IT Security & The Internal Audit

The Internal Audit & Your IT Security

Usual conversation openers are "Where do you work?" or "What do you do?" If you work for the Revenue or are an Auditor, you are safe enough in the knowledge that the conversation just initiated will probably end quite quickly.

Internal Audit will struggle to stand up against mountaineer or neurosurgeon as an exciting job; however, now that I find myself working as an Internal Auditor, the role is not as dull as I initially thought. As the Internal Auditor, you are a professional who helps your organisation achieve and go beyond best practice, comply with regulation and legislation and, quite simply, add value. This certainly sounds like a job description that many would be very interested in.

But why would an organisation have a need for an Internal Auditor?

The answer to this question varies by organisation and the reach of the role also differs depending on the answer. At Intuity we place a major emphasis on Security and IT Security. With both ice cube and tec support operating under the Intuity Technologies banner – it has been a body of work to ensure that we all continue to grow as one united organisation and a key element of this is that our Security Standards are aligned.

Living the ISO27001 Standard

Ice cube received their first ISO 27001 Certification in 2011 and, at the time, were one of the first organisations in the country to do so. Since then the team have been living the ISO 27001 standard. It is a requirement of the standard to have an appointed internal auditor; however, obligations aside, it has been invaluable to our organisation. The maintenance and improvement of our ISO Certification has seen us achieve the revised and improved ISO 27001:2013 certificate in 2016 and expand the scope of our certification. As the Internal Auditor for our ISO 27001 Information Security certification, I understand both our business and the certification requirements. I do not attend the fortnightly Information Security meetings and therefore can ask the difficult questions and provide suggestions on opportunities for improvement.

When ice cube merged with tec support in late 2014, one of the primary agendas on the table was how we would align and merge our security standards – we took this approach:

  • Living the ISO Standard every day.
  • Ongoing internal training.
  • Expanding the committee and sharing responsibility for ISO tasks.

The appointment of an ISO Information Security Committee meant that the team truly bought into ISO. As the Internal Auditor, I then was gifted with internal ambassadors and advocates for the “cause”. Together we work through internal audits from each external audit to the next, and we were proud and excited when, in late 2016, Intuity Technologies also achieved ISO 27001:2013 Certification.

How GDPR makes Internal Audits more important

As we rapidly approach the date of the GDPR, the ISO Internal Audit function will play a more crucial role. While being ISO 27001 certified does not automatically mean we are ready for next May, it does mean that we are very close to it. Because of our experience, we can identify the areas requiring attention prior to the regulation date. We understand the importance and value of Information Security to our customers’ and our own businesses. We are continually implementing new technologies to protect the confidentiality and integrity of our organisation’s data, both internally and from external threats. We also recognise that the key to protecting data is user awareness. It is only when both are combined correctly that you can truly achieve security around data and protect your organisation’s assets and reputation.

You may not require an Information Security Committee or have any interest in attaining a recognised Information Security standard, but I would recommend that you start including Information Security as a core part of your business. The data you own and process is an asset, a valuable one, and it is often confidential. You will be obligated by law to treat data in a particular way come May 2018.