Evidence for A.5.35 "Independent Review of Information Security" would include:
- Audit Reports: Copies of audit reports produced by independent auditors or internal audit teams, assessing the organization's information security controls, policies, and practices.
- Scope and Objectives: Documentation outlining the scope, objectives, and criteria of the independent review, indicating which aspects of information security were assessed and which were excluded.
- Audit Plan: Evidence of a structured audit plan, including methodologies, sampling techniques, and timelines used to conduct the review.
- Findings and Recommendations: Detailed findings from the independent review, including any identified weaknesses, vulnerabilities, and non-compliance issues, together with the corresponding recommendations for improvement.
- Corrective Actions: Documentation of corrective actions taken in response to identified findings and recommendations, along with evidence of their implementation and effectiveness.
- Follow-Up: Records of follow-up audits or assessments conducted to verify the implementation and effectiveness of corrective actions.
- Auditor Qualifications and Independence: Proof of the qualifications and certifications of the auditors involved in the review, demonstrating their competence in information security, and evidence that they are independent of the area under review (for example, that they do not audit controls they designed or operate).
- Risk Assessment: Documentation indicating how the organization's risk assessment process influenced the scope and focus of the independent review.
- Documentation Review: Evidence of the auditors' examination of relevant documentation, policies, procedures, and controls related to information security.
- Interviews: Notes or transcripts from interviews conducted with key personnel responsible for information security practices and controls.
- Testing Methods: Documentation of the testing methods employed to assess the effectiveness of information security controls, such as vulnerability assessments, penetration testing, or security scanning, including what was in scope and when the testing took place.
- Compliance Assessment: Evidence of compliance with relevant information security standards, frameworks, or regulations, as evaluated through the independent review.
- Third-Party Verification: Records of any third-party certifications or attestations obtained to validate the organization's information security practices.
- Executive Summary: A summary report outlining the key findings, strengths, weaknesses, and overall effectiveness of the organization's information security controls.
- Continuous Improvement: Documentation demonstrating how the organization uses the results of independent reviews to drive continuous improvement in its information security posture.
- Audit Program Management: Evidence of how the organization manages its independent review program, including planning, scheduling, and reporting processes.
- Board and Management Reporting: Documentation of how the findings and recommendations from independent reviews are reported to the organization's board of directors and senior management.
- Evidence of Follow-Up Actions: Proof that recommendations from previous independent reviews were addressed and verified as resolved in subsequent audits.
- Non-Disclosure Agreements: If applicable, copies of non-disclosure agreements (NDAs) or confidentiality agreements signed between the organization and the independent auditors.
- Stakeholder Communication: Documentation of how the results of independent reviews are communicated to relevant stakeholders, such as employees, customers, or regulatory bodies.
- Lessons Learned: Records of lessons learned from previous independent reviews and how they contributed to improving the audit process and information security practices.
By examining these types of evidence, an auditor can assess whether the organization has conducted independent reviews of its information security controls and practices, identified areas for improvement, and implemented corrective actions to enhance its overall security posture.
In addition to the periodic independent reviews, the organization should consider initiating an ad-hoc independent review when:
- laws, regulations or guidelines which affect the organization's information security change;
- significant incidents with an information security impact occur (data loss, intrusion, etc.);
- the organization starts a new business or makes major changes to a current business;
- the organization starts to use a new product or service with information security implications, or changes the use of a current product or service;
- the organization changes its information security controls, policies and procedures significantly.
The outcome of each independent review, and the actions taken in response, should also be discussed in the subsequent management review. Independent reviews may take several forms: internal audits, external assessments by consultants or certified auditors, regulator assessments, and monthly, quarterly or annual management reviews.