The security and compliance audit process is one that many information security pros are becoming increasingly
familiar with. Over the years, many infosec practitioners have mulled the pros and cons of pursuing a certification, and now more face the question of whether to pursue the skills needed to become a certified IT compliance auditor.
While security certification might not be right for all practitioners or all security roles, there are two good reasons to become certified; to whit, certification can open doors to interviews, or allow you to work for agencies that mandate certification under the U.S. Department of Defense directive, DoD 8570.01-M. In the audit world, similarly, there are two specific areas where having a certification is not only useful, but necessary. Those are the roles of Payment Card Industry Qualified Security Assessor (PCI QSA) and ISO 27001 Lead Auditor. In this tip, we'll discuss what it takes to earn an audit certification and the organizational and career benefits of doing so.
How to become an internal IT auditor
In order to audit and certify that a company is officially compliant with PCI DSS, it's necessary to be certified as a PCI QSA. Certification requires passing a written test administered by the PCI Security Standards Council (SSC), having sufficient work experience or holding a qualified certification (five years experience or a CISA, CISM or CISSP), and working for an organization that has been certified to perform PCI DSS assessments.
Becoming certified as a QSA essentially means that you've decided to become (or further specialize) as a consultant, since there isn't a large need for non-consulting companies to have QSAs on staff . However, there is definitely value in QSA training for internal employees, as it will enable those employees to communicate better with their QSAs when the company is being evaluated. As with most control frameworks, PCI DSS has specific definitions for the wording of its requirements that may differ from the standard dictionary definitions, and, as a result, having someone who understands those specific details can help the organization properly prepare for the assessment and potentially save an organization a large amount of time and money. Additionally, since level-one merchants can self-assess, a trained QSA on staff can definitely speed up the assessment process.
ISO 27001, while popular in Europe, has slowly gained ground in the U.S. (especially among companies that do business in the European Union) as the most relevant organizational security certification after PCI DSS. It is increasingly seen as a mark of the maturity of an organization's security group and as a demonstration of its operational discipline. As with many other standards, in order to be compliant with ISO 27001, a company must be certified compliant by a third-party auditor. In the case of ISO 27001, the auditor needs to be someone certified specifically as an ISO 27001 Lead Auditor.
Like a PCI QSA, the Lead Auditor must be an outside consultant, due to the requirements that certification be granted by a third party. However, in the same way that having PCI QSA-trained staff members can aid a company, organizations that are trying to achieve the ISO certification can benefit highly from having employees who have been through the ISO Auditor training. (There is also an ISO 27001 implementer training/certification, which may be helpful to organizations as well).
As with PCI DSS, the terminology used in ISO has specific definitions that, in many cases, vary not only from regular English, but also from other control frameworks. Having employees with this training allows the organization not only to prepare better for the ISO audit, but also to have a common language with its auditors. Compliance with 27001 is so complex that many organizations even have members go to the extent of becoming certified as ISO 27001 internal auditors; the opinions of these certified employees will often have more weight with the external team.
In addition to the regulation-specific certifications detailed above, there is also the Certified Information Systems Auditor (CISA) certification, which covers a broad range of audit frameworks, including COBIT and COSO, both of which are used for Sarbanes-Oxley (SOX) audits. Training for the CISA covers everything from control objectives, business impact analyses (BIAs) and compensating controls for risk management and analysis techniques, all of which would be useful for dealing with HIPAA/HITECH or FTC Red Flags Rule audits as well. The benefits of becoming an auditor, in general, include the additions to a person's skill set, which can look good on a resume, as well as a much greater understanding of the various regulations and legislations a company may need to be compliant with. Additionally, such training provides a different perspective on why and how controls need to be implemented and the value of those controls.
Perhaps most importantly, training as an auditor allows a person to interact with his or her auditors in the same language ; having a common understanding of what each person means when using words and terms like "risk" or "compensating control," for instance, can speed up the audit process immensely. Such training gives a much better idea of what auditors are looking for and what their goals are. This enables infosec pros to more effectively work in partnership with auditors, which can save not only time and money, but also make the security team as a whole more effective in supporting the audit process.
For many infosec professionals, transitioning to an audit role shouldn't be difficult, though IT auditing requires a strong technical background, especially for PCI DSS and ISO 27001 audits. Practitioners who enjoy and are experienced at communicating with management will find the transition even easier. Most proactive enterprises will already have training initiatives in place to keep their employees educated, and these initiatives will likely include an audit track; if not, using the information included above may be a creative way to blaze a new and challenging career path within your organization.
About the author:
David Mortman is a contributing analyst with Securosis LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.