What is an IT Security Audit?

Implementing effective cyber security involves a lot more than just applying the latest technology. You need to enact appropriate supporting policies and processes and ensure your staff are effectively trained to follow them. These factors taken together are what is referred to as a Security Management System.

To instill confidence that your Security Management System is working as intended and providing the protection the business requires, a security audit can be performed. A security audit is a structured assessment of the security measures a company has in place, judged against a set of defined criteria. Typically, the criteria will be a security framework such as ISO 27001, the NIST Cybersecurity Framework or Cyber Essentials, or a technology-specific standard such as the eIDAS requirements for trust service providers (ETSI EN 319 411).

During the audit, the auditor will first identify the policies and/or processes that have been defined, then seek evidence that each policy or process is actually being followed. When looking for evidence, the auditor will typically use a sampling approach. Rather than examine every record to confirm compliance, they will examine a randomly chosen sample; a clean sample therefore gives reasonable confidence, not proof, that the control is applied consistently, and a single non-conforming record in the sample is usually enough to raise a finding.
