The IT Governance Audit and Review is an in-depth and detailed evaluation of an organisation’s cyber security posture in relation to its compliance with UK government security objectives, policies, standards and processes.
It is designed to provide public and private-sector organisations with an audit of their compliance readiness in relation to the standard for which they seek accreditation. In other words, this consultancy service is a risk- and compliance-based audit.
The objective of our cyber security audit and review
The objective of our Audit and Review service is to assist clients by providing independent risk- and compliance-based audit assessments of their compliance with HMG security objectives, policies, standards and processes, such as the HMG SPF (Security Policy Framework), the National Cyber Security Strategy and the HMG IAMM (IA Maturity Model), and with other relevant schemes, regulations and standards, such as the NIS Regulations (Network and Information Systems Regulations 2018), ISO 27001, Cyber Essentials, 10 Steps to Cyber Security, the Cloud Security Principles and the PCI DSS (Payment Card Industry Data Security Standard).
Who is the cyber security audit and review designed for?
IT Governance’s Audit and Review consultancy service is primarily designed for public-sector and CNI (critical national infrastructure) organisations of any size that require independent risk- and compliance-based audit assessments. It is also beneficial for private-sector organisations that seek to provide a high level of assurance and instil confidence among their public-sector customers and stakeholders.
What the service delivers
You will receive consultancy support and advice on:
- Verifying that information processes are in line with security policy criteria and procedural requirements;
- Defining and implementing processes and techniques to ensure ongoing compliance with security policies, standards, and legal, regulatory and contractual requirements;
- Carrying out security compliance audits in accordance with an appropriate methodology, standard or framework;
- Providing impartial assessment and audit reports covering security compliance audits, investigations and information risk management;
- Providing an independent opinion on whether your organisation is meeting information assurance control objectives;
- Developing audit plans and audit regimes that match your organisation’s business needs and risk appetite;
- Identifying your organisation’s systemic trends and weaknesses in security;
- Recommending responses to audit findings and appropriate corrective actions;
- Recommending appropriate security controls;
- Assessing the management of information risk across the organisation or business unit;
- Recommending efficiencies and cost-effective options to address non-compliance issues and information assurance gaps identified during the audit process; and
- Objectively assessing the maturity of an existing information auditing function using cross-government benchmark standards.
Depending on the type of audit and review engagement, the audit will focus on one or a combination of the following policies, standards and frameworks:
- HMG Security Policy Framework
- NCSC Policies and Guidelines
- 10 Steps to Cyber Security
- 20 Critical Controls for Cyber Defence
- IA Maturity Model
- NIS Regulations
- 14 Cloud Security Principles
- Cyber Essentials
- EU GDPR (General Data Protection Regulation)
- ISO 27001
- NHS DSP (Data Security and Protection) Toolkit
- NHS DCB 1596 Secure Email Standard
- PCI DSS