Joint audits: The successful model of ccTLD registries

For around 10 years, European country code top-level domain registries (ccTLD registries) have been auditing each other against the ISO/IEC 27001 standard. This success story goes well beyond mere compliance with the standard's requirements.

Text: Patrick Leu, published on 5 September 2025

Photo: Adobe Stock | Bird Photographer TH (stock photo illustrating the review of ISO certification standards)

Switch manages the ccTLDs «.ch» and «.li» on behalf of OFCOM and the Principality of Liechtenstein Office for Communications. In its function as a ccTLD registry, Switch operates a critical infrastructure for these two countries. To fulfil this responsibility, Switch relies on ISO/IEC 27001, among other standards, for information security. One requirement of this standard is to regularly review the effectiveness of the management system and adjust it as necessary. Switch organises this in collaboration with other European registries. The procedure described below fulfils a number of the standard's requirements simply by being carried out, regardless of the focus of the respective audit. For those interested, the relevant clause of the standard is referenced in brackets.

From standard to practice

Conducting internal audits of the Information Security Management System (ISMS) is a requirement of the standard (9.2) and must take place at planned intervals (9.2.1). These audits must be objective and independent (9.2.2.b), which essentially rules out auditing one's own ISMS. Part of the audit criteria to be defined (9.2.2.a) is ensuring that the auditors have the necessary knowledge and experience. This is the case in our group: every participant works in information security, and many also hold relevant diplomas and certifications (7.2).

Now, you can either turn to qualified consulting and auditing firms, which can be very costly, or you can organise yourselves. The well-known problem with external auditing firms is their lack of context: they check things they may understand from a technical point of view but cannot correctly place in the corporate context. The audit findings are then either generic or require a great deal of imagination to identify the actual deviation. Registries, on the other hand, employ highly qualified security and audit specialists. It was therefore an obvious step for the ccTLD registries of the Netherlands, Germany, Austria and Switzerland/Liechtenstein to form an interest group (4.2, A.5.6) in order to audit each other.

More information security for all registries

At that time, all four organisations operated an ISMS in accordance with ISO/IEC 27001:2013. The composition of the audit round has changed several times in recent years: Slovenia was involved for a time, and the Netherlands played a significant role in the round for several years until it decided to leave in 2024. The most important feature of the group is that communication takes place in German. Documentation may be written in another language; the audit simply allows the time needed to translate the texts. The founders of the audit group pursued several goals with the interest group:

  • Rotating roles: Each registry takes on the lead auditor role for another registry at least once a year, and each registry is audited once a year. This strengthens the auditing skills of the people who take on the lead auditor role. In addition, the rotation ensures that different people regularly look at each ISMS.
  • Targeted further development of one's own ISMS: The registry to be audited sends the audit plan (9.2) to the auditing registries. The lead auditors prepare by considering relevant questions and possibly reflecting on their own ISMS. During the audit, the implementations (7.5) are checked by means of random samples. Typically, the audit team asks further questions about the implementation or contributes its own experience (A.5.36). This helps the lead auditor (yes, finally a finding!) and, equally, all other participants to check their own ISMS implementations.
  • Exchange of experience on implementing the Annex controls: In an audit event lasting several days, the examination of the previously planned controls from the Statement of Applicability (6.1.3.d) of the registry concerned begins on the second day. Here, the nerds among those present can get lost in discussions. It is then up to the lead auditor to postpone the exciting discussions to lunch or dinner time in favour of the audit plan.
  • Targeted how-tos: When planning the audit, each registry can raise topics to be discussed in depth on the last day of the audit. These include demonstrations of tools, examples of instructions or tips for implementing processes. In recent years, particular attention has been paid to the changes resulting from the revision of the standard in ISO/IEC 27001:2022. It is not uncommon for concrete drafts to be drawn up on the spot.
  • Cost-effective and standard-compliant audits: Travel and accommodation costs are significantly lower than when external consulting firms are hired. The benefits are much greater, and the results, such as suggestions for improvement, are industry-specific and therefore more targeted. This saves a lot of time in developing and implementing measures compared to having to create them from a white paper or a blank Confluence page. So far, all accredited ISO certification bodies have accepted this type of internal audit without reservation.

Of course, part of every audit is to reflect on the strenuous day while enjoying a local speciality. Those who are still interested then delve back into detailed discussions.

Practical findings instead of standard solutions

The maturity levels of the ISMSs differed more in the past than they do today. Individual ISMS development (10.1) has accelerated thanks to the joint audits. Measures are more targeted, implemented more efficiently and show the desired effectiveness much earlier (9.3.1). The risk of serious non-conformities in an external ISO audit is reduced, because issues already found in the audit round (9.2.2) are at most identified as minor non-conformities (10.2) in the external audit.

Patrick Leu, Information Security Officer, Switch