
Following the methodology used by the PCI DSS consolidated procedures, it has been decided to adopt a similar idea for the structure of the audit procedures realized here: the employed approach systematically submits the verification of each control to multiple audit procedures of different types. This implies that for each information security control a specific, pre-defined combination of testing procedures has been assigned. To this purpose, the four testing methods illustrated in figure 4.1 have been established, and the structure of the test procedure has been defined accordingly, as shown in figure 4.2.

Figure 4.1. Combination of four testing methods

Figure 4.2. Design of the audit procedure structure

The labels characterizing the chosen structure are intuitively understandable:

• ID: unique control identifier in ISO/IEC 27002:2022 document

• Control: statement describing what the control is, as defined in ISO/IEC 27002:2022 document

Design of audit procedures

• Testing Procedure: title describing the testing procedure scope of interest

• Interview: testing method based on verbal interview, explained in 4.4.1

• Document: testing method based on the analysis of any written form of documents, explained in 4.4.2

• Configuration: testing method based on the inspection of configuration settings, explained in 4.4.3

• Observation: testing method based on the observation of a process or of its outputs, explained in 4.4.4

4.4.1 Interview

The interview is the most widely used testing method, both in this thesis work and by auditors in general. It consists of a series of pre-defined verbal or written questions put to the auditee's employees. This form of audit procedure is easier to implement because it requires less time and effort on the auditor's side, it allows information from different entities relating to the same topic to be collected simultaneously, and it is the most flexible. By way of example, as far as the surveillance system is concerned, the auditor can find out which surveillance measures are present, how they are employed for monitoring, how frequently and by whom, by interviewing the responsible personnel.

Since the interview is inherently based on verbal evidence, which is the least reliable type according to the classification presented in 3.3.1, additional types of evidence that support the verbal ones need to be provided. This is the reason why, during this thesis work, the testing method based on interview has always been integrated with other methods.

Types of interviews

Interviews can be conducted through several approaches, aiming to obtain an adequate pre-established level of coverage of all target items. Thus, interviews can be:

• General vs Detailed: it depends on what the interview aims to validate, leading to a different level of detail in the information gathering process. For example, if the target is the general design of the human resources management process or the recovery plan of an incident management process, the auditor will conduct a general or a detailed interview, respectively.

• Individual vs Group: it is intended for a single person or a group of individuals.

Group interviews are less frequent and are usually performed when it is necessary to analyse the interactions between members, so individual interviews are typically more common.

Results, conclusions and any type of information deriving from interviews of any form should be appropriately recorded. [16]


4.4.2 Documentation

The method based on documentation consists of the review of documents such as policies, procedures and formally recorded information. It is performed as a preliminary step in assessing the effectiveness of a control's implementation: typically the existence of a documented process is first checked through documentation analysis, and then its effectiveness and compliance are validated, producing documentary evidence (following the classification in 3.3.1).

From the point of view of the results, documented information review is appropriate for understanding and evaluating the functioning and design of the management system, and the related controls, from a broader perspective. In the context of the developed audit procedures, the documentation method has been adopted whenever possible to analyse policies or any well-formed procedure or process, taking into account the feasibility of the method according to the kind of information that is usually documented or not.

The validation of documented information is performed by evaluating:

• the correspondence of its content with respect to the represented clause

• its format conformity

• the relative procedure for the management of the documented information [15]

4.4.3 Configuration

This audit method consists of the analysis of configurations, intended as the configuration settings of the system or application under evaluation. It is adopted to validate the effectiveness of a technical control in place; for this reason it can be applied to systems where configuration settings are meaningful for the fulfillment of the control's purpose. This implies that this method is typically targeted at any kind of device, hardware or software component, or in general any IT system where the configuration values are relevant and must be verified by the auditor. Consequently, the analysis of configurations produces technical evidence, which has a medium level of reliability according to the classification in 3.3.1. The auditor usually does not verify the configurations autonomously but asks a system administrator to show them or, if they are particularly large or difficult to analyze, to export them. In the context of this thesis work, this method has been used mostly for the technological controls of ISO/IEC 27002. [16]

4.4.4 Observation

This audit method is performed through direct observation of the phenomenon subject to the audit activity. Typically, it can include physical inspections, examination of records and, in general, any observation aimed at verifying processes and procedures as well as the implementation of information security best practices, such as firewall updates. Since it produces physical evidence, the best in terms of reliability, observation is certainly the most reliable audit method; it also adopts a broader perspective, since a procedure or process is considered in its entirety.


Depending on the depth of the auditor's analysis, this method can be performed through general or detailed observation. Respectively, the former aims to verify just the existence of a process and its implementation, while the latter examines in detail the functioning and continuity of a process. For example, a visit to the data-processing center and the observation of a system backup test are illustrative of the two levels of analysis detail. [16]
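The procedure structure of figure 4.2 and the four methods of 4.4.1 to 4.4.4 lend themselves to a small consistency check over an audit plan. The following Python is an added example, not code from the thesis: it models one row of the procedure (ID, Control, Testing Procedure and the assigned methods), maps each method to the evidence type the chapter says it produces, and enforces the chapter's rule that an interview is never the only method assigned to a control. The reliability rank given to documentary evidence and the sample rows are assumptions of this example.

```python
from dataclasses import dataclass, field

# Evidence type produced by each testing method, as stated in sections 4.4.1-4.4.4.
EVIDENCE = {
    "interview": "verbal",
    "document": "documentary",
    "configuration": "technical",
    "observation": "physical",
}

# Reliability ranking: verbal is the least reliable, technical is medium and
# physical the best. The rank of documentary evidence is an assumption here.
RELIABILITY = {"verbal": 1, "documentary": 2, "technical": 3, "physical": 4}


@dataclass
class AuditProcedure:
    control_id: str          # control identifier in ISO/IEC 27002:2022
    control: str             # control statement
    testing_procedure: str   # title describing the scope of the test
    methods: dict = field(default_factory=dict)  # method name -> test step text


def validate(proc: AuditProcedure) -> list:
    """Return the list of violations; an empty list means the row is well formed."""
    issues = []
    unknown = sorted(set(proc.methods) - set(EVIDENCE))
    if unknown:
        issues.append(f"{proc.control_id}: unknown method(s) {unknown}")
    if not proc.methods:
        issues.append(f"{proc.control_id}: no testing method assigned")
    # Verbal evidence alone is the least reliable type and must be corroborated.
    if set(proc.methods) == {"interview"}:
        issues.append(f"{proc.control_id}: interview only; verbal evidence needs corroboration")
    return issues


def strongest_evidence(proc: AuditProcedure) -> str:
    """Most reliable evidence type the assigned combination of methods can produce."""
    kinds = [EVIDENCE[m] for m in proc.methods if m in EVIDENCE]
    return max(kinds, key=RELIABILITY.__getitem__) if kinds else "none"


# Constructed sample rows for this example (texts are illustrative, not the thesis' own).
SAMPLE = [
    AuditProcedure("7.4", "Physical security monitoring", "Surveillance measures in use",
                   {"interview": "Ask who monitors the premises and how frequently",
                    "observation": "Observe the monitoring station and its recorded outputs"}),
    AuditProcedure("8.8", "Management of technical vulnerabilities", "Firewall update status",
                   {"interview": "Ask the administrator about the update schedule"}),
]
```

Running `validate` over every row of a plan flags controls whose evidence would rest on the interview alone, which is exactly the case the chapter says was always avoided.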
