Company Wants Audit - Not Ready

So my company decided they wanted to pull off the ISO 27001 audit and continue on their initial schedule even though I was brought on late and had to catch up late with everything they've been doing—along with learning/growing on the job.

Things seem very bleak now due to the fact that my team of two shrunk to one and the "lead" for the team is on leave for the audit.

I've been pulling my hair for the past 2 months trying to prepare and keep up with what the company PM has asked for this thing (on top of the stuff I'm supposed to be doing just for the regular part of the job; i.e. helpdesk) but I'm not confident things will go well.

For starters, I feel like we're missing some things the standard clearly calls for. The PM addressed some things before but nothing was done about it.

Secondly, the CEO got involved just about 2-3 weeks ago and prep for this has been happening for what seems like 7 months now. The audit is happening in a week.

I'd gladly sip through my tea throughout the entire thing if it weren't for the fact that I will be the primary POC for just about everything that goes on that day. The PM has told me they will simply refer the auditor to me if he gets asked anything and I'm just sitting there thinking to myself "why?". I can understand why since this is largely being undertaken by IT and it's basically all governed by IT—which I am a part of—but I can't just pull off something like this when I have no experience, nobody to pull from, etc.

Every fiber in my body is telling my to leave but I have bills to pay. This is also—in its own weird little way—a learning opportunity. This whole fiasco has been a learning opportunity in different ways.

At the end of the day, I just don't feel ready. This isn't about "imposter syndrome" or what have you. The reality is I'm a recent grad who only just got on board with the "real world".

If the audit doesn't go well, the fingers will be pointed at me—ME. I only just got on!

I will not be surprised if the PM and the lead throw me under the bus. They're in the right positions to do it. Everyone in my office thinks I'm weird anyway.

I think I'll be at peace if they finally fire me. It's just constant "oh, what's this". My internship was tons better than this and not just because of the workload.

Find more posts tagged with

Comments

EANx

Have you talked with your boss about the status, the challenges and expectations and the fact that you were brought in late? No reasonable person will expect you to be responsible for something you were brought in late and don't have the training for and short staffed and no lead, etc. And then follow that up with an email with the points discussed so that they can't later go back and say "this is the first I've heard of it".

This is a great learning experience if you can separate yourself emotionally from the process but the firm is that screwed up, you might want to start looking.

devilbones

That Random Guy said:

Everyone in my office thinks I'm weird anyway.

This got me, lol. You will be fine. I am not saying your going to pass your audit but there is not much you can do at this point except for your best. Please report back here on how things go. You can do this. Be honest and be yourself.

Ertaz

Audits are learning experiences. Today's MRA prevents tomorrow's breach. Take everything in stride and apply the standard. Pitter Patter, go right at er.

That Random Guy

10/25/2019 Report/Update:

So, the audit went on for the whole week. I was pretty much in meetings all week for this and I wasn't enjoying any of it.

The auditor was able to "pass" the company for TWO of the certs they already had. Yes, this means that the company actually had the same auditor go through two previous audits (or recert) and one prep review for the ISO27001 during this one week. This was not something I was aware of nor prepared for (I was only aware of the 27001) but they went and did it anyway.

In the end, you could say I was saved by the fact that they had "passed us" for the priors. However, it looks like the 27001 is not something that will be doable in the schedule the company (CEO+COO) want it at. They presume it will go smoothly in a months time. The trick, however, requires gaining additional software/solutions to support controls regarding MDM/BYOD and centralized logging (e.g. SIEM). This is NOT something that will go smoothly in my mind solely due to the fact that just by looking at the different processes involved in previous audit requirements and the like, one month is not a realistic time-frame. That is just considering the time necessary to get the software running/working. There's yet work to be done on the documentation (i.e. policy) side of things that needs amending as well. That will likely need to be updated when the time comes for these "solutions" but this is the gist of it. Just those two things alone would require planning, risk assessments, documentation, budgeting, etc.

