Operation & Practice
2 February 2024

In search of artifacts: What does a compliance auditor hope to discover?


An artifact is an element created as an output from a process or project. An artifact can be a document, record, report or tool used to plan, organize, implement, monitor and control ISMS-related activities. It is proof that the activity actually took place.


In concrete terms, artifacts are tangible elements that confirm that a process, a practice or an action has indeed been taken by the organization.

You say you bought the book, so where’s the invoice?

As the auditor must confirm that the organization is in control of its security procedures and measures, the artifacts demonstrate to the auditor that this is the case.

For example, when an auditor asks the organization whether an external, independent security test was carried out in the last year, the auditor wants to see the signed contract proving that the external firm was hired, as well as the report that was produced.


When an organization implements an Information Security Management System (ISMS) to ISO 27001, it generates a variety of artifacts to document and support the operation of the ISMS. These artifacts are essential for demonstrating compliance during external audits.

Here are the different types of artifacts encountered and requested by auditors; this is by no means an exhaustive list. Artifacts can be physical or digital. In addition, artifacts can be direct evidence of an activity, or indirect.

Policy documents

Policy documents define the security rules and principles for the organization. Formal policies, such as the information security policy, access policy and security awareness policy, are key artifacts that auditors examine to assess the organization’s commitment to information security.

Documented procedures and processes

Documented procedures and processes are artifacts that describe the steps and responsibilities for implementing security controls. They cover areas such as security incident management, asset maintenance, access management and data backup. Auditors examine these documents to assess whether security controls are correctly defined and applied.

Registers and journals

Registers and event logs are artifacts that track and monitor the organization’s security activities. For example, they can include security incident logs, system access logs, asset maintenance logs and security training and awareness logs. Auditors use these artifacts to verify that security processes are effectively implemented and controlled.

Meeting minutes

Meeting minutes serve as evidence that information security issues are regularly addressed and discussed within the organization. Auditors will review the minutes of ISMS Steering Committee meetings, management review meetings and incident management meetings to assess management commitment and coordination of security efforts.

Plans and reports

Plans and activity reports are artifacts that also demonstrate the monitoring of the organization’s security activities. These may include risk treatment plans, risk assessment reports, business continuity plans and internal audit reports. Auditors use these documents to ensure that a structured and systematic approach is in place to manage information security risks.


Manual or automatic artifacts?

Manual and automated artifacts are two distinct categories of elements created by individuals or systems. Each has its own characteristics and applications. Here are some notable differences between manual and automated artifacts, and their uses in various contexts.

Manual artifacts:

  1. Creation: Manual artifacts are created by individuals using non-automated processes, which can include writing, drawing, e-mailing, posting to a tracking system, etc.
  2. Originality: Manual artifacts often have a personal touch and can reflect the individuality, skills and ideas of their creator.
  3. Control: Manual artifacts allow direct, intentional control over their creation, which can be essential in certain situations where precision and detail are paramount.
  4. Application: Manual artifacts are commonly used in less mature companies, where a lot of activity relies on a single individual or a small group.

Unfortunately, these artifacts are less reliable as they may have been manually created minutes before an audit.

Automated artifacts:

  1. Creation: Automated artifacts are generated by machines, software or automated systems, without direct human intervention.
  2. Uniformity: Automated artifacts are often more uniform and consistent, as they are produced following predefined rules and processes.
  3. Efficiency: Creating automated artifacts can be faster and more efficient than creating manual artifacts, because machines and systems can process large amounts of data and perform complex tasks in a short space of time.
  4. Application: Automated artifacts are commonly used in more mature companies with solid, repeatable procedures and larger teams.

Automated artifacts are generally more suitable and appreciated for their efficiency and accuracy.

Finally, we need to consider the preservation of these digital artifacts, which requires protecting the data against corruption, loss and technological obsolescence: making backups, using standard or durable formats, and allowing easy upgrades or migrations to new systems.
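The two points above, automated artifacts being more credible than documents written shortly before an audit, and digital artifacts needing protection against corruption, both come down to being able to show that an artifact has not changed since it was produced. The script below is an added illustration, not code from the article or its author: it builds an evidence manifest (SHA-256 digest, size and a collection timestamp for each artifact file) and later verifies the artifact folder against that manifest, reporting files that are unchanged, modified, missing or unexpected. File names and contents in the demo are constructed sample data; in practice the manifest itself would be stored separately from the artifacts (for example with the internal audit records) so that it cannot be edited alongside them.

```python
"""Evidence manifest for audit artifacts (added illustration, not from the article).

Builds a manifest of collected artifact files with SHA-256 digests and a
collection timestamp, then verifies the artifact folder against it so that
later edits or corruption are detected. All file names and contents below
are constructed sample data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large reports and logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir: str) -> dict:
    """Record digest and size of every regular file in the folder, plus when it was collected."""
    entries = {}
    for name in sorted(os.listdir(artifact_dir)):
        path = os.path.join(artifact_dir, name)
        if os.path.isfile(path):
            entries[name] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {"collected_at": datetime.now(timezone.utc).isoformat(), "artifacts": entries}


def dump_manifest(manifest: dict) -> str:
    """Serialize the manifest in a stable, human-readable form (a standard format for long-term storage)."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_manifest(artifact_dir: str, manifest: dict) -> dict:
    """Compare the folder with the manifest.

    Returns {file name: status} with status one of "ok", "modified", "missing"
    (listed in the manifest but gone) or "unexpected" (present but never collected).
    """
    results = {}
    for name, meta in manifest["artifacts"].items():
        path = os.path.join(artifact_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) != meta["sha256"]:
            results[name] = "modified"
        else:
            results[name] = "ok"
    for name in os.listdir(artifact_dir):
        path = os.path.join(artifact_dir, name)
        if os.path.isfile(path) and name not in manifest["artifacts"]:
            results[name] = "unexpected"
    return results


def demo() -> dict:
    """Constructed scenario: collect two artifacts, then append to one log after collection."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical artifacts: an external test report and a monthly backup log.
        with open(os.path.join(d, "pentest_report_2023.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample report\n")
        with open(os.path.join(d, "backup_log_2023-12.txt"), "w") as f:
            f.write("2023-12-01 02:00 backup job OK\n")

        manifest = build_manifest(d)
        manifest_text = dump_manifest(manifest)  # this is what would be archived separately

        # Someone "completes" the backup log after the evidence was collected.
        with open(os.path.join(d, "backup_log_2023-12.txt"), "a") as f:
            f.write("2023-12-31 02:00 backup job OK\n")

        return verify_manifest(d, json.loads(manifest_text))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

Running the demo reports the report as `ok` and the backup log as `modified`, which is exactly the distinction an auditor cares about: the manifest turns a manual or automated document into something whose state at collection time can be checked, rather than taken on trust.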

Remember – artifacts must be credible and as reliable as possible, since you are demonstrating your management ability to someone who is evaluating you.


I invite you to click on “Follow” to continue learning more about the field of information security.

Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity