Last updated: April 29, 2026
A Kolkata cooperative bank passed its annual ISO 27001:2022 surveillance audit four years in a row. Then a real incident — a phishing-led BEC fraud — exposed that the change-management evidence for two of those four years had been fabricated by a junior IT-ops person under pressure to “make audit go away.” The certification was suspended, and the bank’s reputation took years to recover. Audit is not something that happens once a year; it is a continuous control programme. This module covers running a security audit function that produces real assurance rather than theatre.
Three lines of defence
The standard model:
- 1st line — operating teams running controls (engineering, IT-ops, business)
- 2nd line — security/risk function defining controls and monitoring 1st line
- 3rd line — independent internal audit; reports to audit committee, not to CISO
The Kolkata bank had collapsed the 2nd and 3rd lines into the same team. Self-attestation passed external audit because nobody independent verified it. Real assurance requires actual independence.
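As an added example (not code from the original module or the bank it describes), this is what independent verification of change-management evidence looks like in practice: the change register the 1st line attests to is reconciled against a deployment log from a system of record the attesting team cannot edit. Both inputs are constructed samples; the field names and the CI/CD-server source are assumptions.

```python
"""Independent reconciliation of change-management evidence.

Added example, not from the original page or the bank it describes. It
assumes two constructed inputs: the change register the 1st line attests
to, and a deployment log pulled from an independent system of record
(e.g. the CI/CD server) that the attesting team cannot edit.
"""
from datetime import datetime

# Constructed sample: the self-attested change register (1st-line evidence).
CHANGE_REGISTER = [
    {"change_id": "CHG-101", "target": "core-banking-api", "approved_at": "2026-03-02T09:00:00"},
    {"change_id": "CHG-102", "target": "swift-gateway", "approved_at": "2026-03-10T18:30:00"},
    {"change_id": "CHG-103", "target": "payments-db", "approved_at": "2026-03-15T11:00:00"},
]

# Constructed sample: deployments from the independent system of record.
DEPLOY_LOG = [
    {"change_id": "CHG-101", "target": "core-banking-api", "deployed_at": "2026-03-02T14:05:00"},
    {"change_id": "CHG-102", "target": "swift-gateway", "deployed_at": "2026-03-10T16:00:00"},
    {"change_id": None, "target": "email-relay", "deployed_at": "2026-03-12T02:40:00"},
]


def reconcile(register, deploy_log):
    """Cross-check attested approvals against deployments; return (severity, detail) findings."""
    findings = []
    by_id = {c["change_id"]: c for c in register}
    for d in deploy_log:
        chg = by_id.get(d["change_id"])
        if chg is None:
            # Production change the register never recorded: approval was never sought.
            findings.append(("high", f"unapproved deployment to {d['target']} at {d['deployed_at']}"))
        elif datetime.fromisoformat(chg["approved_at"]) > datetime.fromisoformat(d["deployed_at"]):
            # Approval timestamp later than the deployment: the evidence was backfilled.
            findings.append(("high", f"{chg['change_id']} approved after it was deployed (backfilled evidence)"))
        elif chg["target"] != d["target"]:
            findings.append(("medium", f"{chg['change_id']} approved for {chg['target']}, deployed to {d['target']}"))
    deployed_ids = {d["change_id"] for d in deploy_log if d["change_id"]}
    for c in register:
        if c["change_id"] not in deployed_ids:
            # Approved but nothing ever shipped: stale or fabricated paperwork.
            findings.append(("low", f"{c['change_id']} approved but no matching deployment"))
    return findings


if __name__ == "__main__":
    for severity, detail in reconcile(CHANGE_REGISTER, DEPLOY_LOG):
        print(f"[{severity}] {detail}")
```

Run continuously against the live system of record rather than once a year, the same check turns self-attestation into evidence the 3rd line can actually stand behind.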