ularly request IS auditors to review the implementation or performance of the policy or some parts of the policy. Senior management, being the custodian of the security policy, will determine the audit objectives and expected outcomes.

With reference to the chart above, let us review what the IS auditor is required to do as regards the components of the ISO 27001:2013 standard.
Information Security Policies - A policy is a guide developed by management on how security should be implemented and managed in the enterprise. The IS auditor will be required to have a good understanding of the policy and be able to effectively audit the policy and its implementation.
Organisation of Information Security - The enterprise should have an information security structure which can be used to implement and manage security in the enterprise. Without a security structure, information security might not be implemented effectively. The organisation could be a full-fledged department headed by a director or manager. In smaller enterprises, the security function can be managed by a security coordinator in a full- or part-time role. The IS auditor should review the control structure of the security organisation and also regularly assess its effectiveness in managing security in the enterprise.
Human Resource Security - Procedures need to be put in place which will ensure that suitable and qualified human resources are recruited by the enterprise. The procedures will also ensure that the human resources comply with the various security policies. The IS auditor is required to ensure that security procedures are in place for the recruitment of staff, and that security is one of the considerations when hiring employees.
Asset Management - IT assets need to be protected, and the IS auditor should ensure that procedures are available for protecting IT assets. IT assets are critical to the operation of the enterprise. Maintenance of an IT asset register is one way of ensuring that IT assets are tracked and monitored.
Access Controls - Access controls ensure that only authorised users have access to data and information. The IS auditor should regularly review access rights in order to ensure that authorised users have appropriate access to the systems. The IS auditor should also ensure that all users are authorised by management.
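The access review described above is usually done by reconciling three sources: the entitlements actually provisioned in a system, the HR roster, and the record of management approvals. The script below is an added example written for this page, not material from the book or from the ISO standard; the three data sets and the role names in it are constructed for illustration, and the finding categories are the auditor's own choice rather than anything the standard prescribes.

```python
"""Access-rights reconciliation for a periodic access review.

Added example (not from the book). Inputs are constructed samples of what an
IS auditor would typically request:
  - SYSTEM_ACCESS: roles currently provisioned per account, exported from the system
  - HR_ROSTER:     employment status per person, exported from HR
  - APPROVALS:     (user, role) pairs that management has signed off on
Each finding is one (user, role) pair that fails a check the page calls for:
the holder must be a current, authorised user with management-approved access.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample data (hypothetical users and roles).
SYSTEM_ACCESS = {
    "alice": {"finance_read", "finance_admin"},
    "bob": {"finance_read"},
    "carol": {"finance_read"},
    "svc_legacy": {"finance_admin"},   # account with no matching person in HR
}
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active"}
APPROVALS = {
    ("alice", "finance_read"),
    ("bob", "finance_read"),
    ("carol", "finance_read"),
}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    issue: str


def review_access(system_access, hr_roster, approvals):
    """Return findings for every provisioned (user, role) that fails a check.

    Checks are applied in order of severity for each entitlement:
      1. the account has no HR record at all (orphaned or unknown account)
      2. the person is on the roster but not active (e.g. terminated)
      3. the person is active but management never approved this role
    """
    findings = []
    for user, roles in sorted(system_access.items()):
        status = hr_roster.get(user)
        for role in sorted(roles):
            if status is None:
                findings.append(Finding(user, role, "account has no HR record"))
            elif status != "active":
                findings.append(Finding(user, role, f"user is {status} but still has access"))
            elif (user, role) not in approvals:
                findings.append(Finding(user, role, "access not approved by management"))
    return findings


def approved_but_missing(system_access, approvals):
    """Approvals with no matching entitlement; an audit-trail gap, not an exposure."""
    return sorted(
        (user, role) for user, role in approvals
        if role not in system_access.get(user, set())
    )


def summarise(findings):
    """Count findings per issue type for the audit report."""
    return dict(Counter(f.issue for f in findings))


def run_review():
    """Run the review over the constructed sample data and return the findings."""
    return review_access(SYSTEM_ACCESS, HR_ROSTER, APPROVALS)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.user:12} {f.role:15} {f.issue}")
    print("summary:", summarise(run_review()))
    print("approved but not provisioned:", approved_but_missing(SYSTEM_ACCESS, APPROVALS))
```

Run against the sample data, the review surfaces three findings: an active user holding an administrative role that was never approved, a terminated user whose access was not revoked, and an account that does not correspond to anyone on the HR roster. Each is exactly the kind of exception the auditor is asked to check for, and the ordering of the checks means each entitlement is reported once, under its most serious problem.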