Auditing compliance with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing.
The rule says X
but you do Y
……. BASH!
It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It’s best reserved as a last resort, in my considered opinion.*
Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating, not just dragging, people, and a lot more listening and observing to understand why things are the way they are.
Sometimes there are genuine, legitimate reasons for noncompliance, for example finding better ways to do things or competing priorities. Sometimes noncompliance achieves a better outcome for the organization and other stakeholders. Actively looking for and exploring such situations turns the audit into a more positive exercise, even if it turns out that noncompliance was indeed unjustified and problematic: the investigation will often turn up root causes that deserve to be addressed, enabling us to treat the disease, not just ameliorate the symptoms.
Competent, experienced auditors appreciate the value of downgrading relatively minor findings to ‘minor non-conformance’ status, or even on occasions ‘letting things ride’ with informal comments and motivational words of encouragement to the auditees. That then makes any remaining major issues stand out, focusing everyone’s attention on the Stuff That Really Matters – matters to the organization and other stakeholders, for legitimate business reasons. It’s no longer just a matter of “The rule says X”: there are reasons why rule X exists, reasons that deserve attention. Rule X is simply a means to an end, not an end in itself.
From there, it’s but a small step towards effectiveness- and efficiency-based auditing, a more sophisticated and intelligent approach than crude compliance auditing. The idea is to identify sub-optimal activities that might usefully be adjusted to improve the outcomes, ultimately achieving business objectives and success. The approach focuses on the positives, on finding creative solutions that most benefit the organization (and, by the way, the individual auditees: more carrot = less stick!). The very premise that some activities might be ‘sub-optimal’ implies a deeper level of understanding about what ‘optimal’ actually means in that context, and a wider appreciation of good practices and alternatives. Being able to recite the rules verbatim, and carry a big stick, is no longer the mark of a good auditor!
In the ISO27k context, the information security controls recommended by ISO/IEC 27002 are intended to address specified control objectives. However, they aren't guaranteed always to achieve those objectives in any given situation, nor are those objectives necessarily relevant and sufficient. Both the control objectives and the controls are generic - general advice intended to suit most organizations. Both need to be interpreted in the specific context of a particular organization. Both may need to be supplemented, extended, modified or ignored in various circumstances. That complexity makes it too tough for straightforward compliance auditors, apparently, demonstrating a fundamental limitation of the tick-n-bash approach. That's why an ISO/IEC 27001 compliance certificate confirms the presence of a 'management system' for information risk and security, rather than a secure organization with all the appropriate information security controls in place.
ISO/IEC 27001 specifies that internal audits must be performed on the Information Security Management System but does a poor job of explaining them; in particular, it uses the word 'conforms', a synonym for 'complies', with the unfortunate implication that auditing is compliance auditing:
Taking my own medicine, I ask myself "Why? Why does the standard equate auditing with compliance auditing?" The answer lies with the experts responsible for the ISO27k standards, in their biases and prejudices about auditing ... which in turn reflects their experience of auditing ... which I presume is largely compliance auditing ... and so the loop continues.
Breaking the committee out of that vicious cycle is an objective I have thus far failed to achieve but the current round of standards revision presents another opportunity, a chance to explain, persuade and hopefully convince. Not bash, oh no.
Longer term, I'd like to push ISO27k further into the realms of assurance and accountability, and beef up its advice on governance, information risk management, business continuity, and business for that matter. The business context and objectives for information security would be fascinating to explore and elaborate further on. One day maybe. I've learnt to pick my battles though: it takes a winning strategy to succeed in war.
* PS I have the same philosophy in security awareness and training. To me, security awareness and training works best as a positive, motivational and inspirational technique. Dire warnings and penalties may be necessary to curb inappropriate behaviors and instill discipline but that's a last resort, best reserved for when other techniques have failed. Clearly, I'm no sadist.