This article looks at IT audits as they pertain to information security risk management. One of our consultants has been performing many IT audits as the opening phase of the risk management process for our clients. He holds the CIA, CFSA and CISA certifications and is a highly experienced auditor, and his perspective provides insight into what is required to prepare for and execute IT audits and risk management successfully.
Maintaining a certification requires the organization to conduct periodic audits that inspect and demonstrate continued compliance. These internal audits are performed within the timeframe designated by the recertification guidelines, usually one to two years. Typically the IT auditor creates an audit plan that maps the organization's processes to the controls of the chosen standard(s); the implementation status of each control is then verified for compliance. A best practice for the auditor is to group the controls by relevance, for example IT equipment management, physical access to premises and entry points, or logical access to the system infrastructure, which streamlines the implementation effort.
When creating the audit program for each of the organization's processes, the auditor often relies on checklists based on the controls and spread over a timeline, ensuring that the compliance requirements are met before the official certification audit. A gap analysis such as the one built into RM Studio really comes in handy here, as it contains references to the policies and procedures relevant to evaluating compliance. A proper and complete gap analysis records, for every control, its implementation status together with the justification for that status, since that justification is what shows the organization actually meets the control; the Statement of Applicability then carries the same status and justification for each control.
Let's look at a quick example: ISO/IEC 27002:2013 control 9.1.1 states that "an access control policy should be established, documented and reviewed based on business and information security requirements." The gap analysis justification for the implementation of control 9.1.1 would then be a detailed reference to the organization's Access Control Policy document, available on the internal web server. The auditor records that reference in the evidence part of the checklist and then asks the question auditors are famous for asking: "show me." Note that the control asks for a policy that is established, documented and reviewed, so the auditor will want to see not only the document itself but also evidence that it has been approved and reviewed, such as its version history and review dates.
This approach lets the auditor build the audit checklist efficiently without compromising the integrity of the audit work. The primary purpose of an IT audit is, after all, to verify compliance with a given control framework and then to proceed to the testing phase of the audit, where the documented controls are checked against what is actually in place.
RM Studio has assisted organizations of all types and sizes around the world in establishing a competent risk management strategy and achieving certification or compliance against ISO 27001, ISO 9001, PCI DSS and other international standards. Try it free for 15 days or contact us for a live online demonstration. RM Studio comes complete with the Gap Analysis module, the Risk Assessment & Risk Treatment module, and the Business Continuity Management module.
The consultancy and audit work described in this article is performed daily by our team. If you would like more information, please contact us; we may be able to provide our expertise for you.