To assess compliance with A.5.36 "Compliance with Policies, Rules, and Standards for Information Security," an information security auditor would need to review a variety of evidence and documentation to ensure that an organization is effectively adhering to its established policies, rules, and standards for information security. Here is a list of evidence that an auditor may require:
- Information Security Policies: Copies of documented information security policies, rules, and standards that the organization has established. These documents should outline the requirements, expectations, and guidelines for information security practices.
- Policy Review and Approval: Documentation showing the approval process for information security policies and procedures, including signatures from senior management or relevant stakeholders.
- Communication of Policies: Records of how information security policies are communicated to employees and other stakeholders within the organization.
- Employee Training Records: Evidence of employee training and awareness programs related to information security policies and standards.
- Policy Acknowledgment: Documents or logs showing that employees have acknowledged and understood the organization's information security policies.
- Policy Implementation: Records demonstrating how the organization has translated information security policies into actionable controls and practices.
- Documented Procedures: Detailed procedures, guidelines, or work instructions that provide step-by-step instructions for implementing specific security controls based on the established policies.
- Conformance Monitoring: Documentation detailing how the organization monitors adherence to its information security policies, rules, and standards.
- Exception Handling: Records of any exceptions or deviations from established policies, along with explanations and justifications for such exceptions.
- Incident Reports: Records of any incidents or breaches related to non-compliance with information security policies, along with actions taken to address them.
- Audit Findings: Reports from internal or external audits, assessments, or reviews that highlight areas of non-compliance or potential gaps with established policies.
- Corrective Actions: Documentation of corrective actions taken in response to identified policy violations or non-compliance issues.
- Policy Updates: Proof of how the organization updates its information security policies, rules, and standards to reflect changes in technology, regulations, or business operations.
- Evidence of Monitoring: Logs, reports, or tools that show ongoing monitoring of systems, processes, and user activities to ensure compliance with established policies.
- Third-Party Assessments: Documentation from third-party assessments or certifications that validate the organization's compliance with specific standards or frameworks.
- Management Reporting: Records demonstrating how compliance with information security policies is reported to senior management or the board of directors.
- Review of Access Controls: Evidence of regular reviews of user access rights and permissions to systems and data, ensuring that they align with established policies.
- Configuration Management: Documentation showing how configuration management processes align with information security policies and standards.
- Change Management: Records demonstrating how changes to systems, applications, and configurations are reviewed against established policies before implementation.
- Performance Metrics: Data indicating key performance indicators (KPIs) related to compliance with information security policies, rules, and standards.
- Documentation Retention: Proof of how records related to compliance with policies are retained and managed over time.
By examining these types of evidence, an auditor can determine the extent to which an organization complies with its information security policies, rules, and standards and whether there are any areas of non-compliance that need to be addressed.
Managers, service, product or information owners should identify how to review that information security requirements defined in the information security policy, topic-specific policies, rules, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.
If any non-compliance is found as a result of the review, managers should:
- identify the causes of the non-compliance;
- evaluate the need for corrective actions to achieve compliance;
- implement appropriate corrective actions;
- review the corrective actions taken to verify their effectiveness and identify any deficiencies or weaknesses.
Results of reviews and corrective actions carried out by managers, service, product or information owners should be recorded, and these records should be maintained. Managers should report the results to the persons carrying out independent reviews when an independent review takes place in the area of their responsibility.
Corrective actions should be completed in a timely manner as appropriate to the risk. If not completed by the next scheduled review, progress should at least be addressed at that review.
Technical compliance should be reviewed, either by IT or as part of an independent review, preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Technical compliance reviews are also performed by many organizations. From vulnerability and DLP (data loss prevention) assessments to penetration testing, there are a number of technical solutions available to help information security teams conduct effective reviews of IT infrastructure and the information life cycle (processing, transmitting, storing). Some of these tools can disrupt business and IT operations if used by untrained individuals, which leads some campuses to use third parties for these purposes. However, these examinations are just a ‘snapshot’ at a point in time and must be repeated at recurring intervals in order to become an effective method or process.
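The following is an added example, not code from the original article or from any standard or vendor tool: it sketches the automated technical compliance review described above, measuring observed host settings against rules taken from a documented standard, and adds the corrective-action handling from the manager duties listed earlier (risk-scaled due dates and a check of what is still open at the next scheduled review). The rule identifiers, hosts, settings and remediation deadlines are all constructed sample data.

```python
# Added illustration of an automated technical compliance review with
# corrective-action tracking (not from any standard or vendor tool). Rule ids,
# hosts and settings below are constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Assumed remediation deadlines per risk rating (days), not from the standard.
REMEDIATION_DAYS = {"high": 7, "medium": 30, "low": 90}
@dataclass
class Rule:
    rule_id: str      # clause reference in the organization's standard
    setting: str      # configuration key the tool measures
    expected: object  # value the standard requires
    risk: str         # high / medium / low
@dataclass
class Finding:
    host: str
    rule: Rule
    observed: object
    due: date                         # corrective-action deadline
    closed_on: Optional[date] = None  # set once the action is verified
RULES = [Rule("STD-AC-1", "password_min_length", 14, "medium"),
         Rule("STD-LOG-2", "audit_logging", True, "high"),
         Rule("STD-NET-3", "ssh_root_login", False, "high")]
# Constructed "observed" settings, as an automated collector would report them.
HOSTS = {"web01": {"password_min_length": 14, "audit_logging": True, "ssh_root_login": False},
         "db01": {"password_min_length": 8, "audit_logging": False, "ssh_root_login": False},
         "app02": {"password_min_length": 14, "ssh_root_login": True}}  # audit_logging absent
DEMO_TODAY = date(2024, 1, 15)

def review(hosts, rules, today):
    """Measure every host against every rule. An absent setting is treated as
    non-compliant because nothing demonstrates the requirement is met."""
    findings = []
    for host, settings in hosts.items():
        for r in rules:
            observed = settings.get(r.setting)
            if observed != r.expected:
                due = today + timedelta(days=REMEDIATION_DAYS[r.risk])
                findings.append(Finding(host, r, observed, due))
    return findings

def open_at_next_review(findings, next_review):
    """Findings due before the next scheduled review whose action is still open."""
    return [f for f in findings if f.closed_on is None and f.due < next_review]

def report(findings):
    """Technical report lines for interpretation by a specialist."""
    return [f"{f.host} {f.rule.rule_id} {f.rule.setting}: observed={f.observed!r} "
            f"expected={f.rule.expected!r} risk={f.rule.risk} due={f.due}" for f in findings]
```

Because the review is a snapshot, the same run has to be repeated at each interval and the open findings carried forward, which is what `open_at_next_review` reports.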