Technology Security Audit

About IT Security

IT Security is not an absolute; that is to say that no organisation can be completely secure. Further measures can always be taken to improve the security of an organisation, and to minimise the risk to that organisation of an IT security breach. However not all security measures represent a good investment of IT resources. IT security is therefore a risk management process, which aims to reach a delicate balance between required functionality, security and cost. Following ISO/IEC 27001:2015 & 27002:2015 “to the letter of the law” may not achieve this practical approach
to security so the standard needs to be taken in context to the functionality, security and cost requirements of the organisation.

The value of information goes beyond the written words, numbers and images: knowledge, concepts, ideas and brands are examples of intangible forms of information. In an interconnected world, information and related processes, systems, networks and personnel involved in their operation, handling and protection are assets that, like other important business assets, are valuable
to an organisation’s business and consequently deserve or require protection against various hazards.

Assets are subject to both deliberate and accidental threats while the related processes, systems, networks and people have inherent vulnerabilities. Changes to business processes and systems or other external changes (such as new laws and regulations) may create new information security risks.

Therefore, Given the multitude of ways in which threats could take advantage of vulnerabilities to harm the organisation, information security risks are always present. Effective information security reduces these risks by protecting the organisation against threats and vulnerabilities, and then reduces impacts to its assets.

Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organisational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organisation
are met. We take a holistic, coordinated view of the organisation’s information security risks in order to implement a comprehensive suite of information security controls under the overall framework of a coherent management system.

Many information systems have not been designed to be secure in an modern internet connected world. The security that can be achieved through technical means is limited and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. A successful ISMS requires support by all employees in the organisation. It can also require participation from shareholders, suppliers or other external parties. Specialist advice from external parties can also be needed.

In a more general sense, effective information security also assures management and other stakeholders that the organisation’s assets are reasonably safe and protected against harm, thereby acting as a business enabler.

It is essential that an organisation identifies its security requirements. There are three main sources of security requirements:

– The assessment of risks to the organisation, taking into account the organisation’s overall business strategy and objectives. Through a risk assessment, threats to assets are identified, vulnerability to and likelihood of occurrence is evaluated and potential impact is estimated;
– The legal, statutory, regulatory and contractual requirements that an organisation, its trading partners, contractors and service providers have to satisfy, and their socio-cultural environment; and
– The set of principles, objectives and business requirements for information handling, processing, storing, communicating and archiving that an organisation has developed to support its operations.

Resources employed in implementing controls need to be balanced against the business harm likely to result from security issues in the absence of those controls. The results of a risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks and for implementing controls selected to protect against
these risks.

Our Methodology

We conduct the audit in conformity with Standards Australia ISO/IEC 27001:2015 & 27002:2015 – Information Technology – Code of practice for information security management. The basis for this is that the standard provides a common basis for developing organisational security standards and effective security management practice as well as providing confidence in inter-organisational dealings.

ISO/IEC 27001:2015 & 27002:2015 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organisation. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27001:2015 & 27002:2015 contains best practices of control objectives and controls in the following areas of information security management:

– Security policy;
– Organisation of information security;
– Asset management;
– Human resources security;
– Physical and environmental security;
– Communications and operations management;
– Access control;
– Information systems acquisition, development and maintenance;
– Information security incident management;
– Business continuity management;
– Compliance.

The audit consists of an interview with your organisation’s key staff and a questionnaire is then completed by your IT support staff or provider. Once all information has been gathered a comprehensive report is provided which includes the findings, a rating based on the business risk for any issues found and recommendations for resolution of those issues and where needed, recommendations for improvements to your current practises. POA