Welcome to the tenth issue of ISO17799 News, designed to keep you abreast of developments and news with respect to ISO 17799 and information security. The information within the newsletter is totally free to subscribers and provides guidance on various practical issues, as well as commentary on recent Information Security incidents.
Included in this edition are the following topics:
PREPARING FOR AN INFORMATION SECURITY AUDIT
For an Information Security audit to be effective it must be planned and have adequate preparation. A common purpose of conducting the audit is to enable the Information Security Officer (or the person who is responsible for the security of information) to measure the level of compliance with the organization’s Information Security Policies and associated procedures.
At the highest level, the Information Security Officer should initially prepare an audit program which ensures that all key risk areas are audited and reviewed on a regular basis. The greater the threats, and the higher the risk or probability of an Information Security incident, the more often the audit should be conducted.
Once the risk area to be audited has been selected, the Information Security Officer should prepare a list of the INFORMATION that needs to be collected to carry out the audit.
The Information Security Officer will also decide which PERSONNEL need to be audited and arrange an interview schedule. In the same example, the following personnel would be audited: a sample of the user population who use portable computers; the issuers of portable computers; and ancillary staff.
As with many tasks, pre-planning is sometimes seen as a necessary evil, and there is a temptation to short-cut. However, in most cases, there is little doubt that the quality of the planning is likely to go a long way in determining the quality of the audit itself.
Note: This information is extracted from the Interactive Security Manual and used with permission.