Conducting security audits against standards

You’ve recently looked at governance and the importance of governance controls for organisational culture.

Now, you'll move on to audits and reviews, which form a key part of the checks and balances an organisation needs to carry out on an ongoing basis.

Regular information security audits and reviews are essential: they keep the organisation's attention on security, at least for the period of the audit. Reviews should cover physical, technical and personnel security, so different teams may be needed to cover each of these areas. A failed audit has many ramifications, from regulatory exposure to lost customer confidence, so the run-up to an audit is a good time for the Information Security Manager to meet senior management to discuss security awareness and the security team's annual budget.

Ideally, an impartial team should conduct the audit. This could be staff within the business who aren't involved in running the security systems or setting policy, or external independent security auditors.

In some cases, expert knowledge is required to undertake the audit. For example, if the review relates to the perimeter security technology, then experts in firewall and network technology solutions will be required. Similarly, if the review is of building security, the auditors need to be familiar with door entry systems, security guarding protocols and social engineering techniques. 

The contractual arrangements between the organisation and the auditors (or the internal agreement, if the group is within the organisation) should include a non-disclosure agreement, or NDA. This helps protect the organisation's intellectual property and reduces the risk of the vulnerabilities found being disclosed to unauthorised third parties or competitors.

Prior to the review, the scope of the testing should be agreed with the auditors so that they know exactly what is required of them and what is out of bounds. The levels of access they need to complete the job should also be determined. This might involve giving the auditors dedicated user accounts on the systems (which should be removed when the audit ends), providing network access for penetration testing, or arranging for individuals to be interviewed.

The results of the audit should be delivered in a concise report showing, for each control or requirement tested, whether the organisation is compliant, partially compliant or non-compliant, together with recommendations for improvement. This should then trigger a set of internal meetings to discuss the findings with the security and business stakeholders affected by the audit.

Like so many processes in the risk management cycle, auditing is iterative. Once remedial action has been taken, documents have been updated and systems have been improved, the resulting set of documents becomes the baseline against which the next audit is measured.

What's next?

Now you've seen the importance of auditing and its role in the risk management process, you're next going to look at policies.

In this course, you will discover the structures, policies and practices which provide a basis for developing the organisation's information security.

About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.