Futility of Info Sec Audit (20040125)

In this essay we would like to prove that the information security audit is useless and a waste of money unless it is conducted to obtain a certification of information security. Instead of the audit, we strongly recommend that companies simply implement the generally implemented information security measures. By 'generally implemented information security measures' we mean the measures that are actually implemented to improve information security in companies in the same industry as, or of the same size as, your company.

Before starting our argument, we would like to define the basic terminology. 'Information security' means ensuring the confidentiality, integrity and availability of information in a certain company by implementing appropriate measures. An 'information security audit' is an audit conducted by an audit corporation or an information security vendor in order to assess the current status of information security in the audited company. The deliverables of an information security audit usually contain a report on the current status of information security, an analysis of that status, and recommendations of countermeasures for improving information security in the audited company.

If an information security audit is to be possible, there must be predefined criteria that differentiate an 'insecure' status from a 'secure' status. In the deliverables of the audit, the audited company naturally expects its current information security status to be evaluated against certain criteria. If the audited company meets the criteria, the auditor concludes that its information security has no problem. If not, the auditor provides recommendations to improve it.
The criteria must consist of the items or targets that will be assessed in the audit and the way of quantifying how secure each target is. Regarding the scope of targets assessed in an information security audit, many audit corporations seem to adopt a certain international standard, such as ISO17799. ISO17799 itself is a summary of the practices commonly observed in various companies all over the world, so it is appropriate to adopt such an international standard as the scope criterion that limits the objects assessed in the audit. For example, the audit targets include items such as hardware (laptop PCs, servers, mainframe computers, network appliances, etc.), software (package software, internally developed software, etc.) and organizational aspects (laws and regulations, internal rules and standards, employee rules, etc.).

But regarding the way of quantifying how secure each target is, things are not so simple. In order to quantify security, the first thing you must do is define how many threats can be foreseen for a certain target, for example a 'server'. Then you must define the probability and impact of each threat, for example 'intrusion into a server via the network'. By defining the probability and impact of each threat, you can quantify the effort necessary to avoid it. If you can quantify the effort, you can quantify the security level of each target by assessing how much of that effort is already implemented in the audited company.

However, it is impossible to define the number of threats to each target. For example, can you define exactly how many threats a laptop PC faces? In effect, it is impossible by definition to define the number of threats to each target, and consequently the total number of threats to all the audited targets. The reason lies in the definition of 'threat'. A 'threat' is something that has not actually happened yet but can happen in the future in the company.
We can never define the exact number of things that can happen in the future. Therefore it is totally useless to try to define the total number of threats.

Regarding the total number of threats, there is a typical mistake we usually observe in many companies. Many people tend to think that there are threats that can happen only in their company and will never happen in other companies. They maintain that information security threats vary from company to company. But regarding what has not actually happened yet, how can you assert that it can happen only in your company and never in other companies? Threats are pure possibility or probability by definition. Nobody can talk about a threat specific to a certain company. What is probable for a certain company is also probable for every company. So all we can do is limit the number of threats to each audited target by referring to various international standards.

For the same reason that you can't talk about threats that can happen only in a certain company, you must deal with the probability of each threat. Again, the probability of a certain threat is equal for every company. It is nonsense to maintain that a certain threat has different probabilities from company to company. For example, the probability of a huge earthquake in the eastern part of Japan does not vary from company to company. It goes without saying that the earthquake can happen regardless of the existence of company A or company B. Some people seem to have a misunderstanding about probability as well. They maintain that the probability of computer virus incidents is higher in their company than in other companies. But this is simply wrong. The probability of computer virus incidents is equal for every company. The actual impact, however, will differ from company to company according to how far each company has already implemented anti-virus measures.

