March 6, 2024

Tips to Prepare for a Cyber Security Audit

By Liz Knight, Head of Cyber Security | Hands-on global security & technology specialist, Theta

If you’ve decided to align with a cyber security framework, at some point in time, you’ll likely complete an audit with a third-party auditor to demonstrate compliance. A third-party audit is a requirement to achieve ISO 27001 certification and a really good way to track how you are progressing with frameworks like the NIST Cyber Security Framework.

Even if you aren’t planning on validating your cyber security maturity through a third-party auditor, knowing what artefacts and processes you should have in place will help with your compliance progress.

Gather your team

Being the key person responsible for the audit process doesn’t mean you need to know everything! There will be people in your business who have more knowledge than you about the processes and configurations in place that protect your systems. You may also need to pull in your Service Provider(s), suppliers and partners to assist.

Some key personnel that I find useful to join me during an audit include:

  • Service Delivery Manager – your Service Delivery team will be able to provide insights and information to the auditor on support documentation, support processes, onboarding & offboarding, disaster recovery, incident management, asset management and supplier relationships.
  • People & Culture (HR) representative – having someone to assist with details around screening, disciplinary processes, employment contracts and onboarding & offboarding processes is useful.
  • SecOps Engineer – they can provide information around access & authentication, identity management, data classification, threat intelligence, privileged rights management, logging & monitoring and physical security.
  • Cloud/Operations Engineer – an IT engineer can share information about configuration management, device management, application management, patching, capacity management, backups, web filtering and architecture.
  • Networking Engineer – how your network is secured is an important part of your security. Having a Network Engineer on hand to discuss segregation of networks and network security will be useful.
  • Development Lead – if relevant, demonstrating the tools and processes your development team has in place to design and build secure solutions will be helpful.
  • Legal Counsel – with the ever-increasing focus on supply chain management, our Legal Counsel is increasingly involved in assessing and managing our supply chain. They can also provide insight into data protection, processing, and privacy.
  • Executive Team – it’s likely that your Executive Team will be interviewed to ensure they’re committed to a culture of security and are driving that culture across the business. Engagement from your CEO and CISO will be especially important throughout the audit process, particularly around governance and risk management.

Take control of your controls

Each cyber security framework has a set of controls you will be assessed against during an audit or assessment. Controls are measures that help reduce risk and improve security. Choosing the correct framework for your business needs is an important first step, and you can read more about the different cyber security framework options here.

To prepare for a third-party security audit, you’ll likely confirm the audit scope with your auditor, as you may have controls specific to your industry or organisation that need to be assessed.

If you aren’t sure, or are looking for a more generic approach, I recommend referencing the controls list for ISO 27001 or the NIST Cyber Security Framework, as they offer a comprehensive set of controls that should help prepare you for most audit requirements regardless of industry.

Tracking your readiness

Many tools are available online to help you track your governance, risk and compliance (GRC) requirements. For organisations just starting out and looking for something to help step through the basics (often the case for SMBs), we recommend Onwardly, which enables you to assign and track tasks to start securing your business. It also provides some policy templates to get you started.

At the bare minimum, to get your head around what you need to prepare for, you can start with a spreadsheet listing all the controls so you can identify whether each is applicable to your business, then assign owners and track your readiness and the location of any relevant evidence (person, process, document or system).
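The spreadsheet described above can be modelled as a small control register and checked automatically. The following is an added example, not code from the original post or from Theta: it parses a register with the columns the paragraph names (applicability, owner, readiness status, evidence type and location), reports readiness per domain, and flags the rows an auditor would query. The sample rows and control IDs are constructed for illustration (loosely modelled on ISO 27001 Annex A numbering) and should be replaced with your framework's actual control list.

```python
"""Control readiness register (added example, not the original post's code).

One row per control, as in the spreadsheet the post describes: applicable?,
owner, status, evidence type and evidence location. The helpers summarise
readiness per domain and flag applicable controls with missing owner or
evidence. Control IDs and rows below are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample register; replace with your framework's real control list.
SAMPLE_REGISTER = """\
control_id,domain,description,applicable,owner,status,evidence_type,evidence_location
A.5.1,Organisational,Information security policy,yes,CISO,ready,document,Policies/InfoSec-Policy.pdf
A.5.19,Organisational,Supplier relationships,yes,Legal Counsel,in_progress,document,
A.6.1,People,Screening,yes,People & Culture,ready,process,HR onboarding SOP
A.7.4,Physical,Physical security monitoring,no,,not_applicable,,Remote-only business
A.8.2,Technological,Privileged access rights,yes,,ready,system,PAM console walk-through
A.8.7,Technological,Protection against malware,yes,SecOps Engineer,not_started,,
A.8.13,Technological,Information backup,yes,Cloud Engineer,ready,report,Backup job report 2024-02
"""

VALID_STATUSES = {"ready", "in_progress", "not_started", "not_applicable"}


def parse_register(text):
    """Parse the CSV register into dict rows; reject statuses outside the agreed set."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["status"] not in VALID_STATUSES:
            raise ValueError(f"{row['control_id']}: unknown status {row['status']!r}")
        row["applicable"] = row["applicable"].strip().lower() == "yes"
    return rows


def readiness_by_domain(rows):
    """Return {domain: (ready_count, applicable_count)}; non-applicable rows are skipped."""
    tally = defaultdict(lambda: [0, 0])
    for row in rows:
        if not row["applicable"]:
            continue
        tally[row["domain"]][1] += 1
        if row["status"] == "ready":
            tally[row["domain"]][0] += 1
    return {domain: tuple(counts) for domain, counts in tally.items()}


def audit_gaps(rows):
    """Flag applicable controls an auditor would query: no owner, no evidence
    location, or marked ready without a recorded evidence type."""
    gaps = []
    for row in rows:
        if not row["applicable"]:
            continue
        problems = []
        if not row["owner"]:
            problems.append("no owner")
        if not row["evidence_location"]:
            problems.append("no evidence location")
        if row["status"] == "ready" and not row["evidence_type"]:
            problems.append("ready but no evidence type")
        if problems:
            gaps.append((row["control_id"], problems))
    return gaps


def overall_readiness(rows):
    """Percentage of applicable controls in the 'ready' state, rounded to one decimal."""
    applicable = [r for r in rows if r["applicable"]]
    if not applicable:
        return 0.0
    ready = sum(1 for r in applicable if r["status"] == "ready")
    return round(100.0 * ready / len(applicable), 1)


if __name__ == "__main__":
    register = parse_register(SAMPLE_REGISTER)
    for domain, (ready, total) in sorted(readiness_by_domain(register).items()):
        print(f"{domain:15} {ready}/{total} ready")
    print(f"Overall: {overall_readiness(register)}% of applicable controls ready")
    for control_id, problems in audit_gaps(register):
        print(f"GAP {control_id}: {', '.join(problems)}")
```

Two design points carry over to a real register: controls marked not applicable still need a recorded justification (here kept in the evidence location column, as for the physical security row), because auditors ask why a control was excluded; and "ready" is only meaningful once an evidence type and location exist, so the gap check treats a ready control without evidence as unfinished rather than trusting the status.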

Show your auditor the evidence

Your auditor will want to view documents, artefacts and evidence to demonstrate how you comply with each control. Depending on the control, evidence may be in the form of a system walk-through, a Standard Operating Procedure (SOP) document, a policy document or a report showing confirmation of a status.

It’s difficult to enable configurations and controls in an organisation if you don’t have a policy in place; as a result, policies are a big part of demonstrating your cyber security maturity. Many policies are useful; at a minimum, you will need to have the following documentation in place and approved by your Board or Senior Leadership team before your audit:

  • Acceptable Use Policy
  • Business Continuity Plan
  • Code of Conduct
  • Critical Systems and Risk Assessment
  • Data Retention Policy
  • Ethics Policy
  • Health and Safety Policy
  • Incident Management Policy and Plan
  • Information Security Policy
  • Privacy Policy
  • Probity Policy
  • Whistleblower Policy

There are additional policies and documentation that you might find useful to have in place depending on your business and your audit requirements, including the following:

  • Access Control Policy
  • Asset Management Policy
  • Cryptographic Policy
  • Data Protection Policy
  • Data Processing Policy
  • Device Management Policy
  • Environmental, Social and Governance Policy
  • Information or Cyber Security Management System Policy
  • Supplier Code of Conduct
  • Secure Development Policy
  • Third Party Processor Policy
  • Threat Detection and Prevention Policy

Knowing where to start with all these policies can be overwhelming – we can help with this.

We have experience working with customers to develop the policies required to meet their compliance needs while ensuring these policies align with company culture and language.

Get in touch if you need assistance maturing your cyber security, building policies and templates for tracking readiness, defining your cyber security roadmap or completing a third-party audit against a cyber security framework.
