Information Security Audits: Why You Should Take Certifications with a Grain of Salt
Oct 31, 2024
When it comes to information security, certifications and audits are often seen as a gold standard. They provide the reassurance that a company is taking the right steps to protect its data, whether through standards like ISO 27001, SOC 2 Type II, or compliance frameworks such as HIPAA, PCI DSS, or the FTC Safeguards Rule. But here's the thing: just because a vendor or partner waves a certification around doesn't mean their information security is airtight.
In this article, we’ll break down what information security audits entail, explore the limitations of relying too heavily on certifications, and explain why it’s important to conduct security audits regularly and take a comprehensive approach when reviewing vendors or partners—certified or not.
What Are Information Security Control Gap Assessments and Audits?
Information security audits, and the control gap assessments that usually precede them, are evaluations of whether a company is adhering to the standards, policies, and regulations designed to protect data. A gap assessment compares the current state against a chosen standard to find what is missing before a formal audit; the audit itself verifies that specific controls, such as password policies, access controls, and encryption methods, are implemented and operating as described.
Auditors will select a handful of systems, devices, or instances to test these controls. They will review these samples to confirm that they are functioning as expected and complying with the relevant standard. If everything checks out, the company gets a nice, shiny report or certification saying, "Congratulations! You’re compliant (at least for the things we checked)."
There are two major types of audits worth mentioning:
- Internal Audits: These are conducted within an organization for internal purposes. They help a company evaluate its own security posture and identify any gaps or vulnerabilities before they can become a bigger issue. Internal audits are often less formal, and the results may not be shared externally.
- External Audits: These are formal evaluations performed by third-party auditors. The results are typically used to demonstrate compliance to customers, regulatory bodies, or potential business partners. An ISO 27001 certificate or a SOC 2 Type II report is the output of an external audit, produced to show the world that a company meets certain security standards.
Importance of Security Audits
Security audits are a crucial component of any organization’s risk management strategy. They play a vital role in identifying security vulnerabilities, ensuring compliance with regulatory requirements, and protecting sensitive data from potential breaches. By conducting regular security audits, organizations can assess the effectiveness of their security controls, identify areas for improvement, and implement proper security measures to mitigate risks.
Security audits help organizations stay ahead of potential threats by providing a clear picture of their current security posture. They allow businesses to pinpoint weaknesses in their security controls, whether it’s outdated software, insufficient access controls, or gaps in network security. By addressing these vulnerabilities proactively, companies can significantly reduce the risk of a data breach.
Moreover, security audits are essential for maintaining compliance with various regulatory requirements. Whether it’s GDPR, HIPAA, or PCI DSS, adhering to these regulations is not just about avoiding fines—it’s about safeguarding sensitive data and maintaining customer trust. Regular audits ensure that an organization’s security measures are up to date and in line with the latest regulatory standards.
In addition to compliance, security audits foster a culture of continuous improvement. They provide actionable insights that help organizations refine their security policies and practices. This ongoing process of evaluation and enhancement is key to building a robust security program that can adapt to evolving threats.
Taken together, these benefits make security audits indispensable to risk management. The sections below explain why, despite that, a passed audit is not sufficient evidence on its own.
Certification Audits: ISO 27001 and SOC 2 Type II
Two of the most common certifications for information security are ISO 27001 and SOC 2 Type II.
- ISO 27001: This is an international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Companies certified to ISO 27001 must demonstrate that they have implemented a framework for managing information security risks; the certificate attests to the management system, not to the security of any particular product or server.
- SOC 2 Type II: Strictly speaking this is an attestation report issued by a CPA firm rather than a certification, and it is used primarily in the U.S. It evaluates how a company manages customer data against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A Type II report requires the company to show evidence that its controls operated effectively over a period of time (commonly 6 to 12 months), as opposed to a Type I report, which describes the controls at a single point in time.
Both can be valuable indicators of a company's commitment to security, but they don't tell the whole story.
The Sampling Dilemma: How Much Is Really Being Checked?
Here's where things start to get tricky. Certification audits are based on sample testing. Auditors can't realistically evaluate every device, system, or control, so they select a small number of instances to review, typically only a handful per control, with the count driven by how often the control operates rather than by how many systems it covers.
Let's break down the math. Under a binomial sampling plan, if 11 samples are tested without finding a single issue, the auditor can state with 95% confidence that the population is at least 70% compliant with the tested controls. Read the other way round: a clean result on 11 samples is still consistent with as much as 30% of the systems or control instances being non-compliant.
To be 95% confident that the control is followed at least 95% of the time, the plan calls for sampling 72 instances of that control. The sheer time required to do that would make any auditor run for the hills, and the cost would be prohibitive for practically all organizations. This isn't to knock auditors, who are working within the constraints of time, cost, and practicality, but it highlights the inherent limitation of certification audits: the confidence they provide is bounded by the sample size, and the sample size is small.
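The relationship between sample size, confidence, and the compliance rate an audit can actually support is worth computing rather than quoting. The following is an added example, not part of the original article: it implements the standard zero-failure (and, more generally, k-failure) binomial confidence bound used in attribute sampling, so you can check any sample size yourself. For zero failures the one-sided lower bound on the compliance rate is simply (1 - confidence) raised to the power 1/n; the plan figures quoted above (11 and 72 samples) are slightly more conservative than this exact bound, which is why the code reports 9 and 59 for the same targets.

```python
"""Attribute-sampling math for audit sample sizes (added example).

Model: each sampled item is independently compliant with probability `compliance`
(binomial). Given the audit observed at most k non-compliant items in n samples,
we ask what compliance rate that evidence supports, and how many samples are
needed to support a target rate.
"""
import math


def prob_at_most_k_failures(n: int, k: int, compliance: float) -> float:
    """Probability that at most k of n sampled items are non-compliant when
    the true population compliance rate is `compliance`."""
    q = 1.0 - compliance
    return sum(math.comb(n, i) * q**i * compliance ** (n - i) for i in range(k + 1))


def lower_bound_compliance(n: int, k: int, confidence: float = 0.95) -> float:
    """One-sided lower confidence bound on the compliance rate after seeing
    k failures in n samples (exact binomial / Clopper-Pearson bound).

    It is the compliance rate at which the observed clean-ish result would
    occur with probability (1 - confidence); any lower rate is ruled out.
    For k == 0 this equals (1 - confidence) ** (1 / n).
    """
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    # prob_at_most_k_failures is monotone increasing in `compliance`, so bisect.
    for _ in range(100):
        mid = (lo + hi) / 2.0
        if prob_at_most_k_failures(n, k, mid) < alpha:
            lo = mid
        else:
            hi = mid
    return lo


def confidence_of_at_least(n: int, k: int, rate: float) -> float:
    """Confidence that true compliance is at least `rate`, given at most k
    failures in n samples: one minus the chance a population sitting exactly
    at `rate` would have produced such a result."""
    return 1.0 - prob_at_most_k_failures(n, k, rate)


def samples_required(target_rate: float, confidence: float = 0.95, k: int = 0) -> int:
    """Smallest n such that observing at most k failures in n samples supports
    'compliance >= target_rate' at the given confidence."""
    n = k + 1
    while lower_bound_compliance(n, k, confidence) < target_rate:
        n += 1
    return n


if __name__ == "__main__":
    # What does a typical tiny sample actually support?
    for n in (3, 5, 11, 25, 72):
        print(f"{n:3d} clean samples -> compliance >= {lower_bound_compliance(n, 0):.1%} at 95% confidence")
    # How big must the sample be to support a target at 95% confidence?
    for target in (0.70, 0.90, 0.95, 0.99):
        print(f"target >= {target:.0%}: {samples_required(target)} clean samples, "
              f"{samples_required(target, k=1)} samples if one failure is tolerated")
```

Five clean samples, a common size for a control that operates weekly, only supports a compliance rate of about 55% at 95% confidence; that is the practical meaning of "we checked a handful of systems and found nothing". Tolerating one failure raises the required sample size further, which is why plans that allow failures quote larger numbers than the zero-failure bound.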
Certifications Aren’t a Get-Out-of-Jail-Free Card for Data Security
Seeing an ISO 27001 or SOC 2 Type II certification from a vendor or potential business partner can make you feel all warm and fuzzy inside, but that doesn't mean you can ignore the risks. Certifications are just one piece of the puzzle. They show that the company was compliant, to the degree the sample could establish, with the controls that were tested during the audit period, and only for the systems and locations inside the audit's scope.
This is especially important in today’s environment, where businesses rely on third-party vendors for cloud services, software, and even physical infrastructure. You might assume that because your vendor has a security certification, they’re perfectly safe to work with—but that assumption could cost you. As we’ve discussed, those certifications only give you a snapshot of compliance, and they’re based on limited sampling.
In other words, don’t let a certificate on the wall make you complacent. You still need to perform your own due diligence to assess the actual risk associated with the relationship. This might include:
- Reviewing the scope of the certification: What systems or controls were actually tested during the audit? Are they relevant to your business and the services you're using?
- Requesting additional information: Ask the vendor for evidence of their internal security practices. Are they conducting regular internal audits? How are they managing risks that fall outside the scope of their certification?
- Monitoring continuously: Security is not a "set it and forget it" situation. It's important to regularly review your vendor's security practices and assess whether any new risks have emerged.
The Bigger Picture: Central Management and Continuous Review
The limitations of certification audits make one thing clear: central management and continuous review of security controls are critical. Rather than relying solely on an audit that reviews a tiny sample of systems, businesses need to have a centralized system for managing and monitoring security controls across their entire environment.
Central management systems allow organizations to:
- Monitor compliance in real time: Instead of waiting for an audit to tell you whether you're compliant, you can track the status of your security controls across all systems.
- Identify and address issues faster: When a vulnerability or non-compliance issue arises, a central management system can help you spot it quickly and take action before it becomes a major problem.
- Reduce the need for excessive sampling: When a control's status is recorded for every system, the evidence covers the whole population rather than a sample. You gain a high level of confidence that your controls are being followed across the board, and auditors can test the full population export instead of picking a handful of instances.
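To make the contrast concrete, here is an added example (not code from the original article) of the kind of whole-population control check a central management system performs. The inventory, host names and the three controls are constructed for illustration; in practice the records would come from your configuration management or endpoint platform. The last function computes, for a finite population, the chance that a random audit sample of a given size lands entirely on compliant hosts and so never sees the failures the full evaluation finds.

```python
"""Whole-population control evaluation versus a small audit sample (added example)."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Host:
    name: str
    disk_encrypted: bool
    mfa_enforced: bool
    days_since_patch: int


# Constructed inventory (not real data): 20 hosts, four of which fail at least one control.
INVENTORY: List[Host] = [
    Host(
        name=f"srv-{i:02d}",
        disk_encrypted=i not in (3, 11),     # two hosts without disk encryption
        mfa_enforced=i != 7,                 # one host with MFA switched off
        days_since_patch=45 if i == 16 else 10,  # one host past the 30-day patch window
    )
    for i in range(20)
]

# Each control is a predicate over a host; add or swap checks as your standard requires.
CONTROLS: Dict[str, Callable[[Host], bool]] = {
    "disk_encryption": lambda h: h.disk_encrypted,
    "mfa_enforced": lambda h: h.mfa_enforced,
    "patched_within_30d": lambda h: h.days_since_patch <= 30,
}


def evaluate(inventory: List[Host], controls: Dict[str, Callable[[Host], bool]]) -> dict:
    """Evaluate every control against every host.

    Returns the population-wide compliance rate (over host x control pairs)
    and, per control, the names of hosts that fail it."""
    findings = {
        name: [h.name for h in inventory if not check(h)]
        for name, check in controls.items()
    }
    total_checks = len(inventory) * len(controls)
    failed = sum(len(names) for names in findings.values())
    return {"rate": 1.0 - failed / total_checks, "findings": findings}


def hosts_failing_any(inventory: List[Host], controls: Dict[str, Callable[[Host], bool]]) -> List[str]:
    """Sorted names of hosts that fail at least one control."""
    return sorted({h.name for h in inventory for check in controls.values() if not check(h)})


def chance_clean_sample(population: int, noncompliant: int, sample_size: int) -> float:
    """Probability that a random sample of `sample_size` hosts, drawn without
    replacement from `population` hosts of which `noncompliant` are failing,
    contains no failing host (hypergeometric)."""
    if sample_size > population - noncompliant:
        return 0.0
    return math.comb(population - noncompliant, sample_size) / math.comb(population, sample_size)


if __name__ == "__main__":
    result = evaluate(INVENTORY, CONTROLS)
    print(f"population compliance: {result['rate']:.1%}")
    for control, names in result["findings"].items():
        print(f"  {control}: {len(names)} failing -> {names}")
    bad = hosts_failing_any(INVENTORY, CONTROLS)
    for s in (3, 5, 10):
        p = chance_clean_sample(len(INVENTORY), len(bad), s)
        print(f"a {s}-host audit sample misses all {len(bad)} failing hosts with probability {p:.0%}")
```

With four failing hosts out of twenty, a five-host sample has roughly a 28% chance of containing none of them, so an auditor could quite legitimately report every sampled control as operating effectively. The full evaluation reports 93% compliance and names the four hosts, which is the information you need to fix the problem rather than to pass the audit.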
Conclusion: Certifications Are Helpful, But They’re Not Enough
Certifications like ISO 27001 and SOC 2 Type II can be valuable indicators that a company takes security seriously. However, it’s important to remember that these audits are based on limited samples, and a clean certification report doesn’t guarantee that every system is compliant.
Rather than relying solely on certifications, companies need to take a proactive approach to vendor and partner risk management. Conduct your own assessments, ask for additional evidence, and continuously monitor your partners’ security practices. By doing so, you’ll ensure that your business is protected—not just on paper, but in practice.
In the end, a certification is just one part of the equation. Proper care and diligence will always be your best defense against security risks. Or, as the auditors might say, "Trust, but verify—and then verify again."