DER.3.1 Audits and Revisions

Description

Introduction

Audits and revisions are fundamental to every successful information security management system (ISMS). Only if established security measures and processes are regularly reviewed to determine whether they are still effective, complete, appropriate, and current can the overall state of information security be assessed. Audits and revisions are thus a tool for determining, achieving, and maintaining an adequate level of security. Through audits and revisions, it is possible to identify security deficiencies and adverse developments and to take appropriate countermeasures.

An audit (audire = to hear, to listen) is a systematic, independent examination of activities and their results. It examines whether defined requirements such as standards, norms, or guidelines are being met. In a revision (revidieren = to check, to review), it is examined whether documents, conditions, objects, or procedures are correct, effective, and appropriate. Unlike an audit, a revision does not necessarily have to be independent. Furthermore, a revision in the sense of maintenance may also include corrective action.

Objective

The building block DER.3.1 Audits and Revisions defines requirements for audits and revisions with the goal of improving information security in an institution, avoiding adverse developments in this area, and optimizing security measures and processes.

Scope and Modeling

The building block is to be applied to the entire information network. This applies to internal audits (first-party audits) and revisions, as well as audits of the institution’s service providers (second-party audits) or other institutions with which the institution has entered into a partnership. Certification audits (third-party audits) are not covered by this building block.

Likewise, the IS revision that is mandatory for federal authorities is not addressed here. It is covered in building block DER.3.2 Revisions Based on the IS Revision Guide.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block DER.3.1 Audits and Revisions.

Insufficient or Unscheduled Implementation of Security Measures

The level of protection of an institution depends on security measures being fully and correctly implemented. Particularly during critical phases of projects or under certain conditions, it can happen that security measures are temporarily suspended. If their reactivation is then forgotten, an excessively low level of security can result.

Ineffective or Uneconomical Implementation of Security Measures

If security measures are implemented without taking certain practical aspects into account, the measures may be ineffective. For example, it is pointless to secure an entrance area with turnstiles if employees can simply enter the building through an open side entrance.

Similarly, individual measures may be taken that are not economically sensible. For the protection of information with normal confidentiality requirements, a properly implemented rights and roles concept is better suited and more cost-effective than complex, certificate-based encryption of the file server.

Inadequate Implementation of the ISMS

In many institutions, the Information Security Officer themselves checks whether security measures have been implemented. However, the review of the actual ISMS is often overlooked, especially since this should be carried out by independent third parties. As a result, the processes of an ISMS may be implemented inefficiently or inappropriately, which in turn can impair the security level of the institution.

Insufficient Qualification of Auditors

If the persons who are to conduct an audit or revision are not sufficiently qualified or prepare inadequately for the reviews, they may incorrectly assess the security status of an institution. This could lead to missing or even incorrect corrective actions in the audit report. In the worst case, this results in security that is too high and therefore not economical, or too low and therefore very risky.

Lack of Long-Term Planning

If audits and revisions are not planned long-term and centrally, it can happen that some areas are checked very frequently and others not at all. This makes it very difficult or even impossible to assess the security status of the information network.

Lack of Planning and Coordination When Conducting an Audit

If an audit has been poorly planned and not sufficiently coordinated with the institution, not all required persons may be present during the on-site review. As a result, it may be impossible to audit individual areas at all. Also, if the time slots for individual areas are set too tightly, the investigation may only be conducted superficially because insufficient time has been allocated.

Failure to Involve the Employee Representatives

Audits and revisions may also examine aspects from which conclusions about the performance of employees can be drawn. These reviews could therefore be treated as a performance appraisal. If the employee representatives are not involved, this can lead to violations of applicable co-determination rights.

Deliberate Concealment of Deviations

Employees may fear that their errors will be exposed during the review and may therefore attempt to conceal security problems. This could convey a false picture of the actual current status.

Requirements

The following are the specific requirements of building block DER.3.1 Audits and Revisions. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is reasonable and appropriate.

Responsibilities             Roles
Primary responsibility       Information Security Officer (ISO)
Additional responsibilities  Audit Team, Top Management

Exactly one role should be primarily responsible. In addition, there may be additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people should fill these roles.

Basic Requirements

The following requirements MUST be fulfilled as a priority for this building block.

DER.3.1.A1 Definition of Responsibilities (B) [Top Management]

Top Management MUST designate a person responsible for planning and initiating audits and revisions. In doing so, Top Management MUST ensure that no conflicts of interest arise.

The institution MUST use the results of audits and revisions to improve security measures.

DER.3.1.A2 Preparation of an Audit or Revision (B)

Before an audit or revision, the institution MUST define the subject and objectives of the review. The relevant personnel MUST be informed. Depending on the subject matter, the employee representatives MUST be informed about the planned audit or revision.

