| When Supply Chain Audits go wrong...
Engagement: Contracted to perform a three-day security supply chain audit.
Client request: The senior management team had for some time felt that things were not right, and that common issues and threads were not being rectified at the Company to be visited.
Brief: Review all security processes against ISO 27001, determine what was going wrong, and benchmark the Company against the other suppliers you have seen and that we use.
Company being audited: Manufacturing and maintenance sector, certified to security and management system standards (ISO 9001, ISO 27001, PCI DSS etc.) for several years. The compliance team and the consultant had built up a strong working relationship that defended everything they had achieved but failed to look at improvements; some might say it barred the way for others to enter their world.
Approach:
- Establish what knowledge and information about the Company was floating around in the outside world.
- Visit the secure site and walk through the security system they had established; review internal audit, certification and accreditation reports.
Opening meeting with the management team and consultant to go through how the review would take place and how reporting and benchmarking would work. I agreed to give them an overview of my findings and allow 10 days for them to provide any extra evidence.
“We are ready for this audit and because of the good work the team does we have never had a ‘non-conformance’ for certification in over five years; we would expect a couple of ‘opportunities for improvement’ or ‘observations’ from this audit…”
Outcome: good points
- With the assistance of an ISMS consultant the compliance team had developed a well-structured statement of applicability.
- Finance and HR control procedures that met all the requirements of a management system, operationally it was as good as it could be.
- Manufacturing and control procedures all in place and records available.
Outcome: areas of concern
The management-system controls (ISO 27001 clauses 4 to 10) were not as well established, and not fully understood. Key points identified:
- The information security manual, including the management policy and scope, had not changed since ISO/IEC 27001:2005.
“…The standard has not changed that much, and the certification auditor has never highlighted it…”
- The Company risk and issues log had 5 items, none of which related to security.
"...we don't have any risks to capture..."
- The internal audit schedule focused on quality; no extra time was given to the key security components of the Company's manufacturing process, and no time at all to the Annex A controls.
“…we have never had a problem before…”
- The management review would be undertaken every three years.
“...the standard does not specify a review period…”
- Improvement plan or process not established.
“…we have not had any notable findings…”
- Operational day-to-day risks and issues were not captured.
“…we don’t have any…”
- IT team used an external company to manage their systems.
“…they look after the complete system, all documents and records in relation to our IT systems are with them. We trust them…”
- Change control, patching and release: no in-house process.
“…our IT provider looks after that…”
- The website's SSL/TLS certificate was a shared certificate listing 20 companies in its subject alternative names, none of them the Company's own.
“…our IT provider looks after that…”
- Backups and configuration management for in-house systems were not undertaken.
“…our IT provider looks after those controls…”
- Do you ever audit the IT provider?
“…No! Do you think we should?…”
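The shared certificate finding above is the one item in this list that can be checked mechanically rather than by interview, and it is the kind of check an auditor can run before setting foot on site. The following is an added example in Go, not code from the original audit or from the Company or its provider: it parses a DER-encoded leaf certificate, reports whether the certificate actually covers the hostname the Company expects, and separates the subject alternative names that belong to the Company from those naming other organisations. Because it has to run offline, the certificate it examines is constructed in memory as a stand-in for the 20-company certificate described above; the hostnames company.example and tenantNN.example are assumptions. A real audit would feed AuditLeafCert the leaf certificate the provider actually serves, for example the first element of the peer certificate chain from a TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertReport is what the auditor records for one leaf certificate.
type CertReport struct {
	CoversOurHost bool      // does the certificate match the host we expected?
	OurNames      []string  // SAN entries that belong to the audited company
	OtherNames    []string  // SAN entries that name someone else
	Issuer        string    // who issued it (the provider's CA, a public CA, ...)
	NotAfter      time.Time // expiry, for the renewal question
}

// AuditLeafCert parses a DER-encoded leaf certificate and checks whether it
// covers ourHost, then sorts every DNS SAN into "ours" or "someone else's".
// A name is ours if it equals ourHost, equals ourSuffix, or is a subdomain
// of ourSuffix. VerifyHostname applies the same matching rules a TLS client
// would, wildcards included.
func AuditLeafCert(der []byte, ourHost, ourSuffix string) (CertReport, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return CertReport{}, err
	}
	rep := CertReport{
		CoversOurHost: cert.VerifyHostname(ourHost) == nil,
		Issuer:        cert.Issuer.String(),
		NotAfter:      cert.NotAfter,
	}
	for _, name := range cert.DNSNames {
		if name == ourHost || name == ourSuffix || strings.HasSuffix(name, "."+ourSuffix) {
			rep.OurNames = append(rep.OurNames, name)
		} else {
			rep.OtherNames = append(rep.OtherNames, name)
		}
	}
	return rep, nil
}

// SelfSignedWithSANs builds a self-signed certificate carrying the given SAN
// list. It exists only to construct sample input so the audit runs offline;
// a real audit reads the certificate the provider actually serves.
func SelfSignedWithSANs(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// SharedProviderCertSANs is a constructed stand-in for the 20-company
// certificate in the findings: twenty hostnames, none of them the Company's.
// The tenantNN.example names are assumptions made for this example.
func SharedProviderCertSANs() []string {
	var sans []string
	for i := 1; i <= 20; i++ {
		sans = append(sans, fmt.Sprintf("www.tenant%02d.example", i))
	}
	return sans
}

func main() {
	der, err := SelfSignedWithSANs("shared.hosting.example", SharedProviderCertSANs())
	if err != nil {
		panic(err)
	}
	// company.example is the assumed domain of the audited company.
	rep, err := AuditLeafCert(der, "www.company.example", "company.example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("covers www.company.example: %v\n", rep.CoversOurHost)
	fmt.Printf("issuer: %s, expires: %s\n", rep.Issuer, rep.NotAfter.Format(time.RFC3339))
	fmt.Printf("our names: %d, other organisations' names: %d\n", len(rep.OurNames), len(rep.OtherNames))
	for _, n := range rep.OtherNames {
		fmt.Println("  ", n)
	}
}
```

Two things to read off the report. If CoversOurHost is false, browsers are either warning visitors or the site is being reached through a name the Company does not control, and either way the provider has never been asked the question. If OtherNames is long, one private key is serving every organisation on that list, so the Company's TLS security is only as good as the weakest tenant and the provider's key handling, which is exactly the "do you ever audit the IT provider?" question in a concrete form.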
I have considered what may have caused the problems:
- They never stood back for a closer look.
- Very little understanding of a Management System.
- No impartiality was in place.
- It may have been good when they started, but over time it had weakened.
- Weak internal and external audit findings had done them no favours.
Other areas of note:
- The consultant never left the room; they felt any issue was pointed directly at them and not at the underlying management system.
- At every turn they demanded evidence from the standard, and even when evidence was presented in the form of chapter and verse from the ISO 27000 series it was only reluctantly noted.