Audits
Audit. Verify. Build trust.
Certification-oriented testing – audits that create value.
Audits with DS DATA SYSTEMS
Audits with vision – recognize risks, eliminate weaknesses.
First and second party audit
- ISO/IEC 27001
- VDA ISA
- ISO 22301
- ISO/IEC 20000-1
- ISO/IEC 27701
- Data protection audit
- Service provider and supplier audits
- Internal audit
- Physical security audit
- Security Quick Check
Third party audit
- ISO 27001 on the basis of IT baseline protection (BSI)
- Audit according to §8a BSIG (KRITIS)
Why are audits important?
The benefit of an audit outweighs the costs it incurs.
The aim of a security audit is to determine whether the existing security facilities and procedures meet the applicable security requirements and are effective enough to minimize the risks for the company. Normally, an audit is conducted regularly according to a specific schedule, with the goal of uncovering weaknesses early and remedying them sustainably.
Certifications of our security consultants for accredited audits:
- Lead Auditor ISO/IEC 27001, ISO/IEC 20000-1, ISO 22301
- Lead Auditor ISO 27701
- Assistant TISAX®-Auditor
Certification of our security consultants by the German Federal Office for Information Security (BSI)
- Audit team leader for ISO 27001 audits on the basis of IT-Grundschutz
Other personal certifications:
- Auditor according to §8a BSIG / KRITIS
First and second party audit
ISO/IEC 27001
ISO/IEC 27001 is an international standard for information security management systems (ISMS) that specifies how companies and organizations should organize and monitor their information security.
An ISO/IEC 27001 audit is a process in which an independent, external party reviews the implementation and effectiveness of an organization’s ISMS to ensure that it meets the requirements of the standard.
An ISO/IEC 27001 audit typically involves a comprehensive review of the company’s or organization’s ISMS processes, procedures, and systems, including document reviews.
VDA ISA
Suppliers and service providers in the automotive industry must prove to automotive manufacturers that they have an appropriate level of information security in accordance with the Information Security Assessment (ISA) catalog of requirements if they process sensitive information.
To this end, the ENX Association and the VDA (German Association of the Automotive Industry) have jointly developed the “Trusted Information Security Assessment Exchange” (TISAX®) verification procedure. An assessment can be used to verify the company’s level of maturity with regard to the requirements defined in the VDA ISA at a specific location. The company can receive a so-called ‘label’ for the assessed location if it fulfills the relevant requirements of the VDA ISA.
ISO 22301
ISO 22301 is an international standard for business continuity management (BCM) that specifies how companies and organizations should organize, maintain and monitor their ability to respond to unforeseen events.
An ISO 22301 audit is a process where an independent, external party reviews the implementation and effectiveness of an organization’s BCM system to ensure that it meets the requirements of the standard.
An ISO 22301 audit generally involves a comprehensive review of an organization’s BCM processes, procedures, and systems, including document reviews.
ISO/IEC 20000-1
ISO/IEC 20000-1 is an international standard for IT service management (ITSM) that outlines requirements for the processes, systems and the organization itself that deliver IT services.
An ISO/IEC 20000-1 audit is a process in which an independent, external party reviews the implementation and effectiveness of an organization’s IT service management system to ensure that it meets the requirements of the standard.
ISO/IEC 20000-1 auditing generally involves a comprehensive review of an organization’s ITSM processes, procedures, and systems, including document reviews.
ISO/IEC 27701
ISO/IEC 27701 is an international standard and serves as an extension of the ISO 27001 Information Security Management System (ISMS) for the management and processing of personal data, especially with regard to the requirements of the EU General Data Protection Regulation (GDPR).
An ISMS according to ISO 27001 is a prerequisite for this audit. An ISO/IEC 27701 audit is a process in which an independent, external party reviews the implementation and effectiveness of an organization’s ISMS with regard to the management of personal data to ensure that it meets the requirements of the standard.
An ISO/IEC 27701 audit generally involves a comprehensive review of an organization’s ISMS processes, procedures, and systems with regard to the management of personal data. This generally involves document reviews as well as performance tests and verifications.
Data protection audit
A data protection audit is a process where an independent, external party reviews the implementation and effectiveness of an organization’s data protection policies and procedures to ensure that they comply with applicable data protection laws and regulations.
A data protection audit can be conducted according to national and international requirements, depending on which laws and regulations apply to the company or organization.
A data protection audit generally involves a comprehensive review of an organization’s data protection processes, procedures, and systems, including document reviews. The goal of the audit is to determine whether the organization manages and monitors its data protection measures appropriately, complying with applicable laws. However, it is not a certification audit.
Service provider and supplier audits
A service provider and supplier audit is a process in which a company or organization reviews its service providers’ and suppliers’ compliance with standards (and, for example, internal requirements) as well as their capabilities.
Its purpose is to ensure that service providers and suppliers deliver the agreed-upon services and fulfill their obligations. This includes satisfying quality, safety, emergency management, environmental and ethical standards.
A service provider and supplier audit generally involves a comprehensive review of a service provider’s or supplier’s processes, procedures and systems, including document reviews.
Internal audit
An internal audit is usually conducted by the employees of an organization or company themselves. The main task here is to identify weaknesses in security procedures and propose remediations.
For example, this can be done by regularly reviewing records or conducting spot checks in individual areas.
However, it can be prudent to have internal audits performed by external persons in order to prevent conflicts of interest, subjective views and possible operational blindness.
Physical security audit
A physical security audit is a review of the physical security measures of a company or organization. Physical security is concerned with the measures taken to protect assets against hazards that act on them through direct physical impact.
Physical security starts with simple measures, such as locked computer enclosures, and extends to access-protection systems in data centers. These can include physical doors and windows, video surveillance systems, alarm systems, electronic access control systems, lighting systems, and other similar devices. The review can be performed internally by company employees or externally by our independent security consultants.
Security Quick Check
Additionally, we offer individual Quick Checks to quickly evaluate your security level for the following areas:
- Information security
- Data protection
- Security systems
Our longstanding experience as accredited auditors ensures that we work quickly and cost-effectively to assist you in any of the mentioned aspects.
Third-party audit
ISO 27001 on the basis of IT baseline protection (BSI)
IT baseline protection (IT-Grundschutz) is a framework developed by the German Federal Office for Information Security (BSI) and represents a method for implementing an ISMS in predominantly, but not exclusively, German companies and organizations.
An ISO 27001 audit based on BSI IT-Grundschutz is an audit in which an independent, external party reviews the implementation and effectiveness of a company’s or organization’s ISMS according to the requirements of the ISO 27001 standard and the recommendations of the BSI IT-Grundschutz framework.
Audit according to §8a BSIG (KRITIS)
Paragraph 8a of the BSI Act (BSIG), also known as the Critical Infrastructure Act (KRITIS), is German legislation that defines rules for the security of critical infrastructures. Critical infrastructure means facilities and establishments that are essential for maintaining public safety and order, and secure the basic needs of the general public.
An audit according to §8a BSIG is a process in which an independent, external party reviews the security of critical infrastructures to ensure that they meet the requirements of the law. An audit typically involves a comprehensive review of the critical infrastructure’s security processes, procedures, and systems, including document reviews.
