An Information Security audit is a comprehensive assessment carried out to determine the current state of Information Security in a business and to plan timely actions that raise the level of security.
An Information Security audit is conducted whenever there is a current need for an independent assessment of the state of Information Security.
Why do you need an internal audit?
There are a number of reasons to perform internal audits, whether one-time, ad hoc, or regularly. Some of these may be:
- If there is a change in the strategy of the company;
- In case of mergers or acquisitions;
- When there are significant changes in the organizational structure of the company or change of leadership;
- When there are new internal or external requirements for Information Security;
- In the event of significant changes in the business processes and IT infrastructure.
THE RULES OF AUDIT
When performing an internal audit, one needs to take into account and adhere to the following “rules”, which describe the activities the audit should cover:
- Analysis of the organizational and administrative documents of the company;
- Interviews with employees of the organization: representatives from the business units, the administrators and developers of information systems, professionals in Information Security;
- Inspection of office premises in terms of the physical security of the IT infrastructure;
- Analysis of the configuration settings of hardware and software;
- Audits performed with specialized tools (scanners, security analysis, information leakage controls, etc.);
- Penetration testing;
- Assessment of the knowledge of workers in the field of Information Security.
An additional examination can be made that takes into account the particularities of the audited company. If necessary, information needed for other projects may also be collected during the study phase; this later saves the organization additional resources and helps with the allocation of its budget.
INDEPENDENT vs. INTERNAL IT AUDIT
Objective – An independent audit is usually performed either due to regulatory requirements or at the request of third parties wishing to enter into collaborative or supplier relations, an outsourcing partner, for example. Internal audits are usually mandated by management and are more focused on business operations and their continuity.
Auditors – An independent audit is carried out by an external team, while internal audits are performed by members of staff. While the independent auditor may provide a more “fair view” of the current state, the internal audit may reflect a business’s proprietary technological and organizational characteristics more closely, with in-depth findings.
Reporting – Usually, an independent IT audit results in a main report in a format required by auditing standards, with a focus on whether the company’s Information Security claims give a true and fair view and comply with requirements. These reports, whether formal or not, are designed to provide a status snapshot rather than detailed recommendations on how to make things better.
Internal audit should produce a tailored report about how the risks and objectives are being managed – with a focus on helping the business move forward. As such, internal audit reports are expected to contain recommendations for improvement of the organization’s Information Security.