Welcome to the SecAware blog

26 Sept 2019

NBlog Sept 26 - audit strategies

I recommend treating any audit as a negotiation process with risks and opportunities* for both parties i.e. auditees and auditors. Here's why.

In respect of ISO/IEC 27001 compliance, the certification auditors are supposed to be formally checking that an ISMS complies with the standard’s formal requirements, plus the information security requirements that the organization determines for its own purposes**. They are not supposed to conjure up additional requirements out of thin air, then complain about noncompliance. However, auditors are human and make mistakes. So auditees are fully entitled to ask auditors to identify any requirements in the standard or in their corporate requirements that they say are not being fulfilled, if necessary down to the individual clause numbers and specific words from ‘27001, their policies etc. By all means discuss the wording and intent/meaning of those requirements, as well as reviewing the evidence and details of the alleged noncompliance.

So far, that's conventional, an expected, routine part of the normal interaction between auditor and auditee. From that point, however, the process can proceed along various paths. 

The auditee could take a very hard line, focusing myopically and deliberately on strict compliance with the explicit requirements of the standard, being really tough on the auditors about that … but beware, as the auditors can take just as hard a line in response, perhaps even pointing out additional minor noncompliance issues that they might otherwise have ignored. Bringing out the big compliance sticks is a viable but risky strategy. It can be tricky to back down once either party starts down this path. It tends to make the relationship between auditors and auditees highly adversarial and tough-nosed, each party treating the other as the enemy to be beaten. It’s stressful for all concerned, adding to the usual stresses of audits and certification. [Speaking as a former/reformed auditor, this may be a sign of either a naïve/scared or, paradoxically, a highly experienced/assertive auditee. Identifying and responding proactively to the situation as it develops is part of the auditor’s social skill set, which varies with the auditor’s experience level plus their own personality. If things escalate, it draws in management on both sides, so each party really needs their management behind them. It’s also something that experienced auditors will have dealt with many times (stress and challenge is very much part of the job), hence they tend to be well-practiced at it and on the front foot, whereas auditees tend to be less well prepared and on the back foot.]

Alternatively, the auditee could make more of an effort to understand and deal with the issues the auditor claims to have found, setting aside the pure compliance aspects (at least for now). Discuss and negotiate with the auditors, aiming towards finding mutually acceptable solutions. Be “reasonable” about things (whatever that means!). Consider the business implications of what the auditors are saying; in particular, consider whether they might just have put their finger on genuine information risks that the organization probably ought to address in some way. Focus on addressing those risks and reaching agreement on suitable responses, rather than on compliance. Make and seek little concessions, respond positively and home in on a resolution that both moves the business forward and leads to certification. Work with the auditors, each party treating the other as collaborators or colleagues with shared objectives. At the end of the day, either party can still reach for the big compliance stick if the negotiation stalls and the other party becomes stubborn, but that’s best left as a last-resort option since it can lead to the same souring of the relationship. [This is generally a less stressful, less risky approach provided both parties are willing to play the game and move things forward. It helps if both parties have negotiation skills, or can get support from their managers/colleagues who do. It may take longer, though, which can be an issue if there are deadlines such as other audits or business demands. And there is inevitably some formality around this that needs to be respected: the auditors must meet their own obligations or risk losing their accreditation.]

But wait, there’s more.

The audit report, in particular the precise phrasing and wording of any adverse findings/noncompliance statements, is potentially another opportunity to clash or collaborate. Although the auditors own their report and have the final say (part of their formal independence), the auditee should have opportunities to review and discuss/respond to drafts, if appropriate challenging and ‘insisting’ that the details are factually correct. In general, the issue comes down to the facts and hence the audit evidence, which should be non-negotiable if the auditor has done a good job. The way those facts are documented, explained and interpreted is where the discussion tends to revolve. Again, both parties have their objectives/requirements, and it’s best if they negotiate a mutually satisfactory outcome and move ahead. Both parties being clear about priorities and overall objectives helps immensely.

And one last thing.

The relationship between auditor and auditee generally extends beyond an individual audit since audits are periodic. As well as the stage 1 and 2 certification audits, there are surveillance and re-certification audits to look forward to. So, the way the audit itself goes, the manner in which issues are raised, discussed and addressed, and the way audit findings and reports are resolved, is all part of the background for, and hence to some extent affects, future audits. Auditors who personally experienced or have been briefed about an intensely adversarial auditee in a previous audit are likely to anticipate a similar strategy and more aggravation on the next audit. Audit management might even consciously pre-select tough auditors who are strong in that situation for future audits, and likewise auditees might choose hard-nosed compliance specialists and negotiators to front-up their team, escalating matters. This can be the sting in the tail for auditors and auditees who have taken an unreasonably hard line in the past: it takes effort on both sides to turn things around and re-focus on more productive matters (namely the organization’s management of its information risks and security in support of business objectives), rather than the audit/certification process itself. 


* Experienced negotiators appreciate the game-playing aspect to the typical negotiation process. Clued-up players enter the arena well-prepared, with goals and bottom-lines clarified and various game-playing strategies not just in mind but ideally refined through previous events. Each game plays out within the rules (mostly!), the players attacking and defending, trying various approaches, each pushing towards their own goals and exploiting weaknesses in the other, while gradually establishing and reaching agreement on neutral ground (hopefully!). At the end, the players depart with yet more experience under their belts, ready for another encounter. Every negotiation is a rehearsal for the next. Same thing with audits.

** ISO/IEC 27006:2015 says:

  • "Certification procedures shall focus on establishing that a client’s ISMS meets the requirements specified in ISO/IEC 27001 and the policies and objectives of the client." (clause;
  • "The audit objectives shall include the determination of the effectiveness of the management system to ensure that the client, based on the risk assessment, has implemented applicable controls and achieved the established information security objectives." (clause;
  • "In addition to evaluating the effective implementation of the ISMS, the objectives of stage 2 are to confirm that the client adheres to its own policies, objectives and procedures." (clause ...
... and more. Auditees who are unclear about this, want to develop a sound, proactive strategy in preparation for their audits, or find themselves heading into a battle royale with the auditors, can study ‘27006 and ISO/IEC 17021-1:2015 (Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements) for additional insight into the certification audit objectives, process and constraints.
