Skip Navigation


Bookmark and ShareWednesday May 1, 2013

Tough, unannounced audits critical to any security certification program

By Bob Johnson, NAID CEO

Of all the lessons learned over the 14 years of the NAID AAA Certification Program, the single most important lesson was the critical importance of unannounced audits.

Many will remember that we launched the certification program with three levels: “A,” “AA,” and “AAA.” The “AAA” used in the current program is simply a holdover from those early years. The two lower levels were eliminated in 2005 because the structure was confusing to customers. Also, many will remember that the association initially hired a national security contractor to conduct the audits. We switched to independently contracted, accredited security professionals when we determined they were able to offer a higher quality audit.

As valuable as those early lessons were, without a doubt, the most significant lesson we have learned over the years is how critical random unannounced audits are to promoting compliance. Yes, NAID started with the annual scheduled audit and we understood the limitations of announced audits at the time. Any company can be ready for an audit once a year when they know it is coming. We went in that direction because that is what we saw in other programs.

After a number of years living with this fallibility, NAID introduced random unannounced audits. As you might expect, the non-compliance issues discovered on unannounced audits were significantly higher. In fact, they were six times as high. So we doubled the frequency of unannounced audits and cut the scheduled audits in half. We also created the Certification Review Board (CRB) to monitor non-compliance incidents, recommended program changes and issued sanctions. As a result, over the past six years, the number and severity of non-compliance issues on unannounced audits has been reduced significantly.

As you can imagine, NAID’s experience calls into question any certification program that relies on scheduled audits to validate compliance. In an era when customers are in need of certifications to validate vendors’ qualifications, relying on scheduled audits or self-certifications is simply too low of a standard to set and misleading to the customer.

Comments: 0 | Reply

Submit your Comment

All comments are moderated. Your comment will appear in the order received after being approved.

(comment length available: )

Enter Verification Code:
Captcha Code
Type the characters you see in the picture above.

By submitting a comment, you agree to the terms and conditions governing this blog. Any information, including but not limited to remarks, suggestions, ideas, personal information or other submissions, communicated to NAID through this website is the exclusive property of NAID. Your name will appear along with your comment if/when they appear on the website.

Return to Current Blog