When Was the Last Time Your Business Had an Information Security Review?
Commissum’s detailed audit:
- Focuses on selected elements of information systems, networks, or security process and practice
- Closely inspects security policy, practice, technology or other components
- Is conducted by observation, inspection and interview
- Follows ISO 27001/2
Commissum will provide:
- An expert, unbiased opinion
- Advice on the adequacy of security technology or practice
- Indications where improvements can be made
- Confirmation of the adequacy of controls
- Indication of unnecessary controls, which may be an overhead
Security Audit Issues
An organisation may have particular concerns about specific parts of its information systems, networks, or security process and practice. These could be operating procedures, backup arrangements, password management, user management or development procedures. The organisation may be concerned about a particular application or architectural component such as a DMZ (De-Militarised Zone). The concerns may arise from issues raised by a higher-level audit, from a regulator’s requirements, or from concern about the manageability of security in a particular area.
The detailed audit involves close inspection of security policy, practice, technology or other components. It concludes whether the existing security controls are:
- Appropriate to the organisation’s needs
- Correctly configured and adequate for the task
- Sufficiently documented
- Well-operated and demonstrably so
A security audit will normally be conducted by observation, inspection and interview. In some cases, system or software testing will be conducted to augment the auditor’s work. Tools to interrogate logs and other records may be required.
The elements of a security audit are:
- Agree the scope and objectives of the audit
- Identify people and locations and establish a schedule
- Conduct preliminary documentation review and other necessary research
- Conduct inspections and interviews
- Draw up preliminary findings and report back to client
- Negotiate differences of opinion
- Produce final report (reporting on strong, adequate and weak practice)
- Deliver final report and recommendations
The Commissum audit will follow ISO 27001/2 but, due to the detail normally required, will go deeper than the clauses of ISO 27002 – for example, the technical sections will need to be interpreted for specific technologies and platforms.
Commissum will provide an expert, unbiased opinion on the adequacy of security technology or practice in a specific part of the business or IT operation, indicating where improvements can be made and the steps needed to achieve them. The client will also receive confirmation of the adequacy of controls and, conversely, an indication of unnecessary controls. The latter may be an impediment to doing business effectively.