This might sound really immature and unprofessional, but I just don't want to do it. I'm someone who needs time to be able to do sophisticated things. Being forced to do things in a rushed manner just because someone else wants it done to their lousy schedule will grant you what you pay for. I really don't want to stay here and the only thing keeping me here is being able to get my clearance.

What advice do you all have? In my mind, I realize I cannot simply state to management that "we can't do it because I can't do it". I need something to back this up. Keep in mind I'm practically the only one running the helpdesk and I'm also performing regular "sysadmin" duties while participating in other projects.

advanex1

Hate to be the one to tell you, but part of working in IT is developing a plan to make things work. You can't go to your stakeholders and tell them no it's just not possible unless there is really something catastrophic going on. What you can do is tell them the time table that you think is valid for such a task, lay out your plan with time tables, be able to speak intelligently on the topic, and show them the entire process.

Just like in Cybersecurity.. our job is not to tell our Customers/Stakeholders no. Our job is to find the appropriate balance between the two. Accreditation and certification is no different.

Why are you even handling this if you are help desk? I don't understand the dynamic at that company.

That Random Guy

advanex1 said:

Why are you even handling this if you are help desk? I don't understand the dynamic at that company.

My position title is Sysadmin Jr. but I am providing helpdesk support on top of the sysadmin duties... which hasn't been a lot. The helpdesk stuff is what chips away my time.

I feel like the company just hired me to put up with the small stuff (helpdesk) but now we're entering into deep territory. The problem is I'm not familiar with how projects like this get raised and implemented. I'm not a PM. I've never had to comply with standards like this on a regular basis and I simply don't have the experience I believe would help in this situation.

It's not intuitive for me to set up meetings, perform other stuff that an actual lead or something should be doing.

advanex1

Help Desk chips away at everyones time so I understand.

Who is your lead/boss for Systems Administration?

That Random Guy

advanex1 said:

Help Desk chips away at everyones time so I understand.

Who is your lead/boss for Systems Administration?

There is a "senior" admin who has been with the company for a bit and has been the one who manages IT. His role is kind of odd due to the fact that he's also managing the developers and our main output is software. So, his time is mainly spent providing assistance to their projects and not IT. He does check in every now and then but it's kind of difficult when I don't know what I'm supposed to be keeping track of (aside from what's been mentioned). I've asked questions where it made sense to but I feel like I'm not always on the same page. I think more than anything, I need to be asking more questions. It would probably do me some good...

advanex1

This seems to me like it's one of those situations where you either crap or get off the pot. I'm not sure what your financial situation, but if I was being paid for your position I would be deflecting all of those duties to that lead. That's his job and not a Jr. Sys Admin/Help Desk. If they don't want to take on the responsibilities they should be responsible for I'd be looking for another position or asking for a promotion/raise at your current company. Your company seems backwards.

flamecopper

Hi there,
Has anyone prepared an RFI for ISO 27001 before?
What is there are controls that are not applicable like Mobile Device Management and Teleworking

That Random Guy

flamecopper said:

Hi there,
Has anyone prepared an RFI for ISO 27001 before?
What is there are controls that are not applicable like Mobile Device Management and Teleworking

The ones that are not applicable are the ones that don't apply to any process involved in your company/organization. I'm not an auditor, so forgive the simplified explanation.

For instance, my company designated that the control related to "loading dock or delivery area" security (i.e. physical control) did not apply to our company as we did not govern the responsibility for this in our office. My company only has a presence on two floors and ultimately does not manage the building.

We somehow got away with that response and while I would disagree with that, the auditor that passed us said that answer was sufficient.

Jon_Cisco

You will often hear people compare certs vs real world experience. I think what you are dealing with here is understanding the two of them. They both have value but they are very different. If you step back and think about this your new to the company and career and you are being given opportunities that you don't yet have the experience to deal with.

This is exactly how experience is gained. Your situation is not uncommon and I am fairly confident your CEO knows he is being demanding. It is very different from the CEO level looking at a project. They need to be a driving force which means they usually push people under them to do more. Usually to do more with less!

I honestly think you are gaining great real life work experience but it's hard to see it in the moment.

Good Luck in the new year.

Jon