Clients we assist with establishing an ISMS are often surprised to hear that the Audit Trail requirement is something that should be considered prior to the actual audit. The goal of an Audit Trail is to have all of the information regarding your ISMS audit organized and ready to be presented to the auditor. In this post we cover a common mistake in preparing for an audit and a way to ensure all your hard work is organized when the audit arrives.
An Audit Trail is commonly defined as “a security-relevant chronological record, set of records, or destination and source of records that provide documentary evidence of the sequence of activities.” Simple enough, right? Basically, an Audit Trail is the path of the internal records your organization keeps regarding its activities in securing information according to a specific standard (i.e. ISO 27001).
Audit Trails are important because they provide the relevant information that an auditor needs to ensure you are complying with a specific standard. Thus, the Audit Trail tells the auditor what exactly your organization is doing to ensure compliance.
In our years of experience working with organizations seeking or maintaining certification, we have found that most of them complete all of the necessary work in documenting the information that is needed for the audit. However, these organizations often fail to manage the plethora of documents in a way that allows for easy access to the information the auditor requests. Poor management of documentation can result in a nonconformity even if the issue was addressed, because the record cannot be found.
For example, an organization may conform to software testing policies and procedures. However, the system administrator who completes the testing, say in March, may save the associated documents to a random location; then in December, the auditor requests to see the software testing documents during the audit. The system administrator, however, does not remember the location of the documents. The pressure of the audit gets to him, and he says “I guess… uh… we don’t have it!”
The common mistake we see is that organizations do all the heavy lifting in preparing the documentation that is needed, but fail to manage it in a way that allows for easy access at the time of the audit.
To address this issue, we encourage our clients to think about the audit and the documentation that will be needed as soon as the decision is made to obtain certification. There is no one “right way” to manage documents. The key is that a document management process is in place and that it fits the organizational structure, be it SharePoint, a shared drive, or other document sharing tools.
When the documentation procedure has been planned and accepted, it is important to ensure all employees are aware of the procedure and follow it. Organizations can even take it one step further and implement a specific document storage policy or procedure. The goal of this policy is to ensure that, come audit time, the documentation needed can be found with ease.
Following these simple steps will go a long way toward ensuring your organization doesn’t receive a nonconformity for hours of work that have already been completed.