The IT Security Audits Procedure ensures your company’s IT security system performs as expected by conforming to legal, regulatory and your own requirements.

The IT Security Audits Procedure also ensures that the system is effectively implemented and maintained. The security audit procedure applies to all IT system and assets. (12 pages, 1572 words)

Your company should conduct internal audits of its security management system at planned intervals (annually, at a minimum) to determine if its control objectives, controls, processes, and procedures conform to legal/regulatory and company information security requirements; are effectively implemented and maintained; and perform as expected.

IT Security Audits Responsibilities:

Information Technology Managers are responsible for attending opening and closing meetings regarding the Information Technology Security audit, reviewing audit findings, and for final approval of the audit report.

The Audit Team Leader is responsible for: conducting and supervising the Information Technology Security audit, supervising audit team members, if any, conducting opening and closing meetings for the audit, preparing and presenting the final audit report.

The Information Technology Security Manager is responsible for reviewing findings of the Information Technology Security audit and overseeing corrective actions, if any.

Information Technology staff are responsible for complying with the Information Technology Security audit while in process and providing assistance to the security auditor, when needed.

IT Security Audits Definitions:

Audit criteria – Policies, practices, procedures, or requirements against which the auditor compares collected audit evidence about the subject matter.

Audit evidence – Records, statements of fact, and other information that are relevant to the audit criteria and verifiable.

Auditee – Party or parties whose processes, procedures, etc., are the subject of an audit.

Security audit – An examination of a computer system for security problems and vulnerabilities.

IT Security Audits Procedure Activities

IT Security Audit Planning
IT Security Audit Plan
IT Security Audit Review
IT Security Audit-Corrective Action

IT Security Audits Procedure References

ISO/IEC 27001:2013-Information Security Management Systems- Specification with Guidance for Use
ISO19011:2011-Guidelines for Quality and/or Environmental Management Systems Auditing