Providing value

3. What is an audit for business maintenance and advancement?
―Effectiveness audits in practice―

Three conformity components and the mechanism that maintains them

Conformity with the ISMS standard is the prerequisite for an effective management system. What, then, does it mean to be in compliance with the standard and to deliver effective results? The figure below illustrates this.

Figure 3-1 Three conformity components and the mechanism that maintains them

  • 1. Rules are established. If rules are established but no measures are implemented, the system is noncompliant.
  • 2. Measures are implemented. If measures are implemented but no rules have been established, that is an opportunity for improvement.
  • 3. Monitoring is performed. Unless the situation is regularly monitored and reviewed, it is unknown whether rules are established and measures implemented, whatever the actual status. Without monitoring there is also no means of detecting that an implemented measure has been discontinued at some later date.
  • 4. A mechanism to maintain compliance is in place. When rules are established, measures are implemented, and the situation is regularly monitored, the system can be considered compliant with the standard, and a suitable mechanism is what keeps it so. Internal audits assess whether compliance is achieved and how, and whether a mechanism is in place to maintain it on an ongoing basis.

In short, internal audits assess whether rules are established, measures are implemented, and monitoring is performed, and whether a mechanism is in place to maintain all three.

Auditing from a perspective of effectiveness

Another important role of internal audits is to audit whether or not the objectives of introducing the management system are fulfilled on an ongoing basis—in other words, whether or not the management system is effective.

Definition of effectiveness of a management system:
The extent to which planned activities are implemented and planned results are achieved

Conversely, what does a situation look like in which the planned results are not delivered?

  • The plan is inappropriate. The plan is not designed appropriately and is therefore unable to deliver its intended objectives or goals.
  • Activities are insufficient in quantity or quality. The activities do not fully cover those planned, or sufficient time is not allocated to them.
  • Criteria for measuring the degree of accomplishment are unclear. Management indicators, quantitative targets, evaluation methods, and other measures of effectiveness are not specific.
  • Results are not effective. Little or no improvement has been made, or root causes have not been addressed.

This is not limited to management systems. If day-to-day operations or a project do not deliver the expected results, they are not effective, and the business cannot be expected to be maintained, let alone advanced.

Audits of the maintenance and advancement of business must assess whether events that threaten the security of the business (loss of confidentiality, integrity, or availability) are appropriately controlled. Unless the auditor knows what an “appropriately controlled” state looks like, auditing from the perspective of effectiveness is impossible.

Effectiveness of an ISMS

Now let us take a look at the effectiveness of an ISMS from the perspective of a process-based approach, taking the definition above clause by clause.

1. “Planned activities are...”

“Planned activities” refers to the controls selected on the basis of risk assessment results as specific measures against identified risks. At the time they are planned, the controls are therefore expected to reduce those risks once implemented, and planning should proceed with that expectation in mind.

2. “Implemented, and”

“Implemented” means that the selected controls are actually put in place as measures against the risks, within a planned and reasonable budget and schedule.

3. “Planned results are achieved.”

The purpose of a control is to reduce risk. Reducing risk means making incidents less likely to occur, or less damaging when they do. Achievement is measured using the evaluation method decided at planning time.

An organization’s ISMS and its controls can be judged effective when the achievement levels of the ISMS objectives and goals, and the number of incidents that occur, both fall within acceptable levels.

Figure 3-2 Evaluation of the effectiveness of an ISMS

Whether the controls selected (the outputs) are appropriate cannot be judged from the controls themselves. Their appropriateness is instead evaluated indirectly, by checking the inputs and the process:

  • 1. Inputs: are the risk assessment criteria and procedures logical and acceptable?
  • 2. Process: were the risk assessment performed and the controls selected in accordance with those criteria and procedures?

Any one of the three components of the process-based approach (inputs, process, and outputs) can be evaluated by checking the other two.

An effective ISMS starts with the selection of appropriate controls through risk assessment. Once the selected controls are implemented, the effectiveness of the ISMS is indicated by the achievement of its objectives and goals.

Conclusions

Because they are conducted within a limited period, internal audits cannot confirm the conformity of every information asset in every department; internal auditing therefore always involves uncertainty. To assess whether the management system is effective, the auditor checks the conformity of a sample of the organization’s information assets together with the mechanisms that are meant to ensure that conformity.

If the organization’s management system (i.e., the PDCA cycle) is operated appropriately and delivers effective results, it can be assumed that the ISMS objectives and goals have been achieved and that an unacceptable level of incidents is unlikely to occur.