ISO 27001, the international standard that outlines the requirements for an effective information security management system (ISMS), requires internal audits at planned intervals to determine whether the controls are working as intended. Incident response plans should likewise be tested on a regular schedule to ensure that they function properly.
An internal auditor is responsible for conducting an assessment of the ISMS under the direction of board members, who determine the strategy and policies. The internal auditor reports their findings to the board, continually monitoring the ISMS to help senior managers determine whether the information security objectives are aligned with the organization’s business objectives. The board members respond to key findings throughout the internal assessment.
Once the board members establish the initial ISMS objectives, the risk assessor will help steer the program to better align it with business objectives.
Internal and lead auditors must be qualified and knowledgeable about the standards for information security (ISO 27001), business continuity (ISO 22301), and service management (ISO 20000).
Senior management establishes the blueprint for an effective internal review
Some might say that cybersecurity is merely a matter for IT. But data security is actually an all-encompassing business matter that lends itself not only to prevention but also to mitigation. Since not all data breaches can be prevented, the purpose of an internal audit is to achieve cyber resilience by identifying and alleviating risk, while maintaining business continuity in the event of a security breach.
The board will create a blueprint of the internal audit strategy, which should comprise these six steps:
- Include cybersecurity in board-level discussions: establish your cybersecurity risk committee or ensure the topic is covered at every board meeting to keep members engaged. Ensure that all directors are educated and articulating cybersecurity risk in terms of the business functions they manage.
- Consider cyber risk management organization-wide: map risk from the outset of all business initiatives, from corporate strategy to business development. Think about emerging cyber threats and risks associated with new digital business initiatives.
- Prioritize risk: consider your access to resources and prioritize your risk assets – what’s most valuable and what’s most vulnerable? Ensure quality control over policies and practices so that all data assets receive the appropriate protection.
- Implement cybersecurity awareness, education, and training programs: no matter what kind of technology you use for information security, your ISMS program won’t work without investing in enterprise-wide cybersecurity awareness, education, and training programs.
- Assess third-party relationships: review relationships with third-party data processors for cybersecurity vulnerabilities. Remember that each group that processes the personal data in your possession is accountable, although the data controller usually accepts full liability. Instruct IT to establish a secure information security protocol earlier in the development of business relationships.
- Incident response policies and procedures: the board review must make best-practice incident response mandatory. This should be organization-wide and continually evolving. The board should evaluate ISMS performance at least annually, but for larger organizations, it could be monthly or quarterly.
There are numerous steps in between, but these are the major milestones to move your project along. Don’t know where to start? With more than 400 successful certifications, IT Governance offers consulting services with deep technical expertise to fulfill your business objectives. Your organization will receive the documentation needed to support your ISMS business case and secure buy-in from board members. Our straightforward approach will provide you with the necessary tools to take ownership of your ISMS and ensure the data you process is secured.
Take advantage of our November Special. Book the November 14-16, 2017 – ISO 27001 Lead Implementer Live Online Course and get the November 13th Foundation course free (valued at $688.00). Simply enter promo code ISO17NOV to get your free ISO 27001 Foundation course.