4.2.1: Information Security Audit

Last updated
Save as PDF

Page ID: 88864

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

Phases of the Audit process

An information security audit is comprised of 6 steps. Depending on what source is consulted, there may be more or less than 6 steps, they may be named differently, and they may be in a slightly different order.

Preliminary audit assessment

The auditor is responsible for assessing the current technological maturity level of a company during the first stage of the audit. This stage is used to assess the current status of the company and helps identify the required time, cost and scope of an audit. First, identify the minimum security requirements:

Security policy and standards
Organizational and Personal security
Communication, Operation and Asset management
Physical and environmental security
Access control and Compliance
IT systems development and maintenance
IT security incident management
Disaster recovery and business continuity management
Risk management

The auditor also has the task of gathering knowledge and inputs on the following aspects of the object to be audited:

Organization’s operating environment and its function.
The criticality of the IT system, whether it is a mission-critical system or a support system
Structure of the organization
Nature of software and hardware in use
Nature and extent of the perils affecting the organization

Planning & preparation

The auditor should plan a company's audit based on the information found in previous step. Planning an audit helps the auditor obtain sufficient and appropriate evidence for each company's specific circumstances. It helps predict audit costs at a reasonable level, assign the proper manpower and time line and avoid misunderstandings with clients.

An auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether the client's goal is being achieved, the auditor should perform the following before conducting the review:

Meet with IT management to determine possible areas of concern
Review the current IT organization chart
Review job descriptions of data center employees
Research all operating systems, software applications, and data center equipment operating within the data center
Review the company's IT policies and procedures
Evaluate the company's IT budget and systems planning documentation
Review the data center's disaster recovery plan

Adapted from:
"Information security audit" by Various authors, Wikipedia is licensed under CC BY-SA 3.0