April 21, 2013, 11:26 AM — When an ISO 27001 auditor is knocking at your office door, that is not the time to check whether the latch on your window works. It's time to take a deep breath and review some important guidelines on how to handle an audit.
First off, keep your eyes on the prize. Remember that the auditor is going to be asking about your organization's security policies (sometimes referred to as "controls"), how you adhere to those policies, and whether you can provide records that demonstrate your adherence -- all with the end goal of certifying that the overall system works and certification is warranted. The auditors will be representing an accredited certification firm and the audit itself is meant to demonstrate to all concerned parties (i.e., stakeholders) that you are following good security practice.
As Unix admins, we're probably all well schooled in the basics of security and the three-legged stool on which it rests (confidentiality, integrity and availability). Those same principles underlie security standards such as ISO 27001. So, if you focus on how you keep your systems in line with these principles, you should be in good shape for responding to audit questions.
Before an audit begins, you should already have been schooled on what to expect. In general, auditors can talk to anyone, though one-on-one interviews will have been arranged ahead of time. They will want to have some interactions with a sampling of staff so that they get a well-rounded picture of how well your security system works, but the "drive-by" questions are likely to be very general in nature.
Good rules of thumb
Don't take the audit too personally. You are not being interrogated to uncover some wrong that you've done; you're not on trial, nor are you under oath. The auditor's goal is to determine whether the overall security structure under which you are working represents good practice and is reliable.
Understand that auditors are trained to be fair; at worst, they're impartial. In fact, they might actually prefer to see your organization pass the audit. Their goal, however, is to impartially assess your security system and to promote good security practice in the process, not to catch you in some failing.
Let the auditor ask the questions and don't volunteer information that he or she hasn't requested. Don't embellish your answers with any more details than are absolutely needed.
Listen to each question and provide simple, straightforward answers. Ask questions if you're not sure what the auditor is looking for.
Don't guess. If you don't know an answer, admit that you don't know, but also don't be afraid to consult other resources. If you don't remember how frequently accounts on your systems are reviewed (to be sure that they're still needed and still valid) but have a review schedule posted in your online documents, go ahead and refer to it.