In the last month or so my views on auditing related to ISO 27001 have changed a lot. I am pretty new at conducting audits. I have faced audits in the past when I was a Network Administrator and as a Security Administrator, however it's only now that I am conducting audits for the HR, Administration and IT departments.
I have never done an audit with a view of finding flaws just for the sake of it. Checklists have never impressed me either. If I find flaws I make sure there is a solution that I can provide, or at least look around and find a solution. The final objective is to improve and move to the next level. Recently the people I work with have changed my view to approach audits more from a process point of view: how can I improve the process or tweak it so that any non-conformance is detected as early as possible and acted upon without having an external auditor point it out?
I am already seeing that this is more effective. Not only does it need the extra effort of understanding the entire process from start to end, but when you look at it with security in mind, you automatically end up finding things that used to get overlooked earlier.
The next step, I have been told, is to tie risks to process weaknesses. Does the risk justify a change in a process, or will the cost of changing the process outweigh the actual risk you are trying to mitigate?
I love it when I get to learn new things at work. Hopefully I will capture some examples later on, specifically showing the improvements of process- and risk-driven audits.