Over the past few years, I’ve led and been involved in many security audits on both sides of the table, which has helped me develop some insights worth sharing. Sometimes these auditing engagements are seen as something to just get through; however, a few organisations really made the most of the exercise and applied the impartial findings to gain a more accurate understanding of their real risk exposure. After all, that is the primary reason for performing these assurance activities, isn’t it? To ensure that the most relevant controls for managing the highest-rated risks are implemented within resourcing and budgetary constraints.
So, how can you ensure your organisation gets the most out of its next security audit? Here are my top 5 recommendations:
Axenic is proud to announce that all of its consultants are now certified as Information Security Management System (ISMS) Lead Auditors (ISO/IEC 27001:2013) by BSI (British Standards Institution).
In my last article I spoke at some length not just about why a Security Policy is important and what its content should be, but also about how it should be written. There is no default setting for a Security Policy. Remember, what works for one organisation probably won’t work for another.
At Axenic, we have two ISO 27001 Lead Auditors and perform a significant number of certification reviews for NZ government agencies. One of the common challenges of auditing is selecting which controls (both procedural and technical) to assess when a client has a limited timeframe or budget.
Axenic is proud to announce that we have been selected by the Department of Internal Affairs as a supplier for the all-of-government ICT Security and Related Services Panel (SRS Panel).