The Audit Process
Although Audit processes can vary from one Standards Organisation to another, and from one Policy to another, they follow similar principles and involve similar activities.
The first step of an Audit is almost always carried out on your company's premises by a qualified Assessor. This involves the assessment of Documentation to ensure that you have considered and covered everything applicable to your business. Your documentation will illustrate what aspects you have considered and what Policies, Processes and Technologies you have put in place to address all of the requirements and controls of the Standard. Also included in your documentation will be full details of any exclusions you have determined from your own risk assessments, and your justification for those exclusions. From this, the Assessor will be able to determine how the requirements and controls of the Standard have been interpreted and will identify any omissions or oversights.
The second step of an Audit may be completed at the same time as the first or, more usually, is scheduled for a later date. This allows time for remedial amendments to any shortfalls or misinterpretations identified during the assessment of the documentation. This step involves the assessment of Practices: simply, identifying whether the security practices that have been documented are actually being carried out. Attention will also be paid to the communication of requirements and controls, as well as to the level of personal responsibility demonstrated as policies are enforced, processes are followed and technologies are utilised.
The third step of an Audit is completely out of your hands. It involves the writing of a full report on your organisation, which is reviewed by the certification review team of the Standards Organisation and, if everything is in order, the issuing of a certificate.
What Auditors will Need to See
As you can see, Documentation plays a critical role in any Audit process. This is because, even if the correct actions are being practised, unless they are the result of documentation being followed they could just as easily be down to an individual (who might leave the company) or even to a fluke.
Opt-Sec Compliance Systems will show you, as you are working your way towards compliance, exactly what documentation you will need as well as what additional documents will make it easier for the Auditor to see what he needs to see.
The fact that all of your compliance-related documentation will be in a single repository, cross-referenced to specific Requirements and Controls, will make it much easier for you to locate exactly what the Auditor asks you for. It will also put at your fingertips any additional or supporting paperwork you have accumulated, which will help the Auditor to see how your approach satisfies the standard.
Taking an Auditor's Advice
This ability to reference documents to the precise requirements and controls of a policy will also clearly demonstrate your interpretation of them, because the evidence you offer indicates what you thought the requirement or control statement meant.
If an Auditor identifies that you have misinterpreted a requirement or control, or, more commonly, if an Auditor has a different opinion of the interpretation, then he or she is duty-bound to point out the "error", offer you a full explanation of the differences, and provide you with an opportunity to make amends.
Opt-Sec Compliance Systems not only make the identification of these misinterpretations quicker and easier, they also allow you to alter the System itself to reflect what the Auditor has told you to do instead. The User Interfaces provide the facility to Add, Remove and Amend descriptions without deviating from the Objectives, Requirements or Controls laid down by the Policy itself. This allows you to quickly and easily adjust your approach to fit the recommendations of your Auditor, and to have all the necessary documentation ready for his or her next visit (including full documentation of his or her advice, of course, in case you get a new Auditor next time with another interpretation of their own!).
This combination of the most comprehensive purpose-built compliance evidence repository on the market AND the flexibility of the user interface to reflect the "variability" of the Auditing process makes Opt-Sec Compliance Systems absolutely unique, and by far the best choice to help you get through the Audit process successfully.