Saturday, November 28, 2009
Do certification audits also suck?
The post "Why do pen-tests suck?" triggered my thoughts, and I started thinking about certification audits. I have had personal experience dealing with ISO 27001 auditors from certifying companies who have very limited knowledge of IT infrastructure and technical areas, and some of them are even from non-IT backgrounds (I have seen audit findings written in all CAPS :-) ). Without this crucial knowledge they will not be able to find any gaps, so the audit will be ineffective. I am also aware of the option/process of having a domain expert present during an audit; perhaps this is not practiced because it might uncover too many gaps that would be expensive to fix. If the certifying companies' auditors did a comprehensive job, I am sure things would change…
Labels: audit, certification, compliance, ISO27001, pen-tests