Here is a simple checklist for your IT Security Audit.
Most IT Security Audits are based on a specific framework. Most, if not all, frameworks require some form of risk assessment that addresses threats, vulnerabilities and impacts to critical IT assets and processes. Once this information has been identified, the organization decides how it will deal with those threats and their impact.
The very high level steps for completing your IT Security Audit are:
1. Identify the framework that you are being assessed against.
2. Perform a risk assessment of your critical assets and processes.
3. Create a risk treatment plan based on the risk tolerance of your organization.
4. Document the information from steps 2 and 3.
5. Implement, or find already in place, the activities that address the risk treatment items from step 3, and document them.
6. All of your activities to address risk treatment should generate some form of output (IT tickets, calendar events, memos, etc). Collect the output for these activities in a central location and have some form of management review.
7. Once you have collected or documented the activity outputs from the step above (artifacts), compare them against the items in the framework that you are being audited against.
8. For items that do not require a specific control implementation, note that the risk doesn't justify implementing the control. This is perfectly fine, and if done well it will be appreciated by your auditor and can significantly decrease the amount of time needed to complete your audit.