DER.3.1.A3 Conducting an Audit (B) [Audit Team]

In an audit, the audit team MUST examine whether requirements from policies, standards, norms, and other relevant specifications are being met. The institution being audited MUST know the requirements.

The audit team MUST conduct a document review as well as an on-site review for every audit. During the on-site audit, the audit team MUST ensure that it never actively intervenes in systems and never provides instructions for changes to the subject of the audit.

The audit team MUST document all results of an audit in writing and summarize them in an audit report. The audit report MUST be submitted to the responsible party in the institution in a timely manner.

DER.3.1.A4 Conducting a Revision (B)

In a revision, the revision team MUST examine whether requirements are implemented completely, correctly, appropriately, and in an up-to-date manner. The institution MUST correct identified deviations as quickly as possible. The respective revisions MUST be documented with a change history.

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.

DER.3.1.A5 Integration into the Information Security Process (S)

The institution SHOULD establish a policy for internal ISMS auditing. It SHOULD also create a policy for managing corrective actions. The policies SHOULD specify that regular audits and revisions are part of the security process and are initiated by it.

The ISO SHOULD ensure that the results of audits and revisions feed back into the ISMS and improve it. The ISO SHOULD include the conducted audits and revisions and their results in the regular report to Top Management. It SHOULD also be recorded there which deficiencies have been remediated and how quality has been improved.

DER.3.1.A6 Definition of the Audit Basis and a Uniform Assessment Scheme (S)

The institution SHOULD establish a uniform basis for audits. A uniform assessment scheme for evaluating the implementation of requirements SHOULD be established and documented.

DER.3.1.A7 Creation of an Audit Program (S)

The ISO SHOULD establish a multi-year audit program that covers all audits and revisions to be conducted. Goals SHOULD be defined for the audit program, derived in particular from the institution’s objectives and information security objectives.

The ISO SHOULD include reserves for unforeseen events in the annual resource planning. The audit program SHOULD be subject to its own continuous improvement process.

DER.3.1.A8 Creation of a Revision List (S)

The ISO SHOULD maintain one or more revision lists that document the current status of revision objects as well as planned revisions.

DER.3.1.A9 Selection of a Suitable Audit or Revision Team (S)

The institution SHOULD assemble a suitable team for each audit or revision. A person SHOULD be designated to lead the audit or revision. This person SHOULD bear overall responsibility for conducting the audits or revisions.

The size of the audit or revision team SHOULD correspond to the scope of the review. The institution SHOULD in particular take into account the competency requirements of the review topics as well as the size and geographic distribution of the review area. Members of the audit or revision team SHOULD be appropriately qualified.

The neutrality of the audit team SHOULD be ensured. Furthermore, the revision team SHOULD also be independent. If external service providers are engaged for an audit or revision, they SHOULD be checked for their independence and obligated to maintain confidentiality.

DER.3.1.A10 Creation of an Audit or Revision Plan (S) [Audit Team]

Before an audit or a major revision, an audit or revision plan SHOULD be created. For audits, the audit plan SHOULD be part of the final audit report. The audit plan SHOULD be updated throughout the audit and adjusted as needed. Smaller revisions SHOULD be planned using the revision list.

The institution SHOULD allocate sufficient resources for the audit or revision team.

DER.3.1.A11 Communication and Conduct During Reviews (S) [Audit Team]

The audit or revision team SHOULD establish clear rules for how the audit or revision team and the employees of the institution or department being reviewed exchange information. The audit team SHOULD use appropriate measures to ensure that the confidentiality and integrity of the information exchanged during an audit are protected.

Persons accompanying the audit SHOULD NOT influence the reviews. Furthermore, they SHOULD be obligated to maintain confidentiality.

DER.3.1.A12 Conducting a Kick-Off Meeting (S) [Audit Team]

The audit or revision team SHOULD conduct a kick-off meeting with the relevant contact persons. The audit or revision procedure SHOULD be explained and the conditions for the on-site review coordinated. The respective responsible parties SHOULD confirm this.

DER.3.1.A13 Review and Examination of Documents (S) [Audit Team]

Documents SHOULD be reviewed by the audit team based on the requirements established in the review plan. All relevant documents SHOULD be examined to determine whether they are current, complete, and comprehensible. The results of the document review SHOULD be documented. The results SHOULD also feed into the on-site review where this makes sense.

DER.3.1.A14 Selection of Samples (S) [Audit Team]

The audit team SHOULD select samples for the on-site review based on risk and justify the selection in a comprehensible manner. The selected samples SHOULD be documented. If the audit is conducted on the basis of building block target objects and requirements, these SHOULD be selected using a previously defined procedure. When selecting samples, the results of previous audits SHOULD also be taken into account.

DER.3.1.A15 Selection of Appropriate Audit Methods (S) [Audit Team]

The audit team SHOULD use appropriate methods for each subject matter to be reviewed. It SHOULD also be ensured that all reviews are proportionate.

