What is a security audit?

An information security audit is a systematic evaluation of how effectively an organization's security policy is being implemented. This is measured against established criteria.

Of course, this assumes that the organization has a security policy in place, which, unfortunately, is not always the case.

Even today, there are hundreds of organizations lacking a written security policy. These policies are a means of standardizing security practices by having them codified in writing.

Staff should be aware of the security practices in place so they are understood and practiced by all. In some cases, staff sign off on these policies as having been read and understood.

When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Furthermore, until all employees have read and signed off on the security policy, compliance with the policy cannot be enforced. Written security policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company assets and agrees to fulfill their obligations in order to do so.

Advance Planning

Because of the breadth of data to be examined, auditors will want to work with the client to determine the scope of the audit. Factors to consider include:

  • Site business plan
  • Type of data being protected
  • Value/importance of that data to the client organization and its customers
  • Previous security incidents
  • Time available to complete the audit
  • Competencies of the auditors: good auditors will want to have the scope of the audit clearly defined, understood and agreed to by the client from the outset

Next, the auditors will develop an information security audit plan. This plan will cover how the audit will be executed, who is going to be involved, and what tools will be used. They will then discuss the plan with the requesting agency, and go on to discuss the objective of the audit with site personnel along with some of the logistical details, such as the time of the audit, which site staff may be involved and how the audit will affect daily operations. Finally, the auditors should ensure the audit objectives are understood by everyone involved.

Conducting the security audit

In undertaking the security audit, the auditor normally studies relevant documentation, conducts interviews with relevant staff and conducts a physical inspection of the property. Observations and responses are then compared to the security standard operating procedures (SOPs) and operating standards (OS) that have been laid down in the organization's security policy. Where there are deficiencies, these are recorded and recommendations made.

Security auditors should review previous security incidents at the client organization to gain an idea of historical weak points in the organization's security profile, and what action was taken to address those points. They should also examine current conditions to ensure that repeat incidents cannot occur.

The information security audit report should be objective, concise and cover all the relevant OS and SOPs in place. It should also include an overview of the company, an executive summary of the major findings, observations and recommendations. The audit report is then presented to the client for consideration. Following this, the client will usually ask the auditor to expand upon particular points with a view to implementing the recommendations made.