insecurity matters

Sep 14, 2020, 131 tweets

ISO27001 audit in real-time....
1) opening meeting

Introductions

Blah blah blah

Auditor w/ domain experience

Key person unavailable (not a problem - business continuity)

Changes since Covid-19?

Emergency test of home-working for all staff: no major issues

Acquired another company

Sharepoint migration

Integration of previous acquisition

2) asset management

Review policy

Responsibility for mobile phones

Hardware inventory

Is Excel adequate? You must have assets everywhere 😳

This is workstations and laptops

Review last starter / joiner

Review leaver process - ticketed 👍

Returned equipment re-imaged and securely stored

Secure disposal policy

Searching for record of disposal

How do you ensure WEEE if you give old kit to staff 🤷‍♂️

Last WEEE certificate?

Need to maintain inventory of disposed equipment - WEEE certified

Opportunity for improvement

Information classification policy

USB controls

Tea time 🍵

Who actually does this 🤷‍♂️

Who can provide traceability for all their equipment through lifecycle 🤷‍♂️

Who still maintains equipment inventory in Excel? What else do you use?

3) access control

Access control policy

New starters process (again)

New starter form -> ticketed

Another worksheet

Includes apps and networks 👍

Review ticket

How are creds communicated?

Password policy

Enforced via GPO

Can we look at GPO?

Outsourced to MSP

Let’s review local policy

Local policy doesn’t match GPO 😳

Attempt to change password against policy fails 👍

Regular review of access rights

Process for non-AD accounts

Not IT responsibility -> application owner/admin

Control of domain admins

Logging and MFA

Review of domain admins

Generic MSP acct being replaced with named individuals

Leavers form

Compare w AD

Disabled 😅

Break for lunch 😋

This audit is better than most - the auditor has some knowledge of IT 😬

NB. We didn’t review network assets or cloud services!
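Added example, not from the thread: a PowerShell script that pulls the evidence behind the access control checks above (leavers form vs AD, domain admin membership, password policy as enforced vs as reported) directly from Active Directory, so the answers do not depend on the MSP. It assumes the RSAT ActiveDirectory module and read access to the domain, a constructed `leavers.csv` export of the leavers form with `SamAccountName` and `LeaveDate` (ISO 8601) columns, and illustrative 90/365-day thresholds; the generic-account name pattern is a guess to tune to your own naming standard.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread). Assumptions: RSAT ActiveDirectory module,
# read access to the domain, leavers.csv = constructed export of the leavers form
# (columns SamAccountName,LeaveDate in ISO 8601); thresholds are illustrative.
param(
    [string]$LeaversCsv        = '.\leavers.csv',
    [int]$StaleLogonDays       = 90,
    [int]$MaxPasswordAgeDays   = 365
)
Import-Module ActiveDirectory

# 1) Leavers form vs AD: every leaver should be disabled, with no logon after the leave date
#    and (stricter than the audit asked) no lingering group memberships
$leaverFindings = foreach ($row in Import-Csv $LeaversCsv) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'" `
                    -Properties Enabled, LastLogonDate, MemberOf
    if (-not $u) {
        [pscustomobject]@{ Account = $row.SamAccountName; Status = 'NOT IN AD'; LastLogon = $null }
        continue
    }
    $status = if ($u.Enabled) { 'STILL ENABLED' }
              elseif ($u.LastLogonDate -and $u.LastLogonDate -gt [datetime]$row.LeaveDate) { 'LOGON AFTER LEAVE DATE' }
              elseif ($u.MemberOf.Count -gt 0) { 'DISABLED BUT STILL IN GROUPS' }
              else { 'OK' }
    [pscustomobject]@{ Account = $u.SamAccountName; Status = $status; LastLogon = $u.LastLogonDate }
}

# 2) Privileged groups: named individuals only. Flag stale logons, old passwords and
#    anything that looks generic or shared (the name pattern is an assumption).
$privileged = foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet, Description |
        ForEach-Object {
            $flags = @()
            if ($_.SamAccountName -match '^(msp|svc|admin|shared|support)') { $flags += 'generic-name?' }
            if (-not $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-$StaleLogonDays)) { $flags += 'stale-logon' }
            if (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) { $flags += 'old-password' }
            [pscustomobject]@{ Group = $group; Account = $_.SamAccountName; Enabled = $_.Enabled
                               LastLogon = $_.LastLogonDate; Flags = ($flags -join ',') }
        }
}

# 3) Password policy: what the domain enforces vs what a workstation reports
#    (the audit found the local view did not match the GPO)
$domainPolicy = Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled, LockoutThreshold
$fineGrained  = Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
$localView    = net accounts     # run on a domain-joined workstation; compare with $domainPolicy
# gpresult /r on the same host confirms which GPOs actually applied

'== Leavers not cleanly offboarded =='; $leaverFindings | Where-Object Status -ne 'OK' | Format-Table -AutoSize
'== Privileged accounts with flags =='; $privileged | Where-Object Flags | Format-Table -AutoSize
'== Domain password policy =='; $domainPolicy | Format-List
'== Fine-grained password policies =='; $fineGrained | Format-Table -AutoSize
'== Local view (net accounts) =='; $localView
```

Run it from a domain-joined admin workstation before the auditor asks; the leavers and privileged-account tables are the two artefacts the access control session sampled by hand, and the password policy comparison is the mismatch the auditor stumbled on.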

4) operations security

Provide overview of infrastructure

(I won’t go into detail)

Various technologies for management and monitoring

Vulnerability management

MSP

Reporting

Patch management reports?

Defer to MSP

Outsourced SOC

Review of network monitor dashboard

Lots of false positives

Behavioral monitoring and tuning

SOC is 24x7 but we’re 9x5

Reviewing antivirus tools

Checking client version (slightly out of date)

Still in support, no critical updates

Back to patch mgmt

Security updates immediately
Feature updates monthly

Capacity monitoring (RMM)

Backup processes

Evidence?

Segue - home working
Physical controls 🤷‍♂️

MFA enabled for users

Endpoint monitoring

Application version control biggest issue

Restrict local admin rights

Application whitelist (RMM)

Back to backups...

Dashboard report acceptable 🤨

No question of validating backups via restore 🤷‍♂️

Clock synchronisation

NTP.... telephones 🤷‍♂️

(I’d focus on cctv)

Password GPO revisited

One opportunity for improvement

5) supplier management

Please provide overview

Cross-functional approach ->
Commercial and Operational

Eg contractual and service management

How do we track all this?
List of suppliers?

Another worksheet (Microsoft rules!)

A balanced scorecard

Based on commercials, tickets, sla, training...

Who manages access controls for suppliers?

And compliance / onboarding?

Reviewing contracts, etc

Onboarding worksheet ->
Financials
Services
Certifications

Do we ask for SOA for 27001 certs?

Due diligence is mainly commercial

Tiered categories for security assurance based on risk

6) closing

No significant issues; one opportunity for improvement

Recommendation for continued certification 👍

7) post-facto

Controls per group:
Assets management (10)
Access control (14)
Operations security (14)
Supplier relationships (5)

One hour for each only scratches the surface

This was a six-monthly surveillance audit. The certification cycle is three years.

Certification and renewal covers all controls and management framework

But there is limited time and limited knowledge, so can only be sampled

You really have to rely on your internal audit process to identify issues

It’s easy to be compliant AND insecure 😟

If you depend on MSPs, make sure they’re doing what you expect of them. Make sure you clarify your expectations.

To rely on the MSP to demonstrate how they do, e.g., patch mgmt means you probably aren’t managing them adequately

How do you know they are doing backups

How do you know they are patching systems?

How do you know who has access to what?

How do you know if they’re monitoring the network?

Who they gonna call out of hours?

How do you know they configured systems securely?

What firewall rules are enabled?

And why 🤷‍♂️
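Added example, not from the thread: a PowerShell script run on one managed Windows host to answer the closing questions (is it patched, is its clock synced, who has local admin, which firewall rules are enabled and on what ports) from the host itself rather than from an MSP dashboard, covering the same ground as the operations security walk-through above. Backup restore testing is tool-specific and left out. It assumes an elevated session on Windows 10 / Server 2016 or later; `$MaxPatchAgeDays` and `$ExpectedNtpSource` are illustrative policy values, not anything from the audit.

```powershell
# Added example (not from the thread): per-host operations-security evidence.
# Assumptions: elevated PowerShell on Windows 10 / Server 2016+; the two
# parameters below are illustrative policy values.
param(
    [int]$MaxPatchAgeDays      = 30,
    [string]$ExpectedNtpSource = 'dc01.corp.example'   # assumed: the DC the time GPO points clients at
)
$report = [ordered]@{ Host = $env:COMPUTERNAME; Collected = Get-Date }

# 1) Patching: last successful install from the Windows Update Agent history
#    (Get-HotFix misses many updates; the WUA history does not), plus pending reboot
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$installs = if ($total -gt 0) {
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 }   # 1 = Installation, 2 = Succeeded
}
$last = $installs | Sort-Object Date -Descending | Select-Object -First 1
$report.LastSuccessfulUpdate = $last.Date
$report.LastUpdateTitle      = $last.Title
$report.PatchingStale        = (-not $last) -or ($last.Date -lt (Get-Date).AddDays(-$MaxPatchAgeDays))
$report.RebootPending        = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

# 2) Clock synchronisation: the source w32time is actually using, and whether the
#    clock is free-running (which makes log and CCTV timestamps unreliable)
$source = (w32tm /query /source) -join ''
$report.NtpSource        = $source.Trim()
$report.ClockFreeRunning = $source -match 'Local CMOS Clock|Free-running System Clock'
$report.NtpSourceMatches = $source -like "$ExpectedNtpSource*"
$report.LastSync         = (w32tm /query /status | Where-Object { $_ -match 'Last Successful Sync Time' }) -replace '^[^:]*:\s*', ''

# 3) Local admin rights: members of the local Administrators group. Named users here
#    need a recorded justification. (Orphaned SIDs can make this cmdlet error on some
#    hosts; -ErrorAction Continue keeps the rest of the report.)
$report.LocalAdmins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Continue |
    ForEach-Object { "$($_.Name) [$($_.ObjectClass)/$($_.PrincipalSource)]" }) -join '; '

# 4) Firewall: which profiles are on, and every enabled inbound allow rule with the
#    ports it opens. Each entry is a "why?" for whoever configured the host.
$report.FirewallProfiles  = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
$report.InboundAllowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        "$($_.DisplayName) [$($pf.Protocol) $($pf.LocalPort)]"
    }

[pscustomobject]$report | Format-List
```

Run it across a sample of endpoints and servers via your RMM and diff the results against what the MSP's patch and monitoring reports claim; a host whose last successful update predates the MSP's "fully patched" report, or whose clock source is the local CMOS clock, is exactly the gap a one-hour surveillance audit will not find.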
