Audit and Compliance
Overview
Auditing validates ISO 27017 implementation effectiveness and demonstrates compliance to stakeholders and regulators.
Learning Objectives
- Prepare for ISO 27017 audits
- Understand audit processes
- Collect and maintain evidence
- Address audit findings
- Demonstrate ongoing compliance
Audit Types
Internal Audits
Purpose: Self-assessment of control effectiveness
Internal Audit Program
Frequency: Quarterly (minimum annually)
Scope:
├─ All ISO 27017 controls in SOA
├─ Rotating focus areas
├─ Risk-based selection
└─ Incident follow-up
Audit Team:
├─ Internal audit department
├─ Security team members
├─ Independent (from audited area)
└─ Trained in ISO 27017
Process:
1. Planning (2 weeks)
2. Fieldwork (2-4 weeks)
3. Reporting (1 week)
4. Remediation (varies)
5. Follow-up (quarterly)
External Audits
ISO 27001 Certification Audit:
Certification Process
Stage 1: Documentation Review
├─ Review ISMS documentation
├─ Assess readiness
├─ Identify issues
└─ Duration: 1-2 days
Gap Period: 1-3 months
├─ Address Stage 1 findings
├─ Complete preparations
└─ Final readiness check
Stage 2: Implementation Assessment
├─ Verify control implementation
├─ Test effectiveness
├─ Interview personnel
├─ Review evidence
└─ Duration: 3-5 days
Certification Decision
├─ No findings: Certificate issued
├─ Minor findings: Corrective action, then certificate
├─ Major findings: Re-audit required
└─ Certificate valid: 3 years
Surveillance Audits
├─ Frequency: Annual
├─ Duration: 1-2 days
├─ Scope: Sample of controls + changes
└─ Purpose: Maintain certification
Recertification Audit (Year 3)
├─ Full reassessment
├─ Similar to Stage 2
└─ New 3-year cycle
Compliance Audits
Regulatory Compliance:
| Regulation | Audit Frequency | Auditor | Focus |
|---|---|---|---|
| GDPR | As needed | DPA | Data protection practices |
| HIPAA | Annual | Qualified assessor | PHI safeguards |
| PCI DSS | Annual (plus quarterly scans) | QSA | Cardholder data security |
| SOC 2 | Annual | CPA firm | Trust services criteria |
| FedRAMP | Continuous | 3PAO | Federal security controls |
Audit Preparation
Pre-Audit Checklist
30 Days Before Audit:
├─ [ ] Review and update documentation
├─ [ ] Run internal audit/self-assessment
├─ [ ] Address known gaps
├─ [ ] Organize evidence repository
├─ [ ] Schedule personnel interviews
├─ [ ] Arrange workspace for auditors
├─ [ ] Prepare system access (read-only)
└─ [ ] Conduct readiness review
14 Days Before:
├─ [ ] Finalize documentation
├─ [ ] Verify evidence completeness
├─ [ ] Brief audit participants
├─ [ ] Confirm auditor schedules
├─ [ ] Prepare opening meeting materials
└─ [ ] Test evidence access
7 Days Before:
├─ [ ] Final documentation check
├─ [ ] Confirm all appointments
├─ [ ] Prepare conference rooms
├─ [ ] Test presentation equipment
└─ [ ] Stakeholder communication
Day Before:
├─ [ ] Final walkthrough
├─ [ ] Verify access credentials
├─ [ ] Confirm schedules
└─ [ ] Rest and prepare
Evidence Collection
Types of Evidence
| Evidence Type | Examples | Storage |
|---|---|---|
| Policies | Security policy, acceptable use | Document repository |
| Procedures | Incident response, change management | Document repository |
| Records | Access reviews, training completion | Database/system |
| Logs | Authentication, access, changes | SIEM, cloud logs |
| Screenshots | Configuration settings | Screenshot library |
| Reports | Vulnerability scans, audits | Report repository |
| Certificates | Training, certifications | HR system |
| Contracts | SLAs, DPAs with CSPs | Contract management |
Evidence Organization
Evidence Repository Structure
/ISO27017-Evidence
├── /Policies
│   ├── Information-Security-Policy-v2.1.pdf
│   ├── Cloud-Usage-Policy-v1.3.pdf
│   └── Data-Protection-Policy-v1.5.pdf
│
├── /Procedures
│   ├── User-Provisioning-Procedure.pdf
│   ├── Incident-Response-Procedure.pdf
│   └── Change-Management-Procedure.pdf
│
├── /Access-Control
│   ├── /Access-Reviews
│   │   ├── Q1-2024-Access-Review.xlsx
│   │   ├── Q2-2024-Access-Review.xlsx
│   │   └── Review-Results-Summary.pdf
│   ├── /MFA-Enrollment
│   │   ├── MFA-Enrollment-Report.csv
│   │   └── MFA-Coverage-Dashboard.png
│   └── /Provisioning-Records
│       └── New-User-Approvals-Q1-Q4.xlsx
│
├── /Encryption
│   ├── /Key-Management
│   │   ├── Key-Rotation-Schedule.xlsx
│   │   ├── Key-Rotation-Logs.csv
│   │   └── KMS-Configuration-Screenshots/
│   └── /Encryption-Validation
│       ├── Encryption-At-Rest-Audit.pdf
│       └── TLS-Configuration-Scans/
│
├── /Monitoring
│   ├── /Security-Events
│   │   ├── SIEM-Configuration.pdf
│   │   ├── Alert-Configurations.xlsx
│   │   └── Monthly-Security-Reports/
│   ├── /Compliance-Scans
│   │   ├── CIS-Benchmark-Results/
│   │   └── Configuration-Compliance/
│   └── /Incident-Reports
│       └── 2024-Incidents/
│
├── /Training
│   ├── Training-Records-2024.xlsx
│   ├── Security-Awareness-Completion.pdf
│   └── Training-Materials/
│
├── /Vendor-Management
│   ├── /AWS
│   │   ├── AWS-SOC2-Report.pdf
│   │   ├── AWS-ISO27001-Certificate.pdf
│   │   └── AWS-SLA.pdf
│   └── /Azure
│       └── Azure-Compliance-Documents/
│
└── /Audit-Reports
    ├── Internal-Audit-Q1-2024.pdf
    ├── Internal-Audit-Q2-2024.pdf
    └── Audit-Findings-Tracker.xlsx
Audit Process
Opening Meeting
Agenda:
├─ Introductions
├─ Audit scope and objectives
├─ Audit methodology
├─ Schedule review
├─ Logistics (workspace, access)
├─ Communication protocols
├─ Questions and clarifications
└─ Duration: 30-60 minutes
Fieldwork
Control Testing Approach:
Example: Testing A.9.2.1 (User Lifecycle)
Design Effectiveness:
├─ Review user provisioning procedure
├─ Review deprovisioning procedure
├─ Assess completeness
└─ Assess alignment with ISO 27017
Operating Effectiveness:
├─ Sample 25 new users from past year
│  ├─ Verify approval documentation
│  ├─ Verify timely provisioning
│  └─ Verify appropriate access
│
├─ Sample 25 terminated users
│  ├─ Verify termination notification
│  ├─ Verify timely deprovisioning
│  └─ Verify complete access removal
│
└─ Sample 1 quarter access review
   ├─ Verify review completion
   ├─ Verify manager certification
   └─ Verify remediation of findings
Results:
├─ Design: Effective
├─ Operating: 1 exception found (delayed deprovisioning)
└─ Finding: Minor (recommendation)
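The "sample 25 terminated users / verify timely deprovisioning" step above, worked as an added example that is not part of the original module: it compares HR termination dates with the date access was actually removed, lists every exception and rates the result with the finding classification used later on this page. The 2-day SLA, the 10% threshold between Minor and Major, the record fields and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed SLA for this example: access removed no later than 2 calendar days
# after the HR termination date (your procedure defines the real value).
SLA_DAYS = 2
# Share of the sample that may fail before exceptions stop being "isolated"
# and the finding is rated Major rather than Minor (threshold is an assumption).
MAJOR_THRESHOLD = 0.10


@dataclass(frozen=True)
class TerminationRecord:
    user: str
    terminated_on: date                # HR termination notification date
    access_removed_on: Optional[date]  # IAM/directory change log; None = still active


def evaluate_deprovisioning(sample: List[TerminationRecord],
                            sla_days: int = SLA_DAYS) -> Tuple[List[Tuple[str, str]], str]:
    """Operating-effectiveness test for the sampled terminated users.
    Returns (exceptions, rating): each user whose access was not removed or was
    removed later than the SLA, plus a rating of Effective / Minor / Major."""
    exceptions = []
    for rec in sample:
        if rec.access_removed_on is None:
            exceptions.append((rec.user, "access still active"))
            continue
        delay = (rec.access_removed_on - rec.terminated_on).days
        if delay > sla_days:
            exceptions.append((rec.user, f"deprovisioned after {delay} days"))
    if not exceptions:
        rating = "Effective"
    elif len(exceptions) / len(sample) <= MAJOR_THRESHOLD:
        rating = "Minor"
    else:
        rating = "Major"
    return exceptions, rating


def build_constructed_sample() -> List[TerminationRecord]:
    """Constructed sample of 25 terminations (not real data): everyone is removed
    the same or next day except user17, 5 days late, the one exception above."""
    start = date(2024, 1, 8)
    sample = []
    for i in range(1, 26):
        terminated = start + timedelta(days=i)
        delay = 5 if i == 17 else i % 2
        sample.append(TerminationRecord(f"user{i:02d}", terminated,
                                        terminated + timedelta(days=delay)))
    return sample
```

The exception list is what goes into the workpapers; the rating is only a starting point for the auditor's judgement.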
Closing Meeting
Agenda:
├─ Summary of audit activities
├─ Preliminary findings
├─ Positive observations
├─ Areas for improvement
├─ Next steps
├─ Timeline for report
└─ Questions and discussion
Duration: 60-90 minutes
Audit Findings
Finding Classification
| Level | Description | Response Required |
|---|---|---|
| Major | Control not implemented or ineffective | Corrective action, may prevent certification |
| Minor | Control partially effective, isolated issue | Corrective action within 30 days |
| Observation | Opportunity for improvement | Optional improvement |
| Positive | Noteworthy practice | Recognition |
Corrective Action Process
Finding Resolution
1. Acknowledge Finding
├─ Understand the issue
├─ Agree or contest
└─ Document response
2. Root Cause Analysis
├─ Identify why it occurred
├─ Determine contributing factors
└─ Document analysis
3. Corrective Action Plan
├─ Immediate fix (if applicable)
├─ Long-term solution
├─ Preventive measures
├─ Timeline
├─ Owner
└─ Resources required
4. Implementation
├─ Execute corrective action
├─ Document implementation
└─ Collect evidence
5. Verification
├─ Test effectiveness
├─ Auditor review
└─ Closure approval
6. Monitor
├─ Ensure sustained compliance
├─ Track in subsequent audits
└─ Continuous improvement
Example Finding and Response
FINDING: Minor Non-Conformity
Control: A.12.4.1 - Event Logging
Reference: ISO/IEC 27017:2015
Description:
CloudWatch logs for production S3 buckets are enabled,
but log retention is set to 30 days. ISO 27017 guidance
and organizational policy require 90-day retention for
access logs.
Evidence:
├─ S3 bucket: prod-customer-data
├─ CloudWatch log group: /aws/s3/prod-customer-data
├─ Current retention: 30 days
└─ Screenshot: CloudWatch-retention-config.png
Impact:
Insufficient log retention may hinder incident
investigation and compliance demonstration.
Root Cause:
├─ Default retention not updated during setup
├─ Configuration checklist incomplete
└─ Automated compliance scan not configured
Corrective Action Plan:
Immediate (Within 7 days):
├─ Update retention to 90 days for all S3 logs
├─ Document current configuration
└─ Owner: Cloud Administrator
Short-term (Within 30 days):
├─ Update S3 bucket configuration checklist
├─ Configure automated compliance check
├─ Scan all log groups for compliance
└─ Owner: Security Team
Long-term (Within 90 days):
├─ Implement Infrastructure-as-Code
├─ Automated compliance scanning (daily)
├─ Include in quarterly internal audit
└─ Owner: Cloud Governance Team
Evidence of Correction:
├─ Updated CloudWatch configuration screenshots
├─ Compliance scan report
├─ Updated checklist
└─ IaC code review
Verification:
├─ Internal audit verification: 2024-03-15
├─ External audit follow-up: Next surveillance
└─ Status: CLOSED
Lessons Learned:
├─ Importance of complete configuration checklists
├─ Value of automated compliance monitoring
└─ Need for Infrastructure-as-Code
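The short-term action "configure automated compliance check / scan all log groups for compliance" from the plan above, as an added example that is not part of the original module: it evaluates CloudWatch log groups in the shape boto3 returns them, flags any retention below the 90-day policy minimum with its shortfall, and computes the percentage reported as the Log Retention Compliance metric. Only the prod-customer-data log group comes from the finding; the other group names, the `fetch_log_groups` helper and its region parameter are assumptions.

```python
from typing import Dict, List, Optional

# Minimum retention from the organizational policy cited in the finding.
POLICY_MIN_RETENTION_DAYS = 90

# Constructed sample in the shape of boto3 describe_log_groups()['logGroups'].
# A missing 'retentionInDays' means the group is set to 'Never expire'.
# Only the first group name is from the finding above; the rest are invented.
CONSTRUCTED_LOG_GROUPS = [
    {"logGroupName": "/aws/s3/prod-customer-data", "retentionInDays": 30},
    {"logGroupName": "/aws/s3/prod-audit-trail", "retentionInDays": 365},
    {"logGroupName": "/aws/lambda/prod-api"},
    {"logGroupName": "/aws/s3/staging-data", "retentionInDays": 60},
]


def check_log_retention(log_groups: List[Dict],
                        minimum_days: int = POLICY_MIN_RETENTION_DAYS) -> Dict:
    """Flag log groups retaining less than the policy minimum.
    Returns the non-compliant groups (with their shortfall) and the compliance
    percentage feeding the 'Log Retention Compliance' metric. 'Never expire'
    satisfies a minimum-retention policy, so it counts as compliant here."""
    findings = []
    for group in log_groups:
        retention: Optional[int] = group.get("retentionInDays")
        if retention is not None and retention < minimum_days:
            findings.append({
                "logGroupName": group["logGroupName"],
                "retentionInDays": retention,
                "shortfallDays": minimum_days - retention,
            })
    total = len(log_groups)
    compliant = total - len(findings)
    pct = 100.0 if total == 0 else round(100.0 * compliant / total, 1)
    return {"findings": findings, "compliant": compliant,
            "total": total, "compliance_pct": pct}


def fetch_log_groups(region_name: str) -> List[Dict]:
    """Pull every log group from CloudWatch Logs with boto3 (read-only API call).
    Imported lazily so the check itself runs offline on the constructed data."""
    import boto3
    client = boto3.client("logs", region_name=region_name)
    groups = []
    for page in client.get_paginator("describe_log_groups").paginate():
        groups.extend(page["logGroups"])
    return groups
```

Run daily and keep the returned dict as the compliance scan report listed under Evidence of Correction; a non-empty `findings` list is what should open a new tracker entry.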
Maintaining Compliance
Continuous Compliance Program
Daily:
├─ Automated compliance scanning
├─ Security event monitoring
└─ Alert review and response
Weekly:
├─ Compliance dashboard review
├─ New finding remediation
└─ Configuration drift detection
Monthly:
├─ Compliance metrics reporting
├─ Control effectiveness review
├─ Evidence collection check
└─ Management review preparation
Quarterly:
├─ Internal audit
├─ Access reviews
├─ Policy review
├─ Risk assessment update
└─ Management review meeting
Annually:
├─ Full control assessment
├─ External audit preparation
├─ Comprehensive risk assessment
├─ Policy updates
└─ Training program review
Compliance Metrics
| Metric | Target | Measurement |
|---|---|---|
| Controls Implemented | 100% | Monthly assessment |
| Control Effectiveness | > 95% | Quarterly testing |
| Audit Findings | 0 major | Per audit |
| Finding Closure Time | < 30 days | Average |
| Training Completion | 100% | Quarterly |
| Access Review Completion | 100% | Quarterly |
| Encryption Coverage | 100% sensitive data | Monthly scan |
| Log Retention Compliance | 100% | Automated check |
Key Takeaways
- Regular audits validate control effectiveness
- Proper evidence collection simplifies audits
- Finding remediation strengthens security
- Continuous compliance reduces audit stress
- Documentation is critical for demonstrating compliance
Self-Assessment
- What are the three main audit types?
- What is the difference between Stage 1 and Stage 2 audits?
- What are the audit finding classifications?
- How should audit evidence be organized?
- What is continuous compliance?