
One of my clients has ISO 27001 audits at their disposal and they have been going through audits. Meanwhile, they are taking custom security services from our company, wherein one of the deliverables happens to be a Secure Network Architectural Review. While opting for the services provided, they hadn't informed us beforehand that they did not have the specific security documentation, policies and framework in place to carry out the task.

From my viewpoint, I would have these requirements to carry out the SNA or Secure Network Architectural Review process:

  1. Information Security Policy
  2. Network Security Policy
     - Application Security Policy
     - Information Asset Register & Classification adhering to CIA
     - Password Standards
     - Access Control
  3. Disaster Recovery Policy (DRP)
  4. Change Management Policy
  5. Business Continuity Plan (BCP)

Since we are about to provide them with information security risk assurance and they have these missing gaps, my primary question comes down to a few bottom lines here:

  1. Is it necessary to have these documents, policies, DRP, BCP, etc. built from scratch to tighten up security before carrying out the task at hand?
  2. Does ISO 27001 require all of these to already be there? And if yes, how were they audited in the first place with no management pushing forward to close the gaps in missing documentation, policies, etc.?
  3. If we are to provide serious risk assurance, should we provide them another service to create these docs and policies, or shall it be covered along with the SNA? (I know this is an executive viewpoint, but overall opinions are still needed.)
Shritam Bhowmick
  • You use the word "necessary" a lot, but you seem to switch the reason for the necessity. Are those things necessary for ISO 27k? Yes. Are those things necessary for Best Practice? Yes. Are those things necessary to engage in your services? We can have no idea about that. Your question is lost in all the possibilities. – schroeder Nov 21 '15 at 16:45
  • I'm editing the same to the best possibility. The bottom line is that, although they have done their ISO 27k, they reveal they have no prior policies, docs or any other relevant data through which our services could be delivered. – Shritam Bhowmick Nov 21 '15 at 17:57

1 Answer

I have worked in the IT Audit / IT Security profession for a while now, and I will answer from my professional experience.

Is it necessary to have these documents, policies, DRP, BCP, etc. built from scratch to tighten up security before carrying out the task at hand?

The policies you specified in your list are a basic necessity for a well-functioning IT security program. Ask yourself the following questions:

  1. How do you ensure a consistent, reliable method of administering information technology if you don't have tangible documentation in place?
  2. How do you expect employees to cooperate in the IT security mission if they don't know the purpose, the policies, and their role in the program?
  3. It is almost a given that at some time a failure will occur with a company's IT assets. Without a functioning and well-tested BCP/DRP, how do you mitigate the continuity threat to the business?

If we are to provide serious risk assurance, should we provide them another service to create these docs and policies, or shall it be covered along with the SNA?

Absolutely not. This is a conflict of interest and would be considered unethical. If you were to offer this service, your professional judgement is impaired and any subsequent assurances you provide for this client are inherently untrustworthy. Please see this document from ISACA for additional guidance on the professional independence of the assurance function:

http://www.isaca.org/Knowledge-Center/Standards/Documents/1003-Professional-Independence.pdf

Anthony