Information security audits – the key to effective information security

There is no doubt that awareness of the risks posed by cyber crime is increasingly reaching the boards of directors of most enterprises. The board is, of course, responsible for information security governance in relation to protecting assets, fiduciary aspects, risk management, and compliance with laws and standards. But how can the directors ensure that their information security programme is effective?

The usual answer is that they ask their chief security officer or information security manager (or maybe just the IT manager), who says, “Don’t worry, we have an information security plan”, and explains the details of the security measures that have been implemented.

The directors then ask, “How do we know it’s working and is our significant capital investment paying off?”

At the heart of best practice and standards

Information security audits provide the assurance required by information security managers and the board. Auditing and the production of clear audit reports are crucial to ensuring the effective management of information systems. They are also called for by many IT best practice frameworks and standards, including ITIL®, PRINCE2®, COBIT® 5, the PCI DSS and ISO 27001.

For an organisation to achieve certification to the ISO 27001 standard, regular internal audits must be completed along with an external audit performed by an auditor from the certification body (such as BSI, LRQA or DNV).

The ISO 27001 internal auditor is responsible for reporting on the performance of the information security management system (ISMS) to senior management. They also continually monitor the effectiveness of the ISMS and help senior managers determine whether the information security objectives are aligned with the organisation’s business objectives.

At the core of information security management training and qualifications

Effective auditing is at the core of our Lead Auditor and Internal Auditor training course portfolio, which covers the ISO 27001 information security, ISO 22301 business continuity and ISO 20000 service management standards. Auditing skills are also central to our COBIT 5 Foundation, Implementation and Assessor classroom courses.

Last – but definitely not least – all delegates attending our CISA Exam Preparation course will be examined on Domain 1 – The Process of Auditing Information Systems. This includes answering questions on audit planning, reporting on audit findings, and making recommendations to key stakeholders to communicate the results and effect change when necessary.

Introduced in 1978, Certified Information Systems Auditor (CISA) is the ‘granddaddy’ of the ISACA range of certifications and is held by over 118,000 IT professionals worldwide. It is globally recognised as proof of competency and experience in providing assurance that critical business assets are secure and available.