Information Security Audit Checklist

According to the Information Security Forum, security management is “keeping the business risks associated with information systems under control within an enterprise.”

Requirements for security management include clear direction and commitment from the top, the allocation of adequate resources, effective arrangements for promoting good information security practice throughout the enterprise, and the establishment of a secure environment.

An information security program is a critical component of every organization’s risk management effort, providing the means to protect the organization’s information and other critical assets. Therefore, the information security program should be assessed at planned intervals to ensure it is meeting requirements and achieving objectives, and to identify opportunities for security improvements.

The audit team should look for evidence that the information security program is well organized and well managed. The security program must also specifically mitigate risks in satisfying key business objectives, and this traceability must be clear.

The information security audit should confirm that key risks to the organization are being identified, monitored, and controlled; that key controls are operating effectively and consistently; and that management and staff have the ability to recognize and respond to new threats and risks as they arise.

The information security audit’s goals, objectives, scope, and purpose will determine the actual audit procedures and questions that are required. The IT Compliance Institute has published a series of IT Audit Checklists, including the Information Security Checklist written by Dan Swanson.