IT Security Audits Procedure | ITSD107



IT Security Audits Procedure

The IT Security Audits Procedure ensures your company’s IT security system performs as expected by conforming to legal, regulatory and your own requirements.

The IT Security Audits Procedure also ensures that the system is effectively implemented and maintained. The security audit procedure applies to all IT systems and assets. (12 pages, 1572 words)

Your company should conduct internal audits of its security management system at planned intervals (annually, at a minimum) to determine if its control objectives, controls, processes, and procedures conform to legal/regulatory and company information security requirements; are effectively implemented and maintained; and perform as expected.

IT Security Audits Responsibilities:

Information Technology Managers are responsible for attending opening and closing meetings regarding the Information Technology Security audit, reviewing audit findings, and for final approval of the audit report.

The Audit Team Leader is responsible for conducting and supervising the Information Technology Security audit; supervising audit team members, if any; conducting opening and closing meetings for the audit; and preparing and presenting the final audit report.

The Information Technology Security Manager is responsible for reviewing findings of the Information Technology Security audit and overseeing corrective actions, if any.

Information Technology staff are responsible for complying with the Information Technology Security audit while in process and providing assistance to the security auditor, when needed.

IT Security Audits Definitions:

Audit criteria – Policies, practices, procedures, or requirements against which the auditor compares collected audit evidence about the subject matter.

Audit evidence – Records, statements of fact, and other information that are relevant to the audit criteria and verifiable.

Auditee – Party or parties whose processes, procedures, etc., are the subject of an audit.

Security audit – An examination of a computer system for security problems and vulnerabilities.

IT Security Audits Procedure Activities

  • IT Security Audit Planning
  • IT Security Audit Plan
  • IT Security Audit Review
  • IT Security Audit-Corrective Action

IT Security Audits Procedure References

  • ISO/IEC 27001:2013 - Information Security Management Systems - Specification with Guidance for Use
  • ISO 19011:2011 - Guidelines for Quality and/or Environmental Management Systems Auditing

IT Security Audits Procedure Forms

 
