We’re going to look at an example of how audit action tracking could be used to help deliver a more robust security management process in an international business.
The Challenge
A global technology firm recognised the increasing complexity of the IT security landscape. With a vast network of systems and applications, the company faced the challenge of effectively identifying, prioritising, and addressing security vulnerabilities. Traditional manual tracking methods were becoming increasingly inefficient, leading to delays in remediation and potential compromise of the confidentiality, integrity and availability of data.
The Solution: Implementing an Audit Action Tracking System
An internal audit team performed ongoing security audits of every department, aligned with the clauses contained in the ISO27001:2022 standard (Information Security Management Systems). Alongside this, automated network monitoring software reported any security issues on the network, while the support desk received information from customers about any security issues found in the company’s products. An external auditor was also contracted to perform annual audits of the entire company’s security processes.
A key challenge was managing the response to any security issues which may have surfaced during these processes. Information was being produced from a variety of sources and there was no consistent approach to recording and actioning any mitigation in response to security issues.
The decision was made to adopt a commercially available action tracking application which provided the following benefits:
- Centralised Tracking: After a vulnerability had been identified during an audit, an action was created to mitigate the issue. The action detailed all relevant information required to perform the task – e.g. attached copies of security logs. A due date for completion of the action was set, and details of any individuals who would need to check and approve the completed action were added. Actions were then directed to the appropriate team or individual. Actions were also stored centrally in a secure cloud-based database, making it easy to see trends and identify bottlenecks where actions had become overdue.
- Automated Workflow Management: Automated workflows were established to inform all stakeholders when actions were created, and to keep relevant people informed as actions moved through the approval process. For example, the company decided to automatically send emails to their PR company at specific points in the remediation of a major security breach – this allowed appropriate external communication to be quickly released to investors.
- Risk-Based Prioritisation: Vulnerabilities were prioritised based on their likelihood and potential impact on the business, enabling the security team to focus on the most critical issues.
- Real-Time Reporting and Analytics: The system generated real-time reports and analytics, enabling the security team to monitor progress, identify trends and make data-driven decisions.
- Enhanced Collaboration: The system facilitated collaboration between IT, security, and business teams, ensuring alignment and accountability.
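The bullets above describe the tracker's behaviour in prose; the following is an added example, not code from the original page or from the commercial product the company adopted, showing how the core of such a system can be modelled: actions carry a source, likelihood and impact, a due date, an owner and named approvers; approval is restricted to the listed approvers; and every state change is written to an append-only log and fans out as a notification. The 1-5 likelihood and impact scales, the open/completed/approved status flow, the role names and the sample actions are all constructed assumptions.

```python
"""Minimal audit action tracker: risk-based priority, approval workflow,
overdue detection and an append-only change log. Constructed example."""
from dataclasses import dataclass, field
from datetime import date

# Sources named on the page; anything else is rejected at creation time.
SOURCES = {"internal audit", "network monitoring", "support desk", "external audit"}


@dataclass
class Action:
    action_id: str
    title: str
    source: str
    likelihood: int          # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int              # assumed scale: 1 (minor) .. 5 (severe)
    due: date
    owner: str
    approvers: list
    attachments: list = field(default_factory=list)   # e.g. log file names
    status: str = "open"                               # open -> completed -> approved
    log: list = field(default_factory=list)            # append-only (who, when, what)

    @property
    def risk_score(self) -> int:
        """Likelihood x impact; higher means address sooner."""
        return self.likelihood * self.impact


class ActionTracker:
    def __init__(self):
        self.actions = {}
        self.notifications = []   # (recipient, message); a real system would email these

    def _record(self, action, who, when, what):
        # Every change is logged and every stakeholder (owner + approvers) is told.
        action.log.append((who, when.isoformat(), what))
        for person in {action.owner, *action.approvers}:
            self.notifications.append((person, f"{action.action_id}: {what}"))

    def create(self, action, created_by, when):
        if action.source not in SOURCES:
            raise ValueError(f"unknown source {action.source!r}")
        if not (1 <= action.likelihood <= 5 and 1 <= action.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        if action.action_id in self.actions:
            raise ValueError(f"duplicate action id {action.action_id}")
        self.actions[action.action_id] = action
        self._record(action, created_by, when, "created")
        return action

    def complete(self, action_id, by, when):
        a = self.actions[action_id]
        if a.status != "open":
            raise ValueError(f"{action_id} is {a.status}, not open")
        a.status = "completed"
        self._record(a, by, when, "completed")

    def approve(self, action_id, by, when):
        a = self.actions[action_id]
        if a.status != "completed":
            raise ValueError(f"{action_id} is {a.status}, not awaiting approval")
        if by not in a.approvers or by == a.owner:   # separation of duties
            raise PermissionError(f"{by} may not approve {action_id}")
        a.status = "approved"
        self._record(a, by, when, "approved")

    def prioritised(self):
        """Unapproved actions, highest risk first, earliest due date breaking ties."""
        live = [a for a in self.actions.values() if a.status != "approved"]
        return sorted(live, key=lambda a: (-a.risk_score, a.due))

    def overdue(self, today):
        """Anything not yet approved whose due date has passed."""
        return [a for a in self.actions.values()
                if a.status != "approved" and a.due < today]

    def bottlenecks(self, today):
        """Overdue count per owner, to spot where actions are piling up."""
        counts = {}
        for a in self.overdue(today):
            counts[a.owner] = counts.get(a.owner, 0) + 1
        return counts


def demo(today=date(2024, 6, 1)):
    """Run constructed sample actions through the tracker and return the reports."""
    t = ActionTracker()
    t.create(Action("A-1", "Patch TLS library on web tier", "network monitoring",
                    4, 5, date(2024, 5, 20), "alice", ["ciso"], ["scan-05-10.log"]),
             "auditor", date(2024, 5, 10))
    t.create(Action("A-2", "Rotate leaked API key", "support desk",
                    2, 5, date(2024, 5, 25), "bob", ["ciso"]), "helpdesk", date(2024, 5, 12))
    t.complete("A-2", "bob", date(2024, 5, 30))
    t.create(Action("A-3", "Review shared admin account", "internal audit",
                    5, 2, date(2024, 6, 15), "alice", ["ciso"]), "auditor", date(2024, 5, 15))
    t.create(Action("A-4", "Update backup retention policy", "external audit",
                    1, 3, date(2024, 5, 1), "carol", ["ciso"]), "auditor", date(2024, 4, 1))
    t.complete("A-4", "carol", date(2024, 4, 20))
    t.approve("A-4", "ciso", date(2024, 4, 25))
    try:                                   # owner is not an approver: must be refused
        t.approve("A-2", "bob", date(2024, 5, 31))
        self_approval_blocked = False
    except PermissionError:
        self_approval_blocked = True
    return {
        "prioritised": [a.action_id for a in t.prioritised()],
        "overdue": [a.action_id for a in t.overdue(today)],
        "bottlenecks": t.bottlenecks(today),
        "a4_log": t.actions["A-4"].log,
        "self_approval_blocked": self_approval_blocked,
        "notifications_sent": len(t.notifications),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The change log is the piece that matters most later in the case study: because `_record` is the only path that mutates state and it always appends who, when and what, the log can be exported as evidence that a specific action was taken on a specific date.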
The Impact
After implementing the audit action tracking system, the company saw rapid ROI:
- Accelerated Remediation: The automated workflows and clear accountability reduced the average time to address vulnerabilities. This was mainly because remediation actions could be directed to the right people, and the centralised reporting improved accountability, creating an environment where staff bought into the benefits of rapidly addressing actions.
- Improved Security Posture: The system helped to identify and address critical vulnerabilities promptly, significantly reducing the organisation’s overall risk exposure.
- Enhanced Compliance: The system ensured compliance with industry standards and regulatory requirements, mitigating the risk of fines and penalties.
- Data-Driven Decision Making: Real-time reporting and analytics enabled the security team to make informed decisions and allocate resources effectively.
- Reduced Exposure to Legal Issues: Because the action tracker kept an accurate record of all changes, the company was able to demonstrate that it had taken specific actions which were key to the settlement of litigation brought by a customer who claimed a financial loss due to missing data. The company had previously acquired a cybersecurity insurance policy which was able to provide financial support purely on the basis that accurate evidence of positive action was available within the system change logs.
- Stronger Security Culture: By fostering a culture of accountability and continuous improvement, the system helped to strengthen the organisation’s overall security posture. The adoption of an action tracking system also strongly supported the company’s achievement of the ISO27001:2022 accreditation, which is the international standard for information security management systems.
Key Takeaways
- A robust audit action tracking system is an essential element in any audit process – whether for a global technology company or a local food manufacturer.
- Automation and workflow management can significantly improve efficiency and reduce human error.
- Risk-based prioritisation helps to focus on the most critical issues.
- Real-time reporting and analytics provide valuable insights for decision-making.
- A good action tracker will maximise the value of audits by ensuring that audit findings are visible and promptly actioned.
At the end of the day, successful audits depend on people – so anything that helps accountability and communication is likely to pay dividends.