Tough, unannounced audits critical to any security certification program
May 1, 2013
Of all the lessons learned over the 14 years of the NAID AAA Certification Program, the single most important lesson was the critical importance of unannounced audits.
Many will remember that we launched the certification program with three levels: “A,” “AA,” and “AAA.” The “AAA” used in the current program is simply a holdover from those early years. The two lower levels were eliminated in 2005 because the structure was confusing to customers. Also, many will remember that the association initially hired a national security contractor to conduct the audits. We switched to independently contracted, accredited security professionals when we determined they were able to offer a higher-quality audit.
As valuable as those early lessons were, without a doubt the most significant lesson we have learned over the years is how critical random unannounced audits are to promoting compliance. Yes, NAID started with the annual scheduled audit, and we understood the limitations of announced audits at the time. Any company can be ready for an audit once a year when it knows the audit is coming. We went in that direction because that is what we saw in other programs.
After a number of years living with this weakness, NAID introduced random unannounced audits. As you might expect, the rate of non-compliance issues discovered on unannounced audits was significantly higher. In fact, it was six times as high. So we doubled the frequency of unannounced audits and cut the scheduled audits in half. We also created the Certification Review Board (CRB) to monitor non-compliance incidents, recommend program changes and issue sanctions. As a result, over the past six years, the number and severity of non-compliance issues found on unannounced audits have been reduced significantly.
As you can imagine, NAID’s experience calls into question any certification program that relies on scheduled audits to validate compliance. In an era when customers need certifications to validate vendors’ qualifications, relying on scheduled audits or self-certifications is simply too low a standard to set, and it is misleading to the customer.