The Optimization of the Integrated Management
System Audit Program
Ilya I. Livshitz1, Kseniya A. Nikiforova2
JSC Gazinformservice
Saint Petersburg, Russia
1
livshitz.il@yandex.ru,
2 1
nikiforova.k.a@yandex.ru
Abstract—The application of Integrated Management
Systems (IMS) is now attracting the attention of TOP
management of a variety of organizations: refineries, machinery,
instrument-making, aviation, defense, etc. However, now the
major problem is still the performance of IMS audits as full
implementation of complex checks from different ISO standards
with a substantial limitation or reduction of available resources.
At the same time, the continuous improvement of
management principles and in particular – the transition to risk-
based thinking provide a greater interest in the rational use of
ISO standards. In this issue cover a technique of optimization
IMS audits program, based on principles of continuous
adaptation when entering data in a single micro-cycle audit. An
additional advantage of proposed technique is the use of
numerical IT-security metrics of audit, contributing to
continuous improvement of the IT-security level of organizations.
Keywords—Information security; Information Security
Management System; audit; risk management; threats;
vulnerabilities; Standards.
I. INTRODUCTION
Recently, the application of integrated management
systems (IMS) attracts the attention of senior management
(decision makers – decision makers of various organizations.
Occur almost isolated cases, when the modern organization of
diverse industry sector (oil, instrument, aircraft and defense)
implement only one system management (SM), by contrast,
now typically implemented the projects of IMS. Consider some
of the largest Russian organizations, in which authors over a
long period 2010-2015 had the opportunity to perform audits.
However, at the moment remains an important issue
ensuring the implementation of the audit programme in
management systems information security (ISMS) –
implementation of the full set of checks on various ISO
standards, with a significant reduction in available resources.
Largely this problem is to ensure the IMS audit program for
audits of information security (IT-Security), as the negative
effects of incidents can result in significant damage to the
organization until the end of activities. At the same time,
continuous improvement management principles and, in
particular, the transition to a thinking, risk-based, provide
increased interest in the rational use of modern risk-oriented
standards [1 - 5].
121
Pavel A. Lontsikh1, Elena Y. Drolova2,
Natalia P. Lontsikh
National Research Irkutsk State Technical University,
Irkutsk, Russia
palon@list.ru, 2 elena_uspeh@mail.ru
Accordingly, of particular interest to the study of problems
in the execution of the IMS audit, as well as finding ways to
optimize the program IMS audit based on the principles of
continuous adaptation of the data within one micro-cycle
PDCA (Plan-Do-Check-Act), one of the basic audit cycle. On
the basis of the practice of IMS audits it is proposed a new
method to optimize the program audits, which will enable a
more rational decision making for decision makers in today's
complex economic environment [6 – 8].
II. AUDIT TASK DEFINITION
As previously noted, to ensure the stable development of
modern organizations in the context of the presence of risks of
different origin, it seems reasonable to use the risk-based
standards and the introduction of IMS [9 - 11]. From the point
of view of the management audit of IMS in the proposed
technique, we note the need to address the following important
practical problems (in parentheses indicate the paragraphs of
the standard audit SM – ISO 19011 [18]):
A. The problem of resource allocation for the program
audits:
 The development of a programme of audits (5.1),
 Identification and risk assessment audit programs
(5.3.4),
 Identification of resources for program audits (5.3.6).
B. The task of taking into account factors that affect depth
program audits – leakage incidents, the manifestation of
criminal actions, previously identified inconsistencies and,
therefore, to determine the scope of programme of audits
(5.3.3).
C. The task of collecting verifiable information (6.4.6).
D. The task of providing special knowledge and skills of
auditors (7.2.3.3), or the involvement of technical experts:
 Types of activity,
 Requirements of stakeholders,
 Knowledge of security process,
 Knowledge of the technical means and measures to
ensure information security.
978-1-5090-3680-6/16/$31.00 ©2016 IEEE
 Additionally, we note that the IMS should be taken into
account and recommendations of the PAS-99 [5], which
