Information Security Audit Response Review: Large UK Law Firm

Client challenge

The client is receiving an increasing number of audit requests from existing and potential clients, the complexity and format of which vary considerably from client to client. IT policies provide a key cornerstone in demonstrating our client's approach to Information Security and are used to support audit responses. The current state includes: no formal, structured process; requests managed and routed according to the receiving entry points; a significant risk of a single point of failure, as responses are dependent on key senior personnel; no up-to-date master repository of audit responses, resulting in duplicated effort; etc.

What we did

Phase 1:

  • Reviewed all existing policies in the context of information security
  • Reviewed process in the context of Information Security
  • Produced a report detailing the current state against industry best practice for Information Security

Phase 2:

  • In-depth assessment of policies in the context of Information Security
    • To make amendments and updates
    • Recommend future areas for improvement
  • Reviewing the organisation's audit response repository based on the policy review
    • To make amendments and updates
    • Recommend future areas for improvement
  • Design process flow for future amendments and improvements to IS
  • Live trial of audit response
  • Agreed a template for all IT Policies
  • Agreed the process and controls for managing document change
  • Supplied resources to modify and consolidate documents

The result

  • TORI Practitioners helped the client reach a target state of a formalised audit process that is defined, timely, cost-optimised and supports clients
  • Updated audit response repository
  • Improved audit process volume resiliency and reduced the risk of single point of failure
  • Produced best-practice policies that are fit for purpose, managed and backed by evidential controls to support audit responses, and updated policies in accordance with findings and recommendations for larger-scale improvements
  • TORI are currently responding to client questionnaires on behalf of the firm and are in discussion about providing a managed service.