The New Role of the Auditor: Beyond Compliance in Industrial Cybersecurity

Centro de Ciberseguridad Industrial

Historically, traditional auditing has been limited to certifying an organization’s compliance with certain standards or regulations, a mere formality that can be summed up in the phrase: “We need to get them to certify that we comply.” However, modern industrial cybersecurity auditing has evolved to go far beyond simple certification.

The strategic approach of the current Audit

Today, auditors not only review standards, but also analyze a conceptual flow focused on process sustainability, with the following phases:

  1. Review and justify the organization’s Risk Map.
  2. Analyze the mitigating controls assigned to that Map, based on standards such as ISO 62443, NIST, or SGCI.
  3. Evaluate the implementation and the actual, effective operation of these controls.
  4. Issue an Audit Report that identifies the root causes of the weaknesses and deficiencies observed, so as not to focus solely on the symptoms.

Ultimately, this process translates into a maturity assessment. The ultimate goal is to reach the “Optimized” level, the only one that guarantees the organization’s true long-term sustainability.

To carry out this maturity assessment, both during audits and as a preventive measure, we rely on powerful tools such as MACIN.

This application, offered and developed by the CCI, reviews the organizational structure, the scheme of roles, responsibilities, and capacities for action, analyzing in detail:

  • 10 domains and 45 logical cybersecurity objectives.
  • 175 practices evaluated across four key dimensions: Processes, Technology, People, and Results.
  • 5 maturity levels: Initial (1), Repeatable (2), Defined (3), Managed (4), and Optimized (5).

Value for Senior Management

The use of the MACIN tool provides a provisional Maturity Level, which the auditor is responsible for confirming with evidence.

It is a very valuable tool, both for the manager of an industrial facility and for the industrial control systems auditor. It allows both to obtain a strategic vision based on verifiable data.

With the help of MACIN, the Audit Report has two well-documented parts: on the one hand, it details the Significant Events (findings and operational weaknesses) and, on the other, it indicates the Level of Maturity to Senior Management in a justified manner, providing a clear strategic vision of the barriers that must be overcome to achieve resilient and sustainable industrial cybersecurity.

Erik De Pablo

Cybersecurity Audit Expert
