[WG-IDAssurance] CO-SAC: Inconsistent audit criteria
Richard G. WILSHER @Zygma
RGW at Zygma.biz
Tue Jan 17 12:13:33 EST 2012
Dear IAWG-ers,
Brian Dilley has raised the following point (I paraphrase him, he wouldn't
show off by using big words such as 'extant' ;-):
AL[2,3,4]_CO_ISM#090 Independent Audit all state the following:
"Be audited by an independent auditor at least every 24 months to ensure the
organization's security-related practices are consistent with the policies
and procedures for the specified service."
Whilst at AL2 the 24 month period is in keeping with best practice, at AL3
and 4 extant best practice is to conduct these audits at 12-monthly
intervals.
I am in agreement with Brian, and would add:
AL4_CO_ISM#120 Best Security Management Practice requires that CSPs "Have
in place a certified Information Security Management system (ISMS)…". Such
an ISMS would require, through its certification practices, an annual
third-party audit. At AL3 this same criterion lacks the word 'certified',
but nevertheless requires that there be a management system in place, which
would lead to the conclusion that a 12-month period would also be applicable
at AL3.
Beyond that, in reviewing Brian's comment and the affected criteria, I noted
the following:
AL[2,3,4]_CO_ISM#080 Internal Service Audit
"Be audited at least once every 12 months for effective provision of the
specified service by independent internal audit functions of the enterprise
responsible for the specified service, unless it can show that by reason of
its organizational size or due to other [justifiable - AL3,4] operational
restrictions it is unreasonable to be so audited."
The 'independence' referred to here is that the auditors are employed by the
CSP but are not directly involved in the planning, operation, etc. of the
system, i.e. what is being referred to is a 'First-party' audit. However,
the use of 'Independent' in the title and body of ISM#090 has a different
implication, i.e. that the auditors have no tie to the audit subject other
than in their auditing capacity, i.e. what is being referred to here is a
'Third-party' Audit.
So, here's what I suggest the IAWG considers, endorses and actions:
1) Amend AL[2,3,4]_CO_ISM#090 Independent Audit to replace all
instances of 'independent' with 'Third-party' (title and requirement body);
2) Amend AL[3,4]_CO_ISM#090 Independent Audit to read "…at least every
12 months…", the '12' to be in bold at AL3;
3) Amend AL4_CO_ISM#090 Independent Audit to state 'certified' in
bold;
4) Amend AL2_CO_ISM#080 Internal Service Audit by adding guidance to
the effect: "Using a third-party auditor to provide the independent audit
should be considered when the organisation cannot easily provide true
internal independence but wishes to benefit from the value the audit can
provide. This may be accomplished by fulfilling the AL2_CO_ISM#090
requirement on a 12-monthly basis, e.g." (Note to IAWG - this proposed
guidance is meant to encourage the application of these audits but does not
change the fact that it may be waived, i.e. it cannot be imposed by a
Kantara-Accredited Assessor.);
5) Amend AL[3,4]_CO_ISM#080 Internal Service Audit by adding guidance
to the effect: "Using the third-party audit required by AL[3,4]_CO_ISM#090
to provide the independent audit instead of the assignment of an internal
audit function is not an acceptable means of fulfilling this criterion.
Management systems require that there be internal audit conducted as an
inherent part of management review processes. Third-party audit of the
management system is a fully separate requirement, intended to show that the
internal management system controls are being appropriately applied.";
Best regards,
R
Richard G. WILSHER
CEO, Zygma LLC
O: +1 714 965 99 42
M: +1 714 797 99 42
www.Zygma.biz