Problem solve Get help with specific problems with your technologies, process and projects.

IT auditing applications and tools for ISO 27002 certification

Gaining ISO 27002 certification can be a daunting process, so what auditing tools can help? David Mortman weighs in on how to choose the best auditing tool for your organization.

Our organization is looking to gain ISO 27002 certification and I'm trying to take steps that would make this difficult process a little less difficult. There are a ton of security auditing applications out there, but what I am looking for is an application that I can use to define security parameters that I wish to apply, and then utilize that application to not only audit for non-compliance, but also have it make all (or most) of the changes for me. Do you know of any such application? If not, what process can help us?
What you are looking for is the holy grail of security auditing tools. While there are, in fact, a variety of auditing tools out there, the ones that can audit and also directly apply changes are point products that are designed to handle specific situations. The tools that give you a solid overview of your security status don't have the ability to make the changes you need. Wrapping the two styles of tools together will go a long way toward enhancing security, but you will still be missing a large (if not the entire) portion of the process and policy space.

Fortunately, there are two tools that you (hopefully) already have at your disposal:

  1. A spreadsheet -- As you've probably already discovered, ISO 27002 is broken up into 12 main sections. I recommend creating a spreadsheet with at least one worksheet for each section. From there, break down each section into appropriate policies, procedures and controls. There are several organizations that sell pre-made spreadsheets for this purpose, but keep in mind that ISO 27001/2 is flexible, so even with a commercial product, some editing will be necessary to cover your specific situation. Some auditors will also pre-share their own lists; this is something to consider when negotiating during the contract phase. Regardless of how the spreadsheets are generated, they will serve as a basic outline for measuring your current state, as well as your target state for certification.

  2. Project management skills -- Once you have your spreadsheet, these skills come to bear through the simple -- yet not necessarily easy -- job of prioritizing and implementing the necessary changes to achieve certification. The level of difficulty of prioritization is going to depend heavily on how complete the current information security program is. One way to do this is to take the spreadsheets from above and rate each objective on three metrics:

    1. % complete
    2. criticality
    3. cost to comply

Then add these three numbers together and you'll have some data to compare the tasks to each other. If the company has a more formal risk management process in place, leverage that for the rankings instead.

For more information:

This was last published in February 2009

Dig Deeper on Security audit, compliance and standards

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.