allows to take into account the specific requirements of
execution of combined audits, risk-based, flexible
management of the volume of the IMS audit program taking
into account previous results and the importance of processes
[19 - 21].
III. THE PRINCIPLES OF FLEXIBLE AUDITS
The proposed method of optimization program IMS audit
based on the following basic principles:
 Introduces the concept of integrated assessment mark
(IAM) of IT-Security, which includes a specific
indicator group evaluation of all submitted for audit
processes – RISMS. This group index is determined
using the weighted sum of partial indicators where the
weights determine the importance of the R PR process,
the organization of IT-security specific object of
assessment (OA)
 After the initial (primary) audit check for each process
is evaluated as to compliance with the requirements of
the audit criteria (ISO, GOST, STO Gazprom, etc.), as
well as its effect on IAM level for specific OA.
 Subsequent information security audits are conducted
according to the proposed method, using a flexible
approach: the most detailed and carefully checked the
processes on which the previous audit revealed
significant inconsistencies (e.g., in notation of ISO
17021 – ―major‖ [22]) and which have the highest
priority in IOS for a particular OA.
 The frequency and detail that needs to be differentiated
for different check processes, is also linked to IAM.
For example, certain groups of processes that have
IAM priority (e.g., critical IT-Security processes for
Top management) are subjected to audits in more detail
and more often. The processes with low priority IAM
for a specific OA are checked less and less detail.
 The depth of verification and frequency of audits every
time for the k-th audit the PDCA micro-cycle depends
on the approximation of the function specific IAM to
OA to some agreed target – Rtar (in the limit, obviously,
equal to 1) for a comprehensive security assessment of
a specific OA.
Additionally, we note the importance of the
implementation of the new standard, ISO 55000 [2-4] –
because many assets are not managed properly (in particular,
by the use of an outdated internal procedures, such as STO
Gazprom, in principle, does not operate assets such as staff,
buildings, and structures).
Accordingly, the application of the requirements already
implemented standard (e.g. ISO 27001) greatly facilitates the
solution of typical safety tasks, which are solved in parallel
(accounting and asset protection, risk management,
competency assessment, etc.), it is recommended to parallel
the test in the framework of the joint audit of all management
system or IMS [22 - 24].
122
IV. JUSTIFICATION OF THE MATHEMATICAL BASES OF THE
FLEXIBLE AUDITS
For the evaluation of a degree of providing ISMS
conformance on the IMS audits to presented requirements of
IT-Security we use private and group IT-Security indexes. For
the purposes of realizing IMS audits in the aspect of providing
IT-Security we suggest to use the index of effectiveness of MS
IT-Security RISMS , which we can calculate in each cycle of
k-audit using the additive formula with the account of α-
weight coefficients and index of effectiveness of each concrete
process of IT-Security – RPR
n
RISMS    i  RPr i (1)
i 1
in this case :
n
i 1
i 1
In its turn, indexes of effectiveness of each concrete i-
process of IT-Security – RPR are calculated by additive
formula with the account of β-weight coefficients and indexes
of IT-Security metrics for each concrete i-process of IT-
Security – KKPI:
m
RPri    j  K PKIj (2)
j 1
in this case:
m
 j 1
j 1
The coefficients of relevancy of private indexes of
IT-Security, that are used by calculation of IT-Security group
indexes, must be equal to 1 that provides norm balancing of all
indexes in additive formula above (1) and (2). Accordingly,
the final index of effectiveness of MS IT-Security RISMS must
maximize reaching 1:
n
RISMS    i  RPr i  1 (3)
i 1
In the process of IMS audits, the constant measuring of
current nonconformance for k-audit RISMS is measured as
discrepancy with the objective (maximal) index:
n
R  1  RISMS    i  (1  RPr i ) (4)
i 1
Regarding the results of all audits, that are carried out in a
strict accordance with IMS audit program, we fill in the
following matrix with the account of IT-Security processes –
PR, IT-Security audits – k-audits and IT-Security metrics –
KPI.
V. THE TASK FOR OPTIMIZATION
The specific optimization problem may be related to the
type of problems of the static optimization of the control
processes occurring in the steady state. You must implement
an optimization model for a process audit of IMS in terms of
deterministic constraints, and constrained optimization (the begining

