ISO 27001 audits can be intimidating, especially if it’s the first time that your ISMS (information security management system) has been audited.
So how can you make sure you’re doing everything that you should? This blog helps you settle your nerves, providing essential advice and examples to ensure your audit is successful.
Reports that will impress your auditors
Being able to produce a set of accurate, concise and updated reports is sure to impress even the most critical of auditors.
Your auditor will pay particular attention to the information security risks you’ve identified during your risk assessment, and the controls that have been applied to treat, tolerate, transfer or terminate these risks.
The auditor will also want to see that your SoA (Statement of Applicability) is clear about your justification for the Annex A controls you’ve included and excluded.
Let’s take a look at some of the important reports you should produce based on your risk assessment findings. Some of them are mandatory; others will help you gain valuable audit brownie points.
1. The Statement of Applicability
A mandatory report for the audit, the SoA ensures the proper management and control of an ISMS.
The SoA identifies the controls that are relevant to your business, and explains why those controls have been selected (or omitted) to treat the identified risks.
Below is a screenshot of an SoA produced with the risk assessment software vsRisk Cloud. This tool can be used to help you create all of the documents we discuss in this blog.
2. The risk treatment plan
Another mandatory report for audit purposes, the RTP (risk treatment plan) provides a summary of:
- Each of the identified risks;
- The responses that have been designed for each risk;
- The parties responsible for those risks; and
- The target date for applying the risk treatment.
This document essentially outlines how the organisation intends to manage information security.
You can find out more about what an RTP contains by reading our guide and by checking out this example:
3. The risk assessment report
The risk assessment report provides an overview of the risk assessment.
This includes information on:
- The relevant assets;
- The treatment applied;
- The impact and likelihood of the risk affecting the confidentiality, integrity and availability of each asset before and after treatment;
- Comments related to the justification for the treatment;
- The owner of the risk;
- The order of priority of treating the risks;
- The control applied; and
- The target date for applying the treatment.
A completed risk assessment should look like this:
4. The risk summary report
The risk summary report provides detailed information about the residual risks, as determined by the risk assessment.
This is useful for assessing assets that remain moderately vulnerable, and for helping the organisation prepare its responses and continuity plans based on the likelihood or severity of those risks.
It is also useful for providing information regarding the residual risks to the board or other stakeholders, ensuring that those residual risks are accepted by the appropriate authority.
Here is an example of a risk summary report produced by vsRisk:
5. Comments report
Comments regarding the application of the controls you’ve implemented and omitted are incredibly useful, so you should collect them in this report.
Including comments here ensures that the organisation applies controls effectively and efficiently. It also provides a log that can be presented to an auditor to explain any variations.
6. Controls usage report
The controls usage report shows all of the controls from Annex A that you’ve implemented.
Unlike the SoA, it doesn’t include the controls you’ve omitted. That’s because the two documents have different purposes. The SoA is designed to document your thought process when applying controls, whereas the controls usage report provides an overview of the actions you’ve taken.
Creating a report dedicated to the controls you’ve implemented is great for staying on top of your compliance activity. The document is more streamlined than the SoA and contains only the information you need for monitoring the effectiveness of your security measures.
With vsRisk Cloud, this report is created automatically, as the tool populates all of the controls you have applied in one document.
Get started with vsRisk Cloud
We’ve referred to vsRisk Cloud throughout this blog, and for good reason. The tool simplifies the ISMS risk assessment process, making it easy to produce all the documentation you need.
With vsRisk Cloud, you don’t need to spend time developing a risk assessment methodology; you can immediately get to work on the actual risk assessment.
The tool will also save you time maintaining your risk assessment. Its robust methodology means that upcoming risk reviews and further risk assessments can be performed quickly, consistently and cost-effectively.
A version of this blog was originally published on 31 May 2016.