DER.3.1.A16 Schedule for the On-Site Review (S) [Audit Team]

The audit team SHOULD develop the schedule for the on-site review together with the institution. The results SHOULD be documented in the audit plan.

DER.3.1.A17 Conducting the On-Site Review (S) [Audit Team]

At the start of the on-site review, the audit team SHOULD conduct an opening meeting with the institution. All requirements established in the review plan SHOULD then be checked using the designated review methods. If a selected sample deviates from the documented status, the sample SHOULD be expanded as needed until the matter is clarified. After the review, the audit team SHOULD conduct a closing meeting. In it, the team SHOULD briefly present the results without evaluation and describe the next steps. The meeting SHOULD be recorded in minutes.

DER.3.1.A18 Conducting Interviews (S) [Audit Team]

The audit team SHOULD conduct structured interviews. Questions SHOULD be formulated concisely, precisely, and in an easily understandable manner. Appropriate questioning techniques SHOULD also be used.

DER.3.1.A19 Review of the Risk Treatment Plan (S) [Audit Team]

The audit team SHOULD examine whether the residual risks remaining for the information network are appropriate and acceptable. It SHOULD also examine whether they are bindingly supported by Top Management. Measures that fundamentally contribute to the information security of the entire institution MUST NOT be included in this risk acceptance.

The audit team SHOULD verify by sampling whether and to what extent the measures established in the risk treatment plan have been implemented.

DER.3.1.A20 Conducting a Final Meeting (S) [Audit Team]

The audit team SHOULD conduct a final meeting with the audited institution. The preliminary audit results SHOULD be presented therein, and the next steps SHOULD be outlined.

DER.3.1.A21 Evaluation of Reviews (S) [Audit Team]

After the on-site review, the audit team SHOULD further consolidate and evaluate the information gathered. After additionally requested documentation and supplementary information have been evaluated, the reviewed measures SHOULD be finally assessed. To allow additionally requested documentation to be provided, the audit team SHOULD grant the institution a sufficient time window. Documents not received by the agreed deadline SHOULD be treated as non-existent.

DER.3.1.A22 Creation of an Audit Report (S) [Audit Team]

The audit team SHOULD compile the findings into an audit report and document them in a comprehensible manner.

The audited institution SHOULD ensure that all affected parties receive the sections of the audit report that are important and necessary for them within an appropriate timeframe.

DER.3.1.A23 Documentation of Revision Results (S)

The results of a revision SHOULD be documented uniformly by the revision team.

DER.3.1.A24 Conclusion of the Audit or Revision (S) [Audit Team]

After the audit or revision, the audit team SHOULD return or destroy all relevant documents, storage media, and IT systems. This SHOULD be coordinated with the audited institution. Retention obligations arising from legal or other binding requirements SHOULD be taken into account accordingly. The ISO SHOULD have all access that was approved for the audit or revision team deactivated or deleted.

It SHOULD be agreed with the audited institution how the results are to be handled. It SHOULD also be established that the audit results MUST NOT be passed on to other institutions without the approval of the audited institution.

DER.3.1.A25 Follow-Up of an Audit (S)

The institution SHOULD rectify the deviations or deficiencies identified in the audit report or during a revision within an appropriate timeframe. The corrective actions to be taken, including timelines and responsibilities, SHOULD be documented. Completed corrective actions SHOULD also be documented. The institution SHOULD establish and use a defined procedure for this purpose.

If there were serious deviations or deficiencies, the audit or revision team SHOULD verify that the corrective actions have been carried out.

DER.3.1.A26 Monitoring and Adjusting the Audit Program (S)

The audit program SHOULD be continuously monitored and adjusted so that deadlines, audit objectives, audit content, and audit quality are maintained.

Using the existing requirements for the audit program and the results of conducted audits, it SHOULD be verified whether the audit program is appropriate. It SHOULD be adjusted as needed.

The institution SHOULD store and retain audit programs and documents related to audits and revisions in a comprehensible and audit-proof manner in accordance with regulatory requirements. It SHOULD be ensured that only authorized persons can access audit programs and documents. The institution SHOULD securely destroy audit programs and documents after the retention period has expired.

Requirements for High Protection Needs

The following are exemplary proposals for requirements that go beyond the level of protection corresponding to the state of the art for this building block. The proposals SHOULD be considered when there are elevated protection needs. The specific determination is made within the framework of an individual risk analysis.

DER.3.1.A28 DISCONTINUED (H)

This requirement has been discontinued.

Additional Information

Good to Know

The International Organization for Standardization has described guidelines for auditing management systems in the standard “ISO 19011:2011”.

The International Organization for Standardization has described guidelines for auditing an ISMS in the standard “ISO/IEC 27007:2011”.

The Information Security Forum has described guidelines for auditing an ISMS in the document “The Standard of Good Practice for Information Security”.