minimum "residual"): The basic conditions

for audits planning: 1 Formation of audit program
F ( y)  min (5) T0, S0, V0, F0, O0 αi , βj , K KPI pr j

where:
F ( y)  R m , Realization of cycle of
2 Formation of k-Audit plan
5 audit program, planning
1
f ( y)  R k+1 аудита

f (y) – is the objective function of the m-dimensional vector Formation the monitoring by j-
argument y, such that: 3 metrics K KPI for
Pr i - processing in k-audit ОЗ K KPI pr j
y = (y1, y2, … ym)
where: y  D  R m Formation of evaluation of
Changing (easing) the
4 Pr i – processing and R ISMS
The range of permissible values: conditions for planning
audits: Tk+1, Sk+1, Vk+1,
of integral evaluation in k-audit R PR i , R ISMS

gi ( y)  0; i  1, N
Fk+1, Ok+1

The parameters of the m-dimensional vector argument y The analysis of integral

may be, for example: evaluation

R ISMS

R ISMS <> 1
 T– the period of information security audits; Changing “complication” of
conditions for planning Formation of mismatches of
 S– the planned cost of information security audits; audits: Tk+1, Sk+1, Vk+1,
6
k-audit
Fk+1, Ok+1

 V is the volume of information security audits (number

of units); 7
Formation of plan of corrective
actions for k-audit ∆ R PR i,
∆ K KPI pr j
 F– a list of the functional issues of information
 O – list of visited objects of information security R ISMS (corr) <> 1 The evaluation
audits. of corrective efficiency
R ISMS (corr)

On the basis of auditing standards (in particular [18]) and

industrial practices (STO BR IBBS, STO Gazprom, etc.), 8 Completion of audits program

suggest a method of multi-stage optimization process IMS

audit for a complex industrial facilities (CIF), which allows to
provide a system of coordination, allocation of resources and
prompt delivery of audits of IMS.
The proposed method is scientifically grounded and
focused operational functioning of the IT-Security subsystems
in the composition of the IMS, different from the existing
methods for cyclic continuous evaluation of the effectiveness
RISMS on the basis of an optimal system of numerical
indicators (metrics) of IT-Security {KPIik}. The proposed
method consists of 2-cycles associated program optimization
audits IMS, characterized by the presence of new units:
A. The basic optimization cycle, which characterizes the
effective implementation of audits of IMS in terms of
estimation performance for each of the PRi process and IT-
Security each KPIj–metrics, and defines the cycles of
optimization of resources in the audit program: depth
(―scope‖), size of the audit sample, the number of involved
auditors (experts), etc.
B. Quick evaluation unit of the effectiveness of corrective and
remedial actions in the current k-th audit affecting change
– as the following IT-Security process, and the following
(k+1) audit. Also provided a quick transition to the
assessment of performance indicators IMS – RISMS in k-m
audit and (k+1) audit for the permanent and operational
optimization of the entire program of IMS audit.
end
Fig. 1 – the Basic optimization cycle of the program IMS audit
Let’s consider the basic optimization cycle of IMS audit
program that was built with the account of audit’s formal ISO
standards requirements and ISAGO standards supported with
new components (see fig. 1):
 Formation efficiency evaluation of each k-audit;
 Formation of fast efficiency evaluation of correction
(corrective actions);
 Formation of quick back link in the current audit cycle;
 Formation of system reaction – complication or easing
depending on current integral evaluation in current
audit cycle.
VI. CONCLUSIONS
The methods of optimization program IMS audit based on
modern risk-based standards and ensures constant
optimization program perform information security audits
based on the associated flexible adaptive algorithms.
Experimental verification of the proposed method is made in
the implementation of several projects in the period 2014-
2016. The use of these specific blocks of optimization the
methodology for other IMS might require different parameters
(for example, selecting as criteria other industry standards or
other quantity and composition argument vector optimization).

