Reports as Evidence, Credibility, and Trust-builders

August 2, 2016

Content, delivery, and clarity are imperative components of successful written communication; a lack of such results in confusion and misunderstanding. Assessment reports such as ISO 27001, SOC 1, and SOC 2 can be confusing for employees or clients who are unfamiliar with the processes and outcomes involved in such. Simply having the assessments and certifications on which these reports are based is not always enough to secure a relationship between a user organization and their client. User organizations must be ready and able to present well written documentation to evidence the methods and findings of security assessments.  

Clients want to know whether or not controls are successfully in place, but many scrupulous clients also want to read and understand evidence describing how and why the control is or is not properly in place. Developed language that sufficiently describes processes and outcomes involved in assessment lend credibility to both the assessor and the party assessed. 

Of course, evidence is only useful when it is conveyed with clear and articulate language. It is essential that the assessment processes and outcomes are described in such a way that accommodates those with and without a thorough working knowledge about the examination performed. This includes the use of thorough and objective descriptions, and accurate terminology.  

In some instances, a service organization may find it appropriate to share their assessment report internally or externally, and in these instances the assessment report functions as an official document representing the organization. As with all company communications, the report should be written grammatically and formatted with appropriate and consistent conventions. A report without these layers can convey carelessness or sloppiness on the part of the organization, whereas a report that does employ these conventions lends a degree of polish which enhances an organization’s image and bolsters credibility.  

The report is the written record of the process and outcomes of a security assessment. It details what was assessed, how it was assessed, and the outcomes of the assessment. In the case of security assessments which are precursors to certification, such as the ISO 27001, the report is the written proof and explanation of how and why an organization has, or has not, been granted a given security certification. All opinions, assertions, and findings must be clearly communicated.  

When choosing an auditing firm, an organization should consider the firm’s ability to produce a well written report on the assessment and outcomes. Certain firms such as Schellman & Co., LLC employ report specialists dedicated to performing quality assurance that ensures well written reports. Before agreeing to work with a firm, be sure to inquire about who writes and reviews the reports. The report is a representation of an organization and as such, a well written report demonstrates strong organizational integrity, which in turn fosters strong client relationships. 

Previous Article
An Introduction to CSA STAR and ISO 27001
An Introduction to CSA STAR and ISO 27001

Curious about the CSA STAR Program or how its certification works together with ISO 27001? We answer basic ...

Next Article
ISO 27001 – Starting the Internal Audit Process
ISO 27001 – Starting the Internal Audit Process

An internal audit process should be present within the organization, and is vital to the design and effecti...