Information security audits – the key to effective information security

There is no doubt that the boards of most enterprises are becoming increasingly aware of the risks posed by cyber crime. The board is, of course, responsible for information security governance in relation to protecting assets, fiduciary aspects, risk management, and compliance with laws and standards. But how can the directors ensure that their information security programme is effective and delivering a true return on their often significant investment?

At the heart of best practice and standards

Information security audits provide the assurance required by information security managers and the board. Auditing and the production of clear audit reports are crucial to ensuring the effective management of information systems. They are also mandatory in many IT best-practice frameworks and standards, including ITIL®, PRINCE2®, COBIT® 5, the PCI DSS and ISO 27001.

For an organisation to achieve certification to the ISO 27001 standard, regular internal audits must be completed, along with an external audit performed by an auditor from a certification body (such as BSI, LRQA or DNV).

The ISO 27001 internal auditor is responsible for reporting on the performance of the information security management system (ISMS) to senior management. They also continually monitor the effectiveness of the ISMS and help senior managers determine if the information security objectives are aligned with the organisation’s business objectives.

At the core of information security management training and qualifications

Effective auditing is at the core of our Lead Auditor and Internal Auditor training course portfolio, which covers the ISO 27001 information security, ISO 22301 business continuity and ISO 20000 service management standards. Auditing skills are also covered in our COBIT 5 Foundation, Implementation and Assessor classroom courses.

Last – but definitely not least – all delegates attending our CISA Exam Preparation course will be examined on Domain 1 – The Process of Auditing Information Systems. This includes answering questions on audit planning, reporting on audit findings, and making recommendations to key stakeholders to communicate the results and effect change when necessary.

Introduced in 1978, Certified Information Systems Auditor (CISA) is the ‘granddaddy’ of the ISACA range of certificates and is held by over 118,000 IT professionals worldwide. It is globally recognised as proof of competency and experience in providing assurance that critical business assets are secured and available.