Information Security Audit

commissum consulting services include audits, security healthchecks, ISO27001 reviews, CLAS consultancy and policy creation and management.

Our security awareness, training and education services allow organisations to enhance their employees' awareness and understanding of information security issues through managed awareness programmes, and delivery of training and educational products.

Security Audit

When was the last time your business had an information security review?

commissum's detailed audit:

  • Focuses on selected elements of information systems, networks, or security process and practice.
  • Involves close inspection of security policy, practice, technology or other components.
  • Is conducted by observation, inspection and interview.
  • Follows ISO27001/2.

commissum will provide:

  • An expert, unbiased opinion.
  • Advice on adequacy of security technology or practice.
  • Indications where improvements can be made.
  • Confirmation of the adequacy of controls.
  • Indication of unnecessary controls, which may be an overhead.

Detailed audit issues

An organisation may have particular concerns about specific parts of its information systems, networks, or security process and practice. These could be operating procedures, back-up arrangements, password management, user management or development procedures. The organisation may be concerned about a particular application or architectural component such as a DMZ (De-Militarised Zone). The concerns may arise from issues raised by a higher-level audit, from regulators' requirements, or from concern about the manageability of security in a particular area.

The detailed audit involves close inspection of security policy, practice, technology or other components. It concludes whether the existing security controls are:

  • Appropriate to the organisation's needs.
  • Correctly configured and adequate for the task.
  • Sufficiently documented.
  • Well-operated and demonstrably so.

Approach

An audit will normally be conducted by observation, inspection and interview. In some cases, system or software testing will be conducted to augment the auditor's work. Tools to interrogate logs and other records may be required.

The elements of an audit are:

  • Agree the scope and objectives of the audit.
  • Identify people and locations and establish a schedule.
  • Conduct preliminary documentation review and other necessary research.
  • Conduct inspections and interviews.
  • Draw up preliminary findings and report back to client.
  • Negotiate differences of opinion.
  • Produce final report (reporting on strong, adequate and weak practice).
  • Deliver final report and recommendations.

The commissum audit will follow ISO27001/2, but due to the detail normally required, will go deeper than the clauses of ISO27002 - for example the technical sections will need to be interpreted for specific technologies and platforms.

Detailed audit customer benefits

commissum will provide an expert, unbiased opinion on the adequacy of security technology or practice in a specific part of the business or IT operation, indicating where improvements can be made and the steps needed to achieve these. The client will also receive confirmation of the adequacy of controls and conversely, indication of unnecessary controls. The latter may be an impediment to doing business effectively.

commissum Managed Security services allow us to free up your resources and lighten your workload with our first-class range of management services. These include our outsourced CISO offering, managing your alignment to ISO27001, helping you to manage critical Business Continuity, and at a more technical level, regular managed testing of your network and applications, and blended code review.

Get in touch with one of our security consultants today

  • No obligation
  • Expert advice
  • Tailored solutions

"We have now used commissum several times covering a range of security activities and found all their people friendly, highly professional and effective in delivery and application of their portfolio of services."

Mr David C, Information Management, Government Agency
