“You’re going to be audited by the IRS” is not a phrase most people would want to hear – so it makes sense that the word “audit” carries some negative weight. Being “audited” is something most people would normally prefer to avoid.
In the cybersecurity compliance world, “audit” is a common phrase, and a cybersecurity compliance audit is something that most organizations willingly choose to experience every year, or even multiple times per year!
Auditors get a bad reputation, but working with an auditor to achieve a compliance framework like SOC 2 or ISO 27001 doesn’t have to be intimidating or scary.
Different compliance frameworks have different “standards” in terms of which technical controls they cover, but any framework will cover security best practices. Upon achieving compliance, your company is making a public declaration that it agrees to align with an industry-recognized set of security practices.
The essence of any compliance framework is that:
1) You or someone at your company voluntarily chose to meet that framework’s requirements with support from top management,
2) Your company has technical security controls in place to meet the requirements and supporting documentation (such as policies and procedures),
3) Your company can prove in some way, through tangible evidence, that it is meeting the framework standards and following its stated processes, and
4) Your company works to ensure it is continuously meeting the chosen framework requirements and making ongoing security improvements.
So what “really happens” when you work with an auditor to achieve compliance? Auditors keep your company honest and act as an external third party to assure your customers that your company was reviewed objectively against your chosen framework. Working with an auditor is voluntary, so unlike a tax audit, it will not be a surprise.
We regularly assist with SOC 2 and ISO 27001 audits for our clients, so we are well positioned to pull back the curtain and look at what happens behind the scenes. Cybersecurity audits vary between frameworks, but there are some general similarities and themes.
Choosing a Framework
Once you’ve decided which framework you are going to use and which parts of your business are covered by that framework (the scope), the next phase is to review your current security controls, systems and processes against the framework.
Preparing for a Cybersecurity Compliance Audit
Before embarking on a cybersecurity compliance audit, your company should take stock of its current security posture and maturity level. Which aspects of the compliance framework does your company already meet, and which ones need to change or improve? Which aspects are met but lack documentation? For a successful initial audit, this process should start at least a year in advance.
Auditor Selection and Engagement
When you are ready to schedule your cybersecurity compliance audit, it’s time to engage with an auditor. Auditors are committed to being an objective third party, but they are people, too! The auditors I observed have all been professional and courteous. Your company gets to choose which auditing firm it wants to work with.
The individual auditor or auditors assigned will vary, but your company has more agency in the auditing process than one might think. Choosing an auditing firm that is a good fit for your company will help the auditing process run smoothly. For example, an auditing firm that primarily works with large corporations is not a good fit for a small-to-medium-sized business and is likely out of budget.
The auditor will work with your team to schedule a mutually agreed upon audit timeline. Audits take place over a period of time, not just one day. For example, a typical initial SOC 2 audit takes place with several activities spread out over 2-3 months. An ISO 27001 Stage 1 audit (a.k.a. the “documentation” audit) can last a few days, and a Stage 2 audit can be a few days to a week on-site depending on the scope, number of physical locations, and the size of your company. Stage 1 and Stage 2 audits are generally scheduled a few months apart.
In the lead-up to the audit, you will begin preparing evidence for collection. “Evidence” is the content you provide the auditor to prove you are meeting the requirements of the cybersecurity framework. You will be creating and gathering documents and screenshots – this is a significant part of the pre-audit process.
The Cybersecurity Compliance Audit Itself
Evidence Collection and Review
After you have selected an auditor, the next step of the audit process is to provide evidence to prove your company meets the framework requirements. Some evidence can be submitted in advance and some will be collected during the scheduled audit in live sessions online or in-person.
Typical evidence collection with an auditor consists of sharing documentation, such as policy and procedure documents, and screenshots or live walkthroughs of configuration settings to confirm technical controls. The auditor will determine what they consider sufficient evidence to prove a control is being met. If you provide something that is insufficient to prove it, they won’t automatically penalize you for it! You will have the opportunity to provide more fitting evidence instead.
Another form of evidence gathering is through interviews with key personnel at your company. Interviews are another area that can feel unnecessarily intimidating. It’s easy to get carried away and imagine them like an interrogation scene from a movie.
However, in reality, the auditor’s role is to confirm that the people responsible for securing your business understand their duties and are following through with your company’s policies and technical processes. They aren’t out to “get you” and generally want to see your staff succeed. You should prepare your staff in advance of these interviews by making sure they are confident about the topic being covered – this will ease some of the pressure.
Random Sampling in the Cybersecurity Compliance Audit
Another myth is that auditors will go through your entire company with a fine-toothed comb. The amount of time required from your company and the auditor to cover every little thing would be very high, which makes it unrealistic in practice.
In reality, auditors use a sampling method to collect detailed evidence about selected security controls.
For example, an auditor might ask to pull up a support ticket about a recent access control change to ensure it’s in line with your documented change management process.
Strive for Excellence, Not Perfection
A surprising myth about compliance is that you have to be 100% perfect in every minute detail of every single aspect of the framework you are going for. 100% is a great goal to strive for, but not realistic. Humans run security programs, and it’s impossible to fully mitigate or predict every potential emerging threat. For controls that are incomplete or need some improvement, most frameworks require your company to accept the risk or document any mitigating controls. Some compliance frameworks allow corrections to be made mid-audit; in others, they will need to be made post-audit.
After the Cybersecurity Compliance Audit
After the cybersecurity audit is complete, the auditor will analyze the evidence provided and present a detailed report with their findings and suggested improvements. Upon passing your first audit, the initial certification or attestation is issued.
Now is the time to start showcasing your cybersecurity program to prospective customers! Proudly state your ISO 27001 or SOC 2 compliance on your website, and create a process for distributing the associated reports to customers. They contain confidential information about your security program, so a Non-Disclosure Agreement (NDA) is typically required from the receiving party.
Continued Compliance
Going forward, renewal audits are conducted to maintain compliance. Renewal time frames vary across compliance frameworks: SOC 2 attestations need to be renewed annually, and ISO 27001 certificates are renewed every 3 years.
After completing your initial cybersecurity audit, renewals are a great time to demonstrate to your customers that you are continuing to adhere to your chosen framework and committed to continuous improvement.
Subsequent Cybersecurity Compliance Audits
Subsequent audits are easier because you’ve been through it before, have already created the necessary documentation, and have copies of the evidence you used for the first one. Some of it may need to be updated, but that is much easier than generating it in the first place!
Subsequent audits will include reviewing “periodic” controls that must be completed regularly (such as change management and cybersecurity incident response exercises), correcting noncompliance issues from previous audits, covering updates such as infrastructure changes, adding new business units to your scope, and addressing any updates to the framework itself.
The ISO 27001 certification is good for three years, though you must complete annual “surveillance audits” which are less rigorous than the initial audit. Every three years, you must complete a recertification audit, which is as rigorous as the initial.
SOC 2-assessed companies can expect the same level of rigor for every subsequent audit.
Your company can choose to retain the same auditing firm for renewals, adding the advantage of working with a known entity already familiar with your company.
Audits and Auditors Need Not Be Scary
Bringing someone in to closely inspect your organization’s cybersecurity program is a daunting prospect, but you don’t need to be afraid of the auditor. They are professionals who want to do good work and see you succeed – though only a bad auditor will pass you when you don’t deserve it.
With the proper preparation, a cybersecurity compliance audit will be a relatively straightforward and positive experience – leading to better outcomes for your business.