123
 REFERENCES
[1] ISO/IEC 27001:2013. Information technology. Security techniques.
Information security management systems // Requirements,
International Organization for Standardization. 2013. 23 p.
[2] ISO 55000:2014 Asset management – Overview, principles and
terminology // International Organization for Standardization, 2014. –
19 pages.
[3] ISO 55001:2014 Asset management – Management systems –
Requirements // International Organization for Standardization, 2014. –
14 pages.
[4] ISO 55002:2014 Asset management – Management systems –
Guidelines for the application of ISO 55001 // International
Organization for Standardization, 2014. – 32 pages.
[5] PAS-99:2012 «Specification of common management system
requirements as a framework for integration»
[6] Shishkin V., Yusupov R.M. Doktrina informacionnoi bezopasnosti
Rossi’skoy Federacii — opit kolichestvennogo modelirovaniy. Tr.
SPIIRAN. – 2002. – vyp. 1. – Tom 1.
[7] Yusupov R.M., Shishkin V. О nekotorih protivorechiyah v reshenii
problem informacionnoi besopasnosti. Tr. SPIIRAN. – 2008. – vyp. 6.
— pp. 39–59.
[8] Kotenko I.V., Saenko I.B., Yusupov R.M. Analiticheskiy obzor
dokladov Mezhdunarodnogo seminara ―Nauchniy analis i podderzhka
politik bezopasnosti v kiberprostranstve‖ (SA&PS4CS 2010). Tr.
SPIIRAN, 2010, vyp. 2, pp. 226 – 248
[9] Livshits I., Poleshuk A. Prakticheskay ocenka resultativnosti ISMS v
sootvetstvii s trebovaniyami razlichnih system standartizacii: ISO
27001 i STO Gazprom. Tr. SPIIRAN. – 2015. – vyp. 3. – pp. 33 – 44.
[10] Livshitz I. [Practical purpose methods for ISMS evaluation].
Menedzhment kachestva – Quality Management. 2013. vol. 1. pp. 22–
34 (In Russ).
[11] Livshitz I. [Approaches to the application of the integrated
management system model for carrying out audits for complex
industrial facilities – airport complexes]. Trudy SPIIRAN – SPIIRAS
Proceedings. 2014. vol. 6, pp. 72–94. (In Russ).
[12] Arzamazov M.A., Serov G.P. Konsolidatsiya obshich trebovani’ k
otdel’nym sistemam menegmenta I innovatcii pri razrabotke
integrirovannih sistem menegmenta // Nauka I technologii
124
truboprovodnogo transporta nefti I nefteproduktov. – 2012. – vyp.1. –
pp. 52-55.
[13] Malysheva E.Y., Bobrovski’ S.M. Architektura informacionno’ sistemy
ocenki integrirovannih sistem menegmenta // Vektor nauki Tol’atti
Universitet. – 2012. – vyp. 1. – pp. 64-67.
[14] Ajam M., Alshawi M., Mezher T. Augmented process model for e-
tendering: toward integrating object models with document
management systems.
Automation in Construction. 2010. V. 19. № 6. pp. 762-778.
[15] Sheverda V.V. Podhody k razrabotke integrirovannih sistem
menegmenta na predpriyatiyah elektronno’ promyshlennosti // Voprosy
sovremennoy nauki b praktiki. Yniversitet im. V.I. Vernadskogo. –
2012. – vyp. 3. – pp. 250-254.
[16] Mengersen K., Whittle P.J.L., et al. Beyond compliance: Project on an
Integrated system approach for PEST risl management in South East
Asia. EPPO Bulletin. 2012. V. 42. № 1. pp. 109-116.
[17] Portyanko T.M. Tendencii sozdaniy integrirovannih sistem
menegmenta na predpriyatiyah promyshlennogo kompleksa //
Vostochno-Evrope’ski’ zhurnal peredovyh technologi’. – 2010. – Vol.
2. – vyp 8 (44). pp. 40-43.
[18] ISO 19011:2011.Guidelines for auditing management systems;
[19] Griffith A. Management systems for sustainable construction:
Integrating Environmental, Quality and Safety management systems.
International Journal of Environmental Technology & Management.
2002. V. 2. № 1-3. p. 114.
[20] RAROC and risk management: Quantifying the risks of business.
Bankers Trust New York Corporation, 1995.
[21] Smith, Gordon E. (1992, ASQC) Massey University, Palmerston North,
New Zealand, Auditing Statistical Methods for ISO 9001. Аnnual
Quality Congress, Nashville TN Vol. 46 No. 0, QICID: 9905 May 1992
pp. 849-854
[22] ISO/IEC 27000:2014. Information technology. Security techniques.
Information security management systems // Overview and vocabulary,
International Organization for Standardization. 2014. 31 p.
[23] ISO/IEC 27004:2009. Information technology. Security techniques.
Information security management systems // Measurement,
International Organization for Standardization. 2009. 55p.
[24] ISO 17021:2011. Conformity assessment -Requirements for bodies
providing audit and certification of management systems;