IT Security Assessments Going Online: A Guide to Performing a Virtual Audit
When the whole world has been put to a lockdown, things started to change: companies shifted to the work-from-home mode and significant scope of work has gone remote. The new normal has challenged companies in many ways, namely the inability to adapt and maintain business continuity in uncertain times. Things have changed and this has also affected the compliance world. Companies started to pay more attention to security and data privacy, while the compliance obligations didn’t go anywhere – you still need to align with the requirements and conduct regular audits to keep your sensitive data safe.
Why Are Cybersecurity Assessments Critical Today?
Cybersecurity audit is a technical assessment of an organization’s IT infrastructure, i.e., their operating systems, applications, and more. They provide invaluable information about the organization’s security controls and are particularly beneficial to companies for documenting and addressing their risks, vulnerabilities, and threat exposure. Internal and external security evaluations allow security managers to evaluate the potential disruptions, discover gaps and leaks, and get ready for future certifications. In the post-pandemic world, remote audits are an option that more and more organizations start to consider and implement in their compliance processes. Regular assessments help to discover new vulnerabilities, besides, they are required by regulations and standards. For example, an internal audit is mandatory for ISO27001, as well as for IT-Grundschutz on the check phase.
What Is a Remote Audit?
A virtual IT audit is conducted partially or completely off-site. It covers all the points and steps as an onsite audit, but the auditor uses communication technology when a site visit is not possible.
How Is a Virtual Audit Conducted?
The remote audit will typically last as long as the regular onsite audit. The assessor will dial you into the conference call via the previously agreed platform. You will need to be available all the time and share your screen. The assessor may ask you to send documents for review via any of the secure communication channels available.
Security Audit Workflow
A security audit should follow such basic format:
Definition of the Assessment Criteria
At first, it is necessary to determine the general goals of the company, what exactly you need to address in the assessment, and then define the priorities of these objectives. Whether you need to check your security system for further improvements or you’re heading for certification – it should be clearly stated. According to Gartner, a company should agree on how the performance and tracking of the audit will be carried out, as well as on gathering and addressing the assessment results.
Preparation for the Remote Security Audit
Since remote auditing relies on technology, you may follow these points to arrange your virtual audit:
- Define which tools you will use for your virtual audit. Check the benefits the right software can provide you with.
- Decide which online conferencing system you would use for interaction with the assessor, such as Microsoft Teams, Skype, Zoom, GoToMeeting, Google Hangouts, etc.
- Ensure online connection. If it’s not possible, the auditor may ask you to email the necessary information and follow up with a telephone call.
Three Essential Aspects of the Virtual Audit
You will also need to make sure the following aspects to be available for a virtual IT audit:
People that have to be present during the audit:
- CISO or IT security manager;
- Key personnel involved;
- Representative(s) of the management board if planned for the opening and final meetings, or the leadership part if planned.
The assessor will review your ISMS remotely via screen share or by sending the files via a secured communication channel. Documents that are usually to be submitted for the auditor are as following:
- Internal audit records
- Internal audit plan
- Management review minutes and actions
- Complaints log
- Corrective actions
- Improvement documentation
- Risk register
- Documentation supporting core business processes (if possible)
3. Site tours
A remote audit may require a site tour, so you should show the auditor around via a webcam or a video call. If the location is closed, or a virtual site tour is not possible due to technology, safety, or health issues, then this procedure will be carried out on-site during the next audit. The assessor will determine it based on your circumstances.
Remote Audit Results
You should monitor the progress of the audit and prioritize certain points that may require further examination. After the audit is completed, discuss the results with all of the stakeholders. Create a list of action points based on the audit and decide which steps to take first to fix the security issues discovered.
How a GRC Solution Can Make Your Virtual Audit a Blast
During the remote assessment, the auditor will require you to send documents via email. With Infopulse SCM you can generate reports with just a few clicks, make all the necessary snapshots upon the auditor’s request, and provide clear and consolidated information regarding your compliance operations when necessary. Infopulse SCM enables you to maintain a holistic view of your ISMS and manage multiple standards in one system.
Effective and easy-to-use IT security management system based on the latest standards and regulations — from planning and establishing the security concept to certification.