Since you don’t have the real chapters in place. Not even on paper.
Since those initial chapters of just any standard you can dream of (Alptraum, you know) have the essence, the principle-based stuff. Whereas the latter ‘chapters’ of any standard regard guidelines or even mere examples for the lazy, of what needs to be done after those initial chapters are working effectively.
Yes, a lot of you may jump directly past the fluff to the annex that has some of the things you understand. The penny-wise stuff. ISO 27001 as a prime example I happen to work with every now and then. Others apply, certainly.
Since for very sure, it is the first few chapters that describe the processes that you need to have (sine qua non), to even be able in the most basic form, to move from unconsciously inept, past consciously inept [I can certainly help with that part!] and consciously able, to … well maybe not unconsciously able – the ideal, but then you lose control, of the ‘provable’ type – but semi-consciously able then.
Only then may you be compliant.
For one, the auditor should, must according to her/his professional standards, only sample, not check in full. The sample(s) are to be determined by the auditor’s risk analysis of your administration. According to the standards that absolutely require them to work efficiently, meaning (s)he does not waste any of her or your money on what should be utterly superfluous testing. When an auditor requires ‘all’ the proof to be handed over in a binder (irrelevant whether electronic or not), they a. don’t know their job, b. are non-compliant with their standards, c. try to drive up your cost for no reason whatsoever; where c. may come close to deceit, fraud.
For another, ‘prove me’ is requiring the firing squad convict to pay for his own bullet. Which is among the most immoral things dreamt up in the sickest of minds. Come to think of it … auditors … shouldn’t!… ‘Provable’ means that if asked, one can (start to) produce the evidence immediately. Pre-produced evidence is suspect, hence useless. Why ask for useless stuff, and then not use it for that ..!? Or use useless stuff still, and lead everyone incl. yourself astray?
The processes involved revolve around risk management of the real type – for now – in which business decisions on what to do or not are based on the risks present, mitigated or not. Only if that is done can one select from the annex those controls that make sense. Yes, there’s tons of non-linearity in that, since the selection also requires one to incorporate the costs involved.
Proof that one has implemented all this is in pertinent records that such weighing has taken place, that decisions have been made on the business side and have been signed off by … not some scapegoat like the CISO or so, but the Board themselves. Yes, they might need to know about some nitty-gritty stuff. Bad luck for them, or they’re simply incompetent! They are the ones ultimately and immediately accountable, their heads are on the block – that’s what they are paid for or they get way too much; the enormous insurance premiums they fetch? Yes. But not heads I win, tails you lose.
(Yes, such proof is of the pre-prepared kind; it can’t be produced on the spot, sometimes long after the fact, and hence needs to be tested in detail.)
Only when such proof exists does one follow on via testing of Design, to some sampling of effective implementation (Existence) of the annex controls. Testing of Design will lead to two things: 1. establishing whether the requirements from the business risk side have been translated properly to frameworks of controls and the controls selection was fitting, 2. establishing the very possibility that the controls selected, if implemented to the max of their efficiency, might in principle lead to appropriate risk reduction (Effectiveness, Working Effectively). Or already, one can point out that the controls selected are (only) fighting yesterday’s war and will fail against today’s and tomorrow’s circumstances – most often, this is the case; certainly when one started at the wrong end by having jumped to the annex too early.
Oh how often [infinitesimally off ALWAYS] does one have no trace of this effectiveness testing of the design. I.e., the auditor does something, but not his work according to her own standards! If this were characterised as Fraud, one couldn’t argue against that. Period.
With Existence testing as a final closure thing, and proof produced on the spot. If not producible, not provable. Note that one needs to repeat this only sparingly; the maintenance of controls design and implementation should have been built into the design, otherwise the design is a failure.
TL;DR Yes, I’m serious. When the Board doesn’t understand the first couple of chapters of some standard, compliance efforts as resistance against change in the Board and business culture are futile. Auditors involved cannot move onward unless this is fixed.
On the bright side:
[“Hey, the sun’s out so who cares we’re running after the emperor’s new clothes compliance standards?” – yes that’s putting it mildly]