• DocumentCode
    175392
  • Title

    Challenges to a Smooth-Running Data Security Audits. Case: A Finnish National Security Auditing Criteria KATAKRI

  • Author

    Rajamaki, Jyri

  • Author_Institution
    Laurea Univ. of Appl. Sci., Espoo, Finland
  • fYear
    2014
  • fDate
    24-26 Sept. 2014
  • Firstpage
    240
  • Lastpage
    243
  • Abstract
    An information security management system (ISMS) provides controls to protect organizations' most fundamental asset, information. KATAKRI is a Finnish national security auditing criteria that is based on several ISMS standards and best practices. It was initially intended to be used by public sector to audit private sector service providers, but it has been adopted also as a baseline of requirements for private sector security standards. First, this paper explores the expectations for security auditing criteria, processes and auditors. The case study research (CSR) was conducted in the form of interviews (n=25), questionnaires (n=45) and observations. Second, a design science research (DSR) exploits the combined CSR results for designing a model for a well-run ISMS audit. The CSR results show that the different goals of a security audit can be in conflict. The results also indicate that KATAKRI has defects due to its inconsistency. One task of auditing processes should be collecting information about shortcomings of applied criteria. This paper's new model for KATAKRI audits includes this activity.
  • Keywords
    information management; security of data; CSR; Finnish national security auditing criteria; ISMS; KATAKRI; case study research; information security management system; smooth-running data security audits; Companies; ISO standards; Information security; National security; Standards organizations; KATAKRI; information security management system; national security auditing criteria; security auditing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Intelligence and Security Informatics Conference (JISIC), 2014 IEEE Joint
  • Conference_Location
    The Hague
  • Print_ISBN
    978-1-4799-6363-8
  • Type

    conf

  • DOI
    10.1109/JISIC.2014.45
  • Filename
    6975582