Now comes the next question, about the impact of each threat.
How can we define the impact of a threat that has not actually happened yet? All we can do is rely on various estimations based on probability theory. We can never know how big the impact will be until it actually happens in your company. All you can learn in advance is the estimated impact people can expect from the threat. So the estimated impact is also equal for every company. It is total nonsense to maintain that the impact of a threat is larger or smaller in your company than in another company. Even an information security audit can never tell you the actual impact of each threat. It can tell you only the estimated impact of each threat in your company.

By the way, how can the auditor estimate the impact of each threat in your company? The only way to estimate it is to compare the current status of your company with a certain criterion, i.e. the estimated impact of the threat for every company (which has exactly the same meaning as 'regardless of any company'). Although the latter, i.e. the estimated impact of the threat regardless of any company, can be calculated purely from probability theory, how is the current status of your company defined? The only way to estimate the current status of your company is to assume a 'perfect status' regarding the threat in question. For example, if you want to estimate your company's current vulnerability to computer viruses, you must first assume a status of no vulnerability. Now the question is how you can define the perfect status of no vulnerability regarding each threat. In order to define perfect invulnerability, you must know the whole scope of the impact of each threat. But let's remember the definition of 'threat'. A threat is something that has not actually happened yet but can happen in the future. Regarding what has not actually happened yet, we can never know the whole scope of its impact. So you can't know the perfect invulnerability to any threat.
And you can't estimate the current status of your company's vulnerability to any threat. This means you can't estimate the impact of any threat in your company. All you can get is the estimated impact of each threat regardless of any company.

Regarding both the probability and the impact of threats, all the information you can get is the estimated probability and impact regardless of any company. You completely fail to estimate any probability and impact of threats that differ from those of other companies. The probability and impact of threats can be estimated on the basis of probability theory only when they are indifferent to companies. Let's call this the 'objective' probability and impact of threats. In addition, we have already confirmed that we can't say the total number of possible threats is different in your company from in others. Regarding the total number of possible threats, we can also talk only about the 'objective' number of possible threats. It is calculated, at most, on the basis of various international standards such as ISO17799.

Now we've learned that there is no company-specific scope of audited targets, no company-specific scope of threats to each audited target, and no company-specific probability or impact of each threat. In a word, all we have are the 'objective' criteria that are estimated on the basis of some probability theory. There can be no company-specific status of information security. But this is self-evident. Regarding a pure probability, how can we say it differs in our company by this amount from other companies? We can never identify the difference of a pure probability from company to company.

If we admit that we can't identify a current status of information security in one company that differs from that in another, what are the auditors doing in the information security audit? What are they reporting in the deliverables? You might expect the metaphor of green, yellow and red traffic lights in the final report of your company's information security audit.
What do all these traffic lights mean? In effect, the auditors never assess the current status of your information security or the probability and impact of each threat to each audited target. The auditors show only what your company has not yet implemented out of the generally implemented set of information security measures. You can call this 'best practice' or a 'benchmark'. All that information security auditors can show you is a comparison between the information security measures already implemented in your company and the 'best practice'.

Regarding information security, the most important thing is this 'generally implemented set of information security measures', because it is the only criterion that allows you to compare your company with other companies. In addition, these generally implemented information security measures are widely believed to reduce the probability or impact of the corresponding security threats. I can't repeat the following sentence too often. An information security audit can never teach you the 'current status' of your company's information security, because it is complete nonsense to talk about the current status of probable things (in the case of information security, the current status of probable information security threats). All you can learn from an information security audit is the difference between your company's practice and the generally implemented information security measures.

Then why don't you skip the information security audit and immediately start the project of implementing the 'generally implemented information security measures'? You can't improve your information security by an information security audit. Until you implement the generally implemented information security measures, you can never reduce the probability and impact of security threats.
It is the only way to improve your company's information security, because it is the only criterion, if there is any 'criterion', regarding information security. You can optimize the implementation cost of the various information security measures through multi-project management. But you can't get back the time you waste conducting an information security audit. If there is any reason to conduct an information security audit separately from the implementation projects for each security measure, it is to get certified against a certain international standard.

Unauthorized reproduction prohibited.