TL;DR version:
It will take anywhere from around 1-3 months for the data collection and review by the auditor to come to an opinion and issue a report or certification.
An IT Audit can be an intimidating process. If this is your first audit then there can be many unknowns that you are uncomfortable with. Don’t fret. In this article, we will go over the amount of time that it takes to complete an IT Audit and how you can remain confident in the process. This one question will frame how you respond to your audit.
What framework or standard are you being assessed against?
One of the primary considerations for your IT audit is understanding which framework you are being compared against. If you know what framework the auditor is comparing you against, this will be an enormous help in guiding your answers to the auditor’s questions. Many executives and directors without cybersecurity training are frustrated by the seemingly endless and apparently unconnected wave of questions and requirements brought up during an audit, but the standards that the questions are based upon follow a logical order. To some extent or another, the audit team wants to understand:
- What the business does and how it does this
- The types of data that the company handles
- The risk to the data that is handled
- What the company does to decrease the chances of those risks harming the business (aka controls)
- How the company checks to make sure that their controls are actually protecting the business
What the auditor is looking for
Once you have determined the type of framework that the auditor is comparing you against, you can leverage this information to help you prepare for your audit. For example, if you are in an ISO 27001 audit, then you know that the auditor will be asking you about the mandatory requirements of ISO 27001. If you are being audited against NIST CSF, the auditor will be looking to see how well you adhere to the control families of that framework. You will avoid lengthy delays due to going back and forth with the audit team, be able to provide the precise evidence that satisfies the requirements, and get through your audit faster. An important thing to note here is that you do not have to implement every single control. If a question calls for a yes/no answer and there are no risks to the data or systems in question, then it is perfectly fine to answer no and explain that the item does not apply to your business.
What type of evidence to provide
Every business is different, so the evidence you provide to the auditor will be customized for your organization. To the point above, if you know what framework or standard you are being compared against, then you will need to tailor your audit evidence to that framework or standard. Many organizations come across audit controls that they believe they are not in compliance with or do not have evidence for. Auditors will not be happy with a lack of audit evidence for specific controls, especially if the risk to the organization requires some level of control implementation to decrease the impact of that risk. You should try to think outside the box and determine what processes, documentation, or risk control activities you have in place that can potentially fit the question the auditor will be asking. Don’t be afraid to use evidence that doesn’t exactly match the control description. In most cases, it can be argued that a specific process or document from an organization fits the control item at hand.
The time to complete the audit
So how long does it take to complete the Information Security audit? From our experience, for small and medium-sized organizations it will take anywhere from around 1-3 months for the data collection and review by the auditor to come to an opinion and issue a report or certification.