What should we focus on when auditing information security governance and management?
A well-functioning information security management and governance function is key in today’s businesses. Regulatory requirements, as well as expectations from society and customers, are constantly increasing as digitalization and automation advance in all types of industries.
As a result, information security governance should be audited by Internal Audit at least every 3-4 years. These audits can be based on different standards and frameworks, such as ISO/IEC 27002, COBIT or the CIS Top 20 controls, but below I have listed some general areas that I believe are important to cover.
Has the organization implemented an information security management system, including policy, standards and procedures/instructions? Have these steering documents been properly communicated and understood by relevant stakeholders?
Are roles and responsibilities clearly defined, assigned and understood? Do key stakeholders such as information owners and system owners understand their responsibilities?
Has information been classified in terms of availability, confidentiality, integrity and traceability? Does the documentation record where the information is located (which systems, folders etc.)? Has the business defined protection requirements based on the information classification results?
Are all assets and information resources identified? Is it clear how information in different classes should be protected throughout the information lifecycle (create, manage, communicate, change, remove)? Have adequate protection measures been implemented based on business requirements?
How does top management show the importance of information security? How do they lead by example? Is there a continuous information security awareness program in place that reaches all relevant stakeholders?
How are compliance and conformance with information security standards and requirements followed up? Are there methods in place to perform regular self-assessments? How are information security risks identified and managed? How is information security reported to top management?
In addition to auditing the governance and management of information security, the different areas within information security should be audited for operational effectiveness on a yearly basis.
Good luck with your audits!
/Magnus Thyllman, CIA, CISA, CISM, CRISC