[WG-IDAssurance] CO-SAC: Inconsistent audit criteria

Anna Ticktin atick10 at me.com
Tue Jan 17 14:07:11 EST 2012


Hello Folks—

I've attempted to capture Richard's summary below on the IAWG's wiki space currently tracking proposed IAF batch changes.
(RGW—pls feel free to edit if I've mis-captured in any way.)

link : http://kantarainitiative.org/confluence/display/idassurance/IAF+Stack+Edits


Best.
—> Anna Ticktin

       anna at kantarainitiative.org
       anna at ieee-isto.org

On 17Jan2012, at 9:13 AM, Richard G. WILSHER @Zygma wrote:

> Dear IAWG-ers,
>  
> Brian Dilley has raised the following point (I paraphrase him, he wouldn’t show off by using big words such as ‘extant’ ;-):
> 
> AL[2,3,4]_CO_ISM#090  Independent Audit all state the following:
> “Be audited by an independent auditor at least every 24 months to ensure the
> organization's security-related practices are consistent with the policies
> and procedures for the specified service.”
> Whilst at AL2 the 24 month period is in keeping with best practice, at AL3 and 4 extant best practice is to conduct these audits at 12-monthly intervals.
>  
> I am in agreement with Brian, and would add:
> AL4_CO_ISM#120  Best Security Management Practice requires that CSPs “Have in place a certified Information Security Management system (ISMS) …”.  Such an ISMS would require, through its certification practices, an annual third-party audit.  At AL3 this same criterion lacks the word ‘certified’, but nevertheless requires that there be a management system in place, which would lead to the conclusion that a 12-month period would also be applicable at AL3.
>  
> Beyond that, in reviewing Brian’s comment and the affected criteria, I noted the following:
>  
> AL[2,3,4]_CO_ISM#080 Internal Service Audit
> “Be audited at least once every 12 months for effective provision of the specified service by independent internal audit functions of the enterprise responsible for the specified service, unless it can show that by reason of its organizational size or due to other [justifiable – AL3,4] operational restrictions it is unreasonable to be so audited.”
> The ‘independence’ referred to here is that the auditors are employed by the CSP but are not directly involved in the planning, operation, etc. of the system, i.e. what is being referred to is a ‘First-party’ audit.  However, the use of ‘Independent’ in the title and body of ISM#090 has a different implication, i.e. that the auditors have no tie to the audit subject other than in their auditing capacity, i.e. what is being referred to here is a ‘Third-party’ Audit.
>  
> So, here’s what I suggest the IAWG considers, endorses and actions:
> 1) Amend AL[2,3,4]_CO_ISM#090  Independent Audit to replace all instances of ‘independent’ with ‘Third-party’ (title and requirement body);
> 2) Amend AL[3,4]_CO_ISM#090  Independent Audit to read “…at least every 12 months …”, the ‘12’ to be in bold at AL3;
> 3) Amend AL4_CO_ISM#090  Independent Audit to state ‘certified’ in bold;
> 4) Amend AL2_CO_ISM#080 Internal Service Audit by adding guidance to the effect: “Using a third-party auditor to provide the independent audit should be considered when the organisation cannot easily provide true internal independence but wishes to benefit from the value the audit can provide.  This may be accomplished by fulfilling the AL2_CO_ISM#090 requirement on a 12-monthly basis, e.g.” (Note to IAWG – this proposed guidance is meant to encourage the application of these audits but does not change the fact that it may be waived, i.e. it cannot be imposed by a Kantara-Accredited Assessor.);
> 5) Amend AL[3,4]_CO_ISM#080 Internal Service Audit by adding guidance to the effect: “Using the third-party audit required by AL[3,4]_CO_ISM#090 to provide the independent audit instead of the assignment of an internal audit function is not an acceptable means of fulfilling this criterion.  Management systems require that there be internal audit conducted as an inherent part of management review processes.  Third-party audit of the management system is a fully separate requirement, intended to show that the internal management system controls are being appropriately applied.”;
> 
> Best regards,
> R
> 
> Richard G. WILSHER
> CEO, Zygma LLC
> O:  +1 714 965 99 42
> M: +1 714 797 99 42
> www.Zygma.biz
> 
>  
> _______________________________________________
> WG-IDAssurance mailing list
> WG-IDAssurance at kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-idassurance
