Engineering LibreTexts

4.2.1: Information Security Audit


    Phases of the Audit process

    An information security audit consists of six steps. Depending on which source is consulted, there may be more or fewer than six steps, they may be named differently, and they may appear in a slightly different order.

    Preliminary audit assessment

    During the first stage of the audit, the auditor is responsible for assessing the current technological maturity level of the company. This stage establishes the company's current status and helps determine the time, cost and scope the audit will require. First, identify the minimum security requirements, which cover the following areas:

    • Security policy and standards
    • Organizational and personnel security
    • Communications, operations and asset management
    • Physical and environmental security
    • Access control and compliance
    • IT systems development and maintenance
    • IT security incident management
    • Disaster recovery and business continuity management
    • Risk management

    The auditor also has the task of gathering knowledge and inputs on the following aspects of the organization or system being audited:

    • The organization's operating environment and its function
    • The criticality of the IT system, i.e. whether it is a mission-critical system or a support system
    • The structure of the organization
    • The nature of the software and hardware in use
    • The nature and extent of the threats and risks facing the organization

    Planning & preparation

    The auditor should plan the company's audit based on the information gathered in the previous step. Planning an audit helps the auditor obtain sufficient and appropriate evidence for each company's specific circumstances. It also helps keep the predicted audit cost at a reasonable level, assign appropriate staff and a realistic timeline, and avoid misunderstandings with the client.

    An auditor should be adequately informed about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes. To adequately determine whether the client's objective is being achieved, the auditor should do the following before conducting the review:

    • Meet with IT management to determine possible areas of concern
    • Review the current IT organization chart
    • Review job descriptions of data center employees
    • Research all operating systems, software applications, and equipment in use within the data center
    • Review the company's IT policies and procedures
    • Evaluate the company's IT budget and systems planning documentation
    • Review the data center's disaster recovery plan

    Adapted from:
    "Information security audit" by various authors, Wikipedia, licensed under CC BY-SA 3.0


    This page titled 4.2.1: Information Security Audit is shared under a CC BY-SA license and was authored, remixed, and/or curated by Patrick McClanahan.
