot establish the facts, or do not correctly understand the purpose behind the audit criteria, they will be unable to point out the issues that need correcting in a way that achieves the true goal of the audit.
1.2. Understanding the Essentials
An auditor might decide, based on the findings, that the audited organization does not meet the criteria, and demand corrective action by saying, "This fact implies nonconformity to this criterion. Please make corrections."
In this case, however, the audited organization tends to resolve the problem without really recognizing what its essential cause(s) were. As a result, similar issues arise again and again, and the auditor is forced to repeatedly point out the same issues to the organization.
For example, an organization's failure to keep necessary records might be due to a lack of recording procedures, unclear roles, or a lack of the education needed to make employees aware of the importance of keeping records.
Both the auditor and the audited organization should recognize the primary causes of the problem so that the necessary corrections are made.
As implementation of the ISMS progresses and the relevant rules are applied to manage information assets more appropriately, the number of visible or easily detected problems identified in audits gradually decreases as more audits are performed and the audited organizations implement the necessary countermeasures. The result is that auditors become too fussy, reporting on any issue they can find.
What are essential causes of the following findings:
Auditors cannot help but become overly precise if they focus only on "conformity" in the audit. Does a decrease in the number of issues pointed out in the audit really mean that the information security level of the audited organization has improved?
1.3. Questions Raised by the Management Team
For information security, the return on investment is not easy to calculate, since substantial cost goes into personnel expenses for developing internal auditors and for conducting risk assessments, internal audits and management reviews.
It is therefore natural for a management team to have questions about information security in their company, including questions about the effectiveness of information security management. Specifically, the following questions may be raised.
The cost effectiveness of information security is not easily demonstrated.
1.4. Shift of Focus from "Conformity" to "Effectiveness"
Assuming that the acceptable risk level is fixed, the number of nonconformity issues identified in the internal audit will decrease over time, and conformity-related risks will no longer exceed the acceptable level; the internal auditors, however, will only become more precise. On the other hand, if the risk countermeasures are left as they are and not updated in response to changes in the environment, risks will increase and approach the acceptable limit, making it impossible to ensure that management remains appropriate. To ensure that the countermeasures keep risk at an acceptable level, the focus must shift from "conformity" to "effectiveness."
The following figure illustrates the shift of focus from "conformity" to "effectiveness."
With ineffective internal auditing, invisible risks are overlooked and no measures are taken until those risks cause actual incidents.
1.5. Importance of the Findings
Auditors may not understand the business operations of the departments they audit. It is desirable for each auditor to examine the business operations of the audited department and to draw up an audit plan that focuses on the department's key operations and the security of the related information assets.
In reality, however, auditors tend to perform audits hurriedly so as not to interfere with business operations, and the audits end up superficial, with details never fully examined.
The audited departments, however, deepen their understanding of internal audits through repeated executions of the PDCA cycle* for the ISMS, and will no longer be satisfied with superficial audits or superficial identification of problems. If it is not clear why issues are being pointed out, to what extent corrections are needed, or whether cost effectiveness needs to be considered, departments may come to feel that auditors are merely disturbing their business operations with ineffective and inappropriate auditing.
Auditors who do not understand the actual business operations of the audited organizations tend to treat all findings as equally important; auditors who understand the characteristics of the organizations they audit, however, can discern differences in the importance of the findings.