Over on the ISO27k Forum, a member told us about having passed an ISO/IEC 27001 certification surveillance audit with a minor noncompliance. The auditor reported that the firewall's firmware had not been updated since a year ago despite the availability of a more recent update. The auditor was concerned that this left the network exposed to malware such as Wannacry.
While not disputing the facts, reading between the lines, the auditee was clearly disappointed that this had been raised because the information risk does not seem significant, given that the organization has other effective controls in this area. A negative audit finding, even something as trivial as a minor nonconformance, can be hard to accept if you genuinely believe you are doing a great job. There may not be fireworks but it's a challenge, for sure, a knock to one's integrity and credibility.
Leaving aside the certification aspects for a moment, if it were me in that situation I’d be inclined to ask why the firewall firmware was not updated. Was or is there a good reason for NOT doing the update, for not addressing the information risks?
- Did the organization not even know there was a firmware update? If not, that points to a possible lack of communication/coordination with vendors (possibly on other platforms too) or something else.
- Did the organization know about the update but ignored it? Why? Was there some higher priority, or a lack of resources, a lack of policy or a broken process, or what?
- Did this ‘fall between the cracks’, for instance if there are several people or teams involved, each of whom thought it was someone else’s problem (hinting at a governance issue)?
- Did the organization know about the update, assessed it and the associated information risks (which, by the way, arise from both doing and not doing the update, as well as how and when to do it) and chose not to go ahead with it for a genuine business reason (e.g. the update does not address the risk)? If so, is there evidence of the assessment and risk acceptance decision, properly authorized by management? If that wasn't properly recorded/documented, maybe the process wasn't being followed correctly or maybe it needs to emphasize retaining such evidence in future.
- Did someone misunderstand or incorrectly assess the risk? What actual or potential consequences might that have caused? How serious is it? Does something need to be fixed here?
- Is the organization in fact planning to do the update at some point? That begs the classic audit response: “OK then, show me the plans and the resources allocated”!
It would presumably be possible simply to update the firmware and close off the specific issue … but asking lots of questions in and around the area can help determine the real, underlying reasons for this little incident, and presents an opportunity to improve/mature your ISMS, which is of course A Good Thing. Taken in the right spirit, incidents (including audit comments) and near-misses are learning opportunities.
As an inherently optimistic former (reformed) IT-focused internal auditor, I heartily recommend taking nonconformances and other comments or concerns as prompts to at least openly consider and ideally make improvements. Try looking at things from the auditor’s perspective, responding positively to the audit and going a little out of your way to move things along in the right direction … unless you honestly feel the auditor is mistaken or misguided or whatever. That does happen (e.g. with naïve/inexperienced auditors, perhaps a junior obsessed with the Wannacry incident, and “jobsworth” tick-n-bash auditors who are only concerned about the tiny strip of the world they see through their blinkers) but it is unusual: be wary of going down that line, and be prepared to provide hard evidence to back up your assertions for what might turn out to be a full and frank discussion with the auditors.
In my experience, issues like this are more to do with the organization’s evolving relationship with the auditors and appreciation of the audit rôle than with the actual findings. Also, in my experience, there are lots of little issues of this nature in every organization: auditors are spoilt for choice! Usually, auditors are aware of other stuff too but, for various reasons, choose to ignore them (this time around) and focus instead on a few specific issues that they feel are either significant in their own right, or are potentially valuable learning/improvement opportunities, ways to force the organization to bring deeper issues to the surface and deal with them. There’s quite an art to evaluating the findings and preparing audit reports which may not be obvious if you have never been an auditor and only see the end product. The decisions about whether the issue is reportable and if so how to report it (e.g. a major or minor nonconformance, a formal observation and maybe a recommendation, an off-the-record comment/suggestion, or merely a subtle hint in passing) are quite complex and subjective in practice.
The auditor's risks, liabilities and professional obligations are a particular concern, especially with formal external audits such as certification audits. If for whatever reason something was spotted but not reported, and it subsequently turned out to be a significant issue (e.g. if a serious malware infection or hacking incident had subsequently occurred in this case, materially harming the organization), the auditors could face some difficult questions, conceivably even legal action. They have get-out-of-jail-free cards to play concerning various theoretical and practical constraints on the audit work and their contract or terms of engagement, but still it's an awkward position to defend.
By the way, it’s an excellent idea to build friendly professional relationships and chat to the auditors informally if you get the chance, preferably throughout the assignment. Most don’t bite and like to be consulted. Ask to see the evidence, check their understanding and risk assessment, and find out what particular aspects caught their attention. Talk through your options. Try hard to remain open-minded - suspend your disbelief and get over being affronted that they found something. Maybe they are indeed wrong ... but you might just find they are on to something (not necessarily what they think or state is the issue!), or there might be other/better ways to respond.