
51 - Auditing process

Auditing is like a large project or research task made up of several phases. Usually the process contains three stages: Planning - Testing - Reporting. One model, a fairly simplified version, is explained below. It is just one way to carry out an audit; other models exist, and all of them follow a similar pattern, e.g. Plan-Do-Act.


Planning phase


As with any project, the planning phase is the most important part, because it sets the guidelines for how the audit will be carried out. For example, the goal of this group work is to perform a cyber security audit on an environment. The main questions are WHAT, WHO, WHEN, etc. Below are example tasks that should be decided in this phase.

  • Create audit plan
    • Define purpose of audit
    • Define scope and objectives
    • Define audit staff (and skills)
    • Create timeframe (schedule)
  • Describe target environment
    • List assets
    • List documents related to assets
    • List documents related to security processes, policies, etc
    • Interview security personnel
  • Prepare report template
  • Schedule meetings with audit team
    • Define goals for meetings

Usually the audit plan is a document that the client approves; only then can testing start. This approval matters because of legislation: some tools and tests may not be used unless the customer has explicitly given permission.


Testing and documentation phase


  • Research
    • Read documentation
    • TTP = Tactics, Techniques, Procedures
    • Known vulnerabilities / weaknesses
  • Test controls (scope and objectives)
    • Use your skills and tools!
    • Document everything (it must be repeatable)!
    • Who, What, When, Why, Where
  • Discover and validate
    • Check the results
    • Validate findings
  • Collect and document results

Analysis and Reporting phase


  • Risk analysis
    • Threats?
    • Vulnerabilities?
  • Recommendations
    • What should be done
  • Report
    • SCOPE! – and what was left outside it!
    • Summary for management
    • Details for system specialists
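The analysis and reporting items above (rate each finding by threat and impact, attach a recommendation, state the scope and what was excluded, and write one view for management and one for specialists) fit together in a small script. This is an added example, not part of the course page: the findings, assets and scope are constructed sample data, and the 3x3 likelihood-times-impact matrix with Low/Medium/High buckets is one common rating scheme, assumed here rather than prescribed by the text.

```python
from collections import Counter

# Constructed sample findings (hypothetical assets and issues, not from the page).
FINDINGS = [
    {"id": "F-1", "title": "Outdated TLS configuration on web front end",
     "asset": "web-01", "threat": "Eavesdropping on customer sessions",
     "likelihood": 3, "impact": 2, "recommendation": "Disable legacy protocol versions."},
    {"id": "F-2", "title": "Shared local administrator password",
     "asset": "workstations", "threat": "Lateral movement after a single compromise",
     "likelihood": 3, "impact": 3, "recommendation": "Deploy unique per-host passwords."},
    {"id": "F-3", "title": "Missing backup restore test",
     "asset": "backup server", "threat": "Data loss not detected until needed",
     "likelihood": 1, "impact": 3, "recommendation": "Schedule quarterly restore drills."},
]

# Scope statement copied from the (constructed) audit plan; the report must repeat
# both halves so the reader knows what was NOT assessed.
SCOPE = {"in_scope": ["web-01", "workstations", "backup server"],
         "out_of_scope": ["payment gateway (third-party hosted)"]}


def risk_rating(likelihood, impact):
    """3x3 matrix: score = likelihood * impact on a 1..3 scale, bucketed Low/Medium/High."""
    for v in (likelihood, impact):
        if v not in (1, 2, 3):
            raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def analyse(findings):
    """Rate every finding and order the list so the worst items come first."""
    rated = [{**f, "rating": risk_rating(f["likelihood"], f["impact"])} for f in findings]
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(rated, key=lambda f: (order[f["rating"]], f["id"]))


def management_summary(rated, scope):
    """Short view for management: scope, exclusions, counts, and only the High items by title."""
    counts = Counter(f["rating"] for f in rated)
    lines = [
        "Scope: " + ", ".join(scope["in_scope"]),
        "Not assessed: " + ", ".join(scope["out_of_scope"]),
        f"Findings: {counts.get('High', 0)} high, {counts.get('Medium', 0)} medium, "
        f"{counts.get('Low', 0)} low",
    ]
    lines += [f"- High: {f['title']}" for f in rated if f["rating"] == "High"]
    return "\n".join(lines)


def specialist_details(rated):
    """Full per-finding detail for system specialists: asset, threat, scores, recommendation."""
    blocks = []
    for f in rated:
        blocks.append(
            f"{f['id']} [{f['rating']}] {f['title']}\n"
            f"  Asset: {f['asset']}\n"
            f"  Threat: {f['threat']}\n"
            f"  Likelihood/Impact: {f['likelihood']}/{f['impact']}\n"
            f"  Recommendation: {f['recommendation']}"
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    rated = analyse(FINDINGS)
    print(management_summary(rated, SCOPE))
    print()
    print(specialist_details(rated))
```

Keeping the two views as separate functions over the same rated list is the point: management sees scope, exclusions and counts without technical detail, while the specialist section carries every field needed to reproduce and fix the issue, and neither can drift from the other because both are generated from one source.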

ISO standards notification

ISO 19011 Guidelines for auditing management systems: This document provides guidance on auditing management systems, including the principles of auditing, managing an audit programme and conducting management system audits, as well as guidance on the evaluation of competence of individuals involved in the audit process. These activities include the individual(s) managing the audit programme, auditors and audit teams.

ISO 27007 Guidelines for information security management systems auditing: This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011:2011. This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.


Usually you cannot find audit documents on the internet, because they describe what is wrong with an environment, and attackers could use that information. Another reason is the NDA (non-disclosure agreement). Sometimes companies publish these documents after they have fixed all the problems; one reason is to increase the company's reliability. For example, the CloakCoin company published their security audit document on their webpage https://www.cloakcoin.com/en/project/security.