Audit Preparation

Thorough preparation is essential for successful ISO 27019-aligned and regulatory audits. OT security audits have unique considerations compared to IT audits.

Types of Audits

Internal Audits

Self-assessment of ISMS effectiveness
Identify gaps before external audits
Preparation for certification
Continuous improvement

External Audits

ISO 27001 certification audits (Stage 1 and Stage 2)
NERC CIP compliance audits
Regulatory inspections
Customer or partner audits

Surveillance Audits

Annual follow-up after certification
Verify continued compliance
Review changes
Sample control testing

OT-Specific Audit Considerations

Safety and Operational Constraints

Cannot Demonstrate Everything Live

Cannot take systems offline for testing
Cannot disable safety systems
Cannot run invasive scanning tools
Cannot disrupt operations

Alternatives:

Documentation of procedures and configurations
Photos/videos of previous exercises
Test environment demonstrations where available
Interviews with operational staff

Physical Access Restrictions

Auditors accessing OT facilities:

Safety training may be required
Escort by operations staff mandatory
Restricted to certain areas
Some areas may require photos/videos instead of physical access
No disruption to active operations

Legacy System Limitations

Common Audit Findings:

Systems lack individual user accounts (shared credentials)
No logging capabilities on older devices
Patching not feasible due to vendor support or operational risk
Modern security controls not compatible

How to Address:

Document compensating controls clearly
Explain operational constraints with evidence
Show documented risk acceptance by management
Demonstrate alternative protections (network segmentation, physical security)

Audit Preparation Checklist

Documentation Review

Policies and Procedures:

Information security policy current and approved
OT security policy specific to control systems
All procedures documented and up to date
Document version control maintained
Documents accessible to audit team

Risk Management:

Risk assessment completed and current
Risk treatment plans documented
Residual risks accepted by management
Risk register maintained

Asset Management:

Complete asset inventory
Criticality classifications
System owners identified
Network diagrams current

Access Control:

User access lists current
Privileged access documented
Access reviews completed
Vendor access procedures documented
Access logs available

Change Management:

Change control procedures
Change records for sample period
Testing documentation
Approval records

Incident Management:

Incident response plan
Incident logs and records
Lessons learned documented
Exercise records

Training and Awareness:

Training curriculum documented
Attendance records
Competency assessments
Awareness campaign materials

Evidence Preparation

Logs and Records:

Authentication logs
Change logs
Incident logs
Patch management records
Vulnerability scan results
Access review records
Training records
Meeting minutes (management review, steering committee)

Technical Evidence:

Firewall rule sets
Network diagrams (logical and physical)
System configurations
Backup verification records
DR test results

Organize Evidence:

Create evidence repository
Index all documents
Ensure logs are searchable
Prepare evidence cross-reference to requirements

Team Preparation

Assign Roles:

Audit coordinator (primary contact)
Technical experts for each domain
Operations representatives
Management representatives

Briefing:

Review audit scope and schedule
Clarify roles and responsibilities
Review documentation location
Practice interview responses
Establish communication protocols

Mock Audit:

Internal audit as dry run
Identify gaps
Practice evidence presentation
Refine responses to expected questions

During the Audit

Opening Meeting

Introductions
Confirm scope and schedule
Logistics and facility access
Safety briefing for auditors
Questions and clarifications

Document Review

Provide requested documents promptly
Explain context where needed
Track all requests
Note any unavailable items

Interviews

Answer honestly and directly
Don'''t guess - say "I'''ll find out" if unsure
Stay in your area of expertise
Ask for clarification if question unclear
Keep answers concise

Site Visits

Coordinate with operations
Ensure safety compliance
Arrange escorts
Prepare staff who will be interviewed
Have contact info for technical questions

Closing Meeting

Review findings
Ask for clarification on any issues
Understand severity classifications
Confirm next steps and timelines

Handling Findings

Non-Conformities (NCs)

Major NC: Significant gap that affects ISMS effectiveness Minor NC: Isolated lapse or gap that doesn'''t significantly impact ISMS

Response Process:

Understand the root cause of the finding
Develop corrective action plan with timeline
Implement corrections
Collect evidence of correction
Submit to auditor within required timeframe (typically 30-90 days)
Implement preventive measures

Observations

Not required to address, but opportunities for improvement
Consider for continuous improvement program
May become requirements in future standards
Document decision on whether to address

Best Practices

Don'''t argue with auditor
Ask questions if finding is unclear
Focus on solutions, not excuses
Document everything
Use findings to improve

Post-Audit Activities

For Certification Audits:

Address all NCs within timeline
Provide evidence to certification body
Receive certificate upon satisfactory closure
Plan for surveillance audits

For Regulatory Audits (NERC CIP):

Address violations with mitigation plans
Submit compliance filings
Track to closure
Prevent recurrence

Continuous Improvement:

Analyze root causes of all findings
Update procedures to prevent recurrence
Share lessons learned across organization
Plan improvements for next audit cycle

Next Lesson: Continuous improvement and ongoing operations of OT security program.