Risky Business

Tips and tricks for securing information
Auditing- what is it?

By Bridget Kenyon, on 31 July 2017

Brace yourself: we are heading into the Unknown Land of Terror and Tedium. Yes, the domain of the Auditor!


Seriously, though, it isn’t as scary, or as boring, as that. Having carried out audits for two different security standards (ISO/IEC 27001 and PCI DSS), I have visited that Land, and am able to unveil its mysteries to you. I’ve also been audited, so have seen both sides of the process.

First, dismiss any thought of auditing being uniform across all standards. Auditors are trained very differently depending upon what they are auditing against. For example, payment card audits are very technical, while 27001 audits can be carried out by non-technical (but trained and experienced) people.

It’s auditing, so there must be a list…

Having said that, there are significant similarities between the audits I have been involved in. As this is about audit, there needs to be a list:

  • You have to audit against something, a fixed point of comparison. This is usually a standard. You can audit against policy, too.
  • Audits tend to have predefined possible outcomes: e.g. pass or fail.
  • Audits also produce “non-conformities” or “findings”, each relating to a part of the document you are auditing against.
  • Audits look for evidence of compliance; positives, not negatives. A good auditor is looking for reasons to give their client a pass.
  • Hard evidence is key to the whole thing. There is a saying: if it’s worth doing, it’s worth documenting. But proof doesn’t have to be documentation. Some standards can be satisfied by everyone demonstrably doing the same thing.
  • Auditors usually test part of the environment to be audited, not the whole thing. So even if you pass an audit, that’s not bullet-proof.
  • There are two different types of audit: internal and external.
  • External auditors are from a company specialising in audit, which is usually “accredited” to prove that it provides a good quality of audit.
  • Internal auditors are often internal to your company, but can be from another company. They do not have to be accredited, as their findings are private to the company being audited.
  • Internal audits usually look at part of the standard to be audited against, not the whole thing. More of a spot check than a full review.
  • If you are an external auditor from an accredited auditing company, and the company you audit passes the audit, it can say that it is “certified”. Not “accredited”!
  • You can be asked to audit part of an environment, not the whole thing. This can get really messy if it isn’t clearly agreed and documented.
  • Auditors tend to think of EVERYTHING as a process.

To sum up

I hope that this has given you a little peek inside the world of auditing, and that it wasn’t as tedious or unsettling as you expected!
