
CCNet
Mar 28, 2025

NIS2 Compliance Audits: How to ensure that suppliers and service providers comply with cybersecurity standards
A compliance audit for suppliers and service providers is a structured procedure to verify adherence to agreed security standards and regulatory requirements, especially those of the NIS2 Directive. The audit aims to identify risks, uncover vulnerabilities, and ensure that corrective actions are initiated.
Objective of the Audit
The primary goal of the audit is to check the compliance of suppliers and service providers with the defined security requirements. The secondary goal is to identify vulnerabilities in the security practices of partners and address these with targeted corrective measures.
Preparing the Audit
Defining the Scope of the Audit
The IT Security Officer and the Compliance Manager jointly determine which suppliers and service providers should be audited based on their risk profile. The audit scope is also defined, including the systems, processes, and security measures to be examined.
Assembling the Audit Team
The Compliance Manager assembles an audit team with expertise in IT security, data protection, and the NIS2 requirements. The team is trained to meet the specific requirements of the audit.
Creating an Audit Plan
A Lead Auditor creates a detailed audit plan outlining the areas to be reviewed, the timeframe, and responsibilities. This plan is communicated in advance to suppliers and service providers, along with a request for necessary documentation.
Conducting the Audit
Opening Meeting
The audit begins with an opening meeting where the Lead Auditor explains the goals, procedure, and scope of the audit to the supplier or service provider. Any open questions about the audit process are clarified.
Document Review
The audit team reviews all relevant documentation, including security policies, risk analyses, training records, incident response plans, and reports on security measures. Compliance with the defined standards and NIS2 requirements is evaluated.
On-Site Review
Auditors conduct an on-site review of IT systems and implemented security measures, including physical controls such as access to data centers and server rooms. Interviews with key personnel are conducted to assess their understanding and implementation of security policies.
Technical Review
An IT security expert within the audit team performs a technical review to evaluate implemented security measures such as firewalls, Intrusion Detection Systems (IDS), encryption, and access controls. Random tests are conducted to assess the effectiveness of these measures.
Review of Incident Reporting
Logs and reports of past security incidents are analyzed to assess the effectiveness of responses and the implementation of corrective actions.
Closing the Audit
Closing Meeting
After completing the audit activities, the Lead Auditor holds a closing meeting with the supplier or service provider. Preliminary findings, identified deficiencies, and initial recommendations are discussed.
Creating the Audit Report
The Lead Auditor compiles a detailed audit report summarizing the results of the document review, on-site review, technical review, and incident reporting. The report includes recommended actions to address identified vulnerabilities.
Delivering the Audit Report
The Compliance Manager delivers the audit report to both the organization's management and the audited supplier or service provider. A timeline is set for implementing the recommended corrective actions.
Follow-Up and Corrective Actions
Implementing Corrective Actions
The supplier or service provider is responsible for implementing the actions recommended in the audit report within the specified timeline. Progress is monitored by the Compliance Manager and regularly documented.
Follow-Up Audit
A follow-up audit is conducted to verify the implementation of corrective actions and assess their effectiveness. A corresponding follow-up audit report confirms that all non-compliances have been addressed.
Completion and Documentation
Closing the Audit Process
After successful implementation of all corrective actions, the audit process is officially closed by the Compliance Manager. All audit documents and reports are archived to serve as evidence for compliance requirements and for future reference.
Lessons Learned and Continuous Improvement
The Lead Auditor conducts a "Lessons Learned" session with the audit team and relevant stakeholders. Insights gained are used to continuously improve audit methods and standards.
Summary
Regular and comprehensive compliance audits are essential to ensure that suppliers and service providers adhere to cybersecurity standards and minimize potential risks. This process strengthens the company's security strategy and improves resilience to external threats.