The IS auditor should also check that the policy is reviewed at regular intervals, or according to the enterprise's policy on the review of policies. The policy should always be current and reflect changes in the enterprise. If the enterprise undergoes a major change in business processes or IT systems, this might affect its security policy.
The IS auditor should also check that the security policy has been properly implemented and documented. In many enterprises, IS auditors will find that a policy exists but has not been implemented. The IS auditor will also come across situations where only parts of the policy have been implemented. It is important that the IS auditor has a good understanding of the extent to which the security policy has been implemented. This information can be collected from the security function and validated with management and employees from various functions in the enterprise. It should be noted that information security concerns everyone in the enterprise, that is, from the board to the most junior employee.
It is recommended that the security policy developed and implemented by the enterprise be based on accepted best practice or an international standard. Various security standards can be used; common ones include ISO/IEC 27001, ISO/IEC 27014, ISO/IEC 17799, and BS 7799. Other international IT management frameworks, such as COBIT and ITIL, incorporate information security. ISACA has developed COBIT 5 for Information Security, which focuses on managing information security in the enterprise in support of its business processes. The ISO 27000 series of standards covers various areas of security and can be found on the ISO international standards website. Below is the structure of the ISO 27001:2013 standard. Enterprises have the option of implementing all or part of the standard, as required by management.
Figure 7.1 Structure of ISO 27001:2013 standard
Auditing a security policy is one important activity in ensuring that an information security infrastructure is effective in securing business resources and protecting data and information. Most enterprises implement security policies that are generally in line with ISO security standards such as ISO 27001. The IS auditor will find that other enterprises modify the standards to fit their unique operations. Senior management will reg-