When was the last time your business had an information security review?
commissum's detailed audit:
- Focuses on selected elements of information systems, networks, or security process and practice.
- Close inspection of security policy, practice, technology or other components.
- Conducted by observation, inspection and interview.
- Follows ISO27001/2.
commissum will provide:
- An expert, unbiased opinion.
- Advice on adequacy of security technology or practice.
- Indications where improvements can be made.
- Confirmation of the adequacy of controls.
- Indication of unnecessary controls, which may be an overhead.
Detailed audit issues
An organisation may have particular concerns about specific parts of its information systems, networks, or security process and practice. These could be operating procedures, back-up arrangements, password management, user management or development procedures. The organisation may be concerned about a particular application or architectural component such as a DMZ (De-Militarised Zone). The concerns may arise from issues raised by a higher-level audit, from regulator's requirements, or from concern about the manageability of security in a particular area.
The detailed audit involves close inspection of security policy, practice, technology or other components. It concludes whether the existing security controls are:
- Appropriate to the organisation's needs.
- Correctly configured and adequate for the task.
- Sufficiently documented.
- Well-operated and demonstrably so.
An audit will normally be conducted by observation, inspection and interview. In some cases, system or software testing will be conducted to augment the auditor's work. Tools to interrogate logs and other records may be required.
The elements of an audit are:
- Agree the scope and objectives of the audit.
- Identify people and locations and establish a schedule.
- Conduct preliminary documentation review and other necessary research.
- Conduct inspections and interviews.
- Draw up preliminary findings and report back to client.
- Negotiate differences of opinion.
- Produce final report (reporting on strong, adequate and weak practice).
- Deliver final report and recommendations.
The commissum audit will follow ISO27001/2, but due to the detail normally required, will go deeper than the clauses of ISO27002 - for example the technical sections will need to be interpreted for specific technologies and platforms.
Detailed audit customer benefits
commissum will provide an expert, unbiased opinion on the adequacy of security technology or practice in a specific part of the business or IT operation, indicating where improvements can be made and the steps needed to achieve these. The client will also receive confirmation of the adequacy of controls and conversely, indication of unnecessary controls. The latter may be an impediment to doing business effectively.
commissum Managed Security services allow us to free up your resources and lighten your workload with our first-class range of management services. These include our outsourced CISO offering, Managing your alignment to ISO27001, helping you to manage critical Business Continuity, and at a more technical level, regular managed testing of your network, applications, and blended code review.
Get in touch with one of our security consultants today
- No obligation
- Expert advice
- Tailored solutions
"We have now used commissum several times covering a range of security activities and found all their people friendly, highly professional and effective in delivery and application of their portfolio of services.”
Mr David C, Information Management, Government Agency
Tue 21 May, 2013 //
Wed 08 May, 2013 //
Tue 30 Apr, 2013 //