For optimization and certification

Security Audits

Audits are your opportunity to confirm the efficiency and effectiveness of your established ISMS.


500+ customers place their trust in us – from startups to large companies

 

Internal audit

We verify your already established ISMS for effectiveness and identify opportunities for optimization.

 

Supplier audit

We conduct a supplier audit at your service provider and show you how well and effectively their ISMS is operated.

 

Certification audit

You have already established your ISMS and now want to take the final formal step of getting the certification.

Security audits from HvS

Internal audit

Within the framework of internal ISMS audits (1st party audit), your company is put to the test. In principle, this can also be done by an internal colleague. The decisive factor in internal audits is that your established ISMS is audited by an independent authority, in other words someone who has not been involved in setting up or operating the ISMS and therefore does not have "tunnel vision". And this person should have the necessary audit expertise as well as technical expertise in the area of information security and management systems.

If you have an independent body (for example Internal Audit) with the required know-how (e.g. ISO 27001 Lead Auditor), you can perform internal ISMS audits yourself. Otherwise, hire us.

The goal of internal audits is to independently verify that all applicable external requirements (e.g., from laws or contracts with customers) as well as internal security requirements (defined in your own policies and process descriptions) are met - across the entire scope of your ISMS.

In addition, you need proof of internal audits to obtain the necessary certification maturity.

The internal audit consists of a document review (do the policies and processes make sense?) and several interviews with the departments to verify whether the defined rules are actually followed in practice. At the end, you receive a detailed report documenting all identified non-conformities and potential for improvement. You can then prioritize these, transfer them to your action planning, and implement them.

Supplier audit

As part of a supplier audit (also called 2nd party audit), you put one of your key service providers to the test. Your service provider is assessed for compliance with the requirements of the defined test basis (e.g. ISO 27001, another security standard or your own test catalog).

Such audits are particularly recommended for (potential) strategic or important suppliers / service providers, either when initiating a new business relationship with the service provider or as part of service provider management with the aim of reducing the risk of an attack via the service provider.

In a supplier audit, we first define the desired basis for the audit with you, as well as the scope of the audit, depending on the service your service provider delivers for you. We then review the security processes, guidelines and other relevant documentation of your service provider in order to make a statement about the quality of the documents. Next, we conduct interviews with the responsible persons on the supplier side and evaluate the supplier's security maturity level as well as its compliance with the applicable requirements, with the aim of identifying potential weaknesses and opportunities for improvement.

At the end of the supplier audit, all identified non-conformities and proposals for optimization are documented. You can use these as a basis for working with your supplier to achieve the desired security level.  

Certification audit

In a certification audit (also called 3rd party audit) you have already implemented the necessary requirements and would like to clear the last hurdle on the way to certification of your ISMS.

Depending on the standard you want to achieve certification for, we can support you as auditors.

In the KRITIS environment, HvS-Consulting acts as a "suitable auditing body". Therefore, we can perform the KRITIS audit in your company (auditing body HvS-Consulting).

For the standards VDA ISA and ISO 27001, our HvS-Consultants act as auditors on behalf of the certification body TÜV Nord CERT. Since the processing is carried out completely by TÜV Nord CERT, we are happy to put you in contact with them.

We also act as auditors for DVO (EU) 2019/1583 audits as a BSI-approved service provider. If you would like to conduct your audit with us, please feel free to contact us.

 


More HvS security assessments

Social engineering assessments

Professional industrial espionage often involves physical attacks or insider attacks (social engineering), even if the target is in cyberspace. Our social engineering assessments protect your company from social engineering attacks.

Cloud Security Assessments

The cloud - whether IaaS, PaaS or SaaS - can be secure if it is planned and configured correctly. We help you to ensure this! Arrange a cloud assessment appointment with us today.
