What are the most common audit findings in ISO/IEC 27001 audits? DNV Lead Auditor and trainer Rob Jansen has analyzed audit data from benchmarking tool Lumina and gives you his views and tips for improving these issues.
About ISO/IEC 27001
ISO/IEC 27001 focuses primarily on the information security management system, protecting the availability, integrity and confidentiality of information and information processing systems within an organization. In this article, you will read about the top 5 findings in ISO/IEC 27001 audits. These figures are based on data from ISO/IEC 27001 audits conducted by DNV Business Assurance in the Benelux in 2022.
1: Internal audits
According to Rob, the requirements for the process of internal auditing are quite robust. Therefore, it is not surprising that it is difficult (especially for small organizations) to meet these requirements. According to ISO/IEC 27001, every organization must have a multi-year risk-based audit program, but how do you ensure that the multi-year audit program is risk-based? And how do you ensure that all criteria are assessed? "In practice, organizations still sometimes find it difficult to have the multi-year audit program evolve with business developments over time. Organizations cannot always show an updated multi-year audit program. To properly prepare each audit, clear audit planning is essential. The scope and criteria should be clearly visible for each audit. In addition, a report must be made of each audit."
The audit program is supposed to be dynamic, Rob says. "Some departments or processes will need more attention at one audit time than at other audit times. In addition, each audit should take into account the findings of previous audits, and each audit should be independent and objective. To achieve a good internal audit, it is important that all internal auditors are generally at the same level in terms of knowledge and skills. Therefore, make sure that the internal auditors are trained in the same way; this way the (basic) knowledge is the same and the way of auditing is unambiguous."
2: Privacy and protection of personally identifiable information
This is where the General Data Protection Regulation (GDPR, known in the Netherlands as the AVG) comes in, the privacy law that applies throughout the European Union. Rob indicates that, within the requirements of the GDPR, organizations often struggle to secure the technical privacy aspects of business processes and systems, and remaining compliant proves challenging. Privacy also needs to be considered when developing and outsourcing business processes. For example, you must ensure that privacy is also guaranteed in contracts with critical suppliers.
3: Monitoring and evaluation of supplier services
Rob elaborates, "Critical suppliers must be assessed, monitored, evaluated and audited according to ISO/IEC 27001. This is important because suppliers are, so to speak, an extension of your organization and thus have an impact on ensuring information security and privacy. When a supplier processes personal data of your customers, there must be a processing agreement. This should contain agreements on, for example, how and for how long the data may be stored. The processing agreement should be included in the contract, or as an appendix to the contract." Rob mentions that it is also important to have insight into the chain behind the critical suppliers.
"You assess a supplier before you enter into a partnership: does this organization meet the requirements we have for a supplier? Then you can assess the supplier annually for performance. Monitor the operational performance of the supplier at a set frequency, for example by requesting a Service Level Report. Together with the suppliers, evaluate 'how did we think things were going?' and determine whether audits are performed on the suppliers."
4: Risk assessment
"ISO/IEC 27001 has many more risk assessment requirements than, say, ISO 9001. The more requirements, the greater the chances of something not going quite right. Organizations must establish a risk assessment process and conduct it at least annually. In addition, organizations are expected to conduct a risk assessment whenever there has been a major change within the organization." Rob sees that, in practice, organizations still sometimes forget this.
"Organizations find risk ownership and demonstrating measures difficult. For example, organizations cannot always show all current treatment plans during the audit. It is important to keep the consistency and structure of issues clear and to maintain this throughout the development of your management system."
The standard says measures should be taken to address risks. "In-house measures taken should be compared with the mandated Annex A 'measures'. That way you can be sure you are not forgetting anything."
DNV's ISO/IEC 27001 standards knowledge training addresses risk assessment. With practical exercises, it looks at issues (4.1), interested parties (4.2), how these issues can lead to opportunities and risks (6.1), and how these risks can be managed, or the opportunities understood (chapter 8).
5: Access management
"ISO/IEC 27001 has several requirements regarding logical access management. Granting rights within organizations and systems actually always goes well. Revoking or changing rights, on the other hand, is still sometimes forgotten."
The standard says access rights should be checked regularly, but what is regular? Rob says this is up to the organization; it has to fit the dynamics of the business operations. "It is advisable for the person in charge of ICT to have a schedule for this, so that the checking is done at a set frequency and nothing is forgotten."
Want to get started with analytics or benchmarks yourself?
DNV collects data from thousands of management system audits conducted by DNV worldwide. This data is stored anonymously in Lumina, a database of more than 2.3 million audit findings. Through the free client portal you can compare your organization to other organizations in the same industry.
Then contact DNV directly.