Considerations

The presented technological controls cover many aspects related to technical function-alities. As previously introduced, some technological controls are complementary with respect to the organizational ones, and this trend has been observed also in the guidance of controls. For this reason, where two controls dealt with complementary aspects of the same subject, it has been decided to develop the related procedures exclusively in one or the other control, in order to avoid overlapped verifications and optimize the audit activity.

Since in this context the auditor objective is to focus to all those aspects strictly related to implementation details, the audit procedures related to this type of controls mainly use configuration and observation methods. A general overview of the related developed audit procedures highlights some common recurring patterns as regards:

• Topic-specific policies: they have always been analysed through interview and doc-umentation analysis, so the corresponding audit procedure has resorted to verbal and documented evidence, by verifying that the policy is established and communi-cated to all relevant interested parties and that it contains and properly regulates the fundamental related requirements. When applicable, the analysis of the configu-ration has also been performed in order to collect technical evidence, which are more reliable than the ones gathered previously.

Implementation of audit procedures

• Procedures and processes: in the audit procedures that analyse procedures or pro-cesses adopted internally, in addition to the interview, sometimes documentary re-view and sometimes observation have been used: this choice was dictated purely by pragmatic and realistic considerations since it depends on whether procedures and processes have been formalized or not.

• Specific aspects: depending on the type of analysis to be performed, some aspects have been unified under the same audit procedure, while others have been split in separate procedures. The determining factor has been reasoning on the actual ease of applicability of the procedure by the auditor, taking into consideration practical aspects on time and effort.

• References to additional ISO standards: in several controls, such as the ones relating to access management and key management, further detailed guidance can be found in other ISO standards.

• Distribution of audit methods: in general, as could be expected, the configuration and observation methods have been widely adopted since they adequately examine practical and operational aspects of the actual implementation of control require-ments. They are usually used in a joint manner, which implies that typically what is verified analysing configuration settings is then confirmed by the observation of actual results. Consequently, many times interview has been avoided due to the fact that in audit procedures where purely practical aspects have to be assessed, more reliable methods are sufficient to obtain reliable evidence, saving time and resources.

Chapter 6

Conclusion

This final chapter shows the result obtained by the thesis work and introduces a possible future use of the developed procedures towards the standardization of the assessment of information security controls.

6.1 Review and final version

The initial development of the audit procedures has produced an extended early version where a large number of aspects have been considered within each control scope and consequently included in the corresponding procedures. The following step of review has been focused on maintaining a general attitude with respect to the level of detail of involved aspects, reflecting the wide applicability typical of ISO/IEC 27002. This has implied that:

• topics belonging to specific contexts have not been included as testing procedures in order to ensure that they were applicable to organizations of all types and sectors as required by ISO standards;

• the relevance of considered aspects has been a determining factor for their inclusion or exclusion, leading to develop audit procedures just for the main ones;

• detailed control points belonging to separate audit procedures have been aggregated in a unique procedure with a common purpose including more than one aspect to be evaluated.

Specifically, where two controls dealt with complementary aspects of the same subject, it has been decided to develop the related procedures exclusively in one or the other control, in order to avoid overlapped verifications and optimize the audit activity. By way of example, the password management system and the related verification procedures have been handled entirely in auditing of clause 5.17 - Authentication information, although it is also considered in clause 8.5 - Secure authentication.

The utilization of audit methods that provide different levels of assurance can be considered a beneficial strategy: overall, the interview has been the most widely adopted

Conclusion

method because almost in every context it was applicable, and it is flexible and fast, while in order to support the verbal evidence, at least one of the three other methods have been successfully employed.

As far as critical or extended controls are concerned, testing procedures have usually been maintained more precise, leading to obtain on average more that four or five pro-cedures related to a single control implementation. All these choices have been applied pursuing the objective of improving the applicability of the developed audit procedures, which derives from a practical need of optimizing the audit activity. Consequently, the final version is anyway comprehensive and precise enough to give a substantial support in performing audit of information security controls implementation within a real context.