Chapter 1: Introduction To IT Audit


IT Auditing
ESTIN, 2023-2024

Chapter 1: Introduction

Introduction

• A security audit in information systems refers to a systematic evaluation of an organization's information technology infrastructure, policies, procedures, and controls to assess the effectiveness of its security measures.
• The primary goal of a security audit is to identify vulnerabilities, assess the level of compliance with security policies and regulations, and ensure the overall integrity, confidentiality, and availability of the organization's information assets.

Motivation

• The evolution of information systems, driven by market globalization, positions them as strategic elements for business growth.
• However, this rapid expansion poses challenges of compliance with standards and of risk management for information systems, requiring thorough evaluation through IT auditing.
• This involves assessing compliance with standards and frameworks while identifying vulnerabilities and potential threats, to ensure the security and sustainability of information systems.

What is a system?

• A system is a set of elements related to each other, forming a whole.
• It represents a perfectly identifiable unit evolving in an environment.
• There is therefore a boundary that separates the system from its environment.

What is an Information System?

• An Information System (abbreviated as IS) is an organized set of resources (hardware, software, personnel, data, and procedures) that represents all the elements involved in the management, processing, transport, and dissemination of information within the company.
• Originally, information systems first appeared in the fields of computer science and telecommunications. Today, however, the concept is found in all sectors, whether in private or public enterprises.

Keystones of an Information System

• An information system can be likened to the vehicle that enables communication throughout the entire company.
• The structure of the system is made up of all the resources (people, hardware, software) that organize themselves to collect, store, process, and communicate information.
• The information system is the key coordinator of the company's activities and plays a crucial role in achieving the objectives the company sets.
• The information system is built around the 'business' processes and their interactions, not just around the databases or software that constitute it.
• The information system must be in line with the company's strategy.

Why do we need information security?

• For reasons of efficiency and profitability, a company today communicates with its subsidiaries and partners, and even offers services to individuals, which implies a massive openness of its information.
• With the opening of networks, security becomes a decisive factor in the smooth operation of the company or organization.
• However, a company or organization possesses certain information that should only be disclosed to a limited number of people, should not be modified, or should be transparently available to the user. These pieces of information are subject to attack because threats exist and the system housing the information is vulnerable.

Security Evaluation Criteria

• We refer to information security as the set of technical, organizational, legal, and human means implemented to address identified risks, in order to ensure the following criteria:
  - Confidentiality: Information must not be disclosed to any unauthorized person, entity, or process. In other words, information is only accessible to those who have the right to access it (also known as 'need-to-know').
  - Integrity: The correct and complete nature of assets must be preserved. In simple terms, information can only be modified by those who have the right to do so.
  - Availability: Information must be accessible and usable upon request by an authorized entity. This means that information should be available under pre-agreed conditions (24/7, during business hours, etc.).
  - Traceability (or 'Proof'): Ensures that access and attempted access to the considered elements are traced, and that these traces are kept and exploitable.

Terminology

• Cryptology: A mathematical science comprising two branches: cryptography and cryptanalysis.
• Cryptography: The study of methods that allow for the confidential transmission of data over a given medium.
• Cryptanalysis: In contrast to cryptography, its goal is to recover plaintext from encrypted texts by exploiting weaknesses in the algorithms used.
• Cryptosystem: The set of all possible keys (key space), plaintexts, and ciphertexts associated with a given algorithm.
• Ciphertext (encrypted text): Also known as a cryptogram, the ciphertext is the result of applying encryption to plaintext.
• Key: The parameter involved in, and authorizing, encryption and/or decryption operations.

Malware

• Malicious software, or malware, is a program that infects a computer system. It includes various types:
  - Virus: Capable of infecting other programs by modifying them in order to reproduce. Types include macro viruses, resident viruses, boot viruses, slow viruses, defensive or retroviruses, and stealth viruses.
  - Worm: Autonomous program that replicates and spreads through a network.
  - Trojan Horse: Program that appears useful but hides code that creates a system vulnerability (backdoor).
  - Spyware: Collects personal information from a user's computer without their consent, typically transmitting the information to a company for profiling.
  - Email spamming: Sending numerous identical messages to overload a mailbox.

Access control systems

• Access control systems and access controls refer to a set of computer methods aimed at:
  - Administering access to resources (Administration).
  - Controlling access rights (Identification and authentication).
  - Identifying authorized or unauthorized users (Authorization).
• Access controls govern and regulate a subject's access to objects. The process steps include administration, identification, authentication, and authorization.

Access Control Categories and Access Controls

• Access controls encompass preventive, detective, and corrective measures:
  - Preventive controls aim to stop unauthorized activity.
  - Detective controls focus on discovering unauthorized activity.
  - Corrective controls are deployed to restore systems after unauthorized activity.
• Access control systems are implemented through:
  - Administrative access controls, governing policies and procedures.
  - Logical and technical access controls, managing software and hardware.
  - Physical access controls, employing physical barriers for system protection.

Why do we protect ourselves?

• Because the loss of information is considered likely to cause:
  - Financial loss (e.g., destruction of customer files, retrieval of contracts by a competitor, etc.)
  - Damage to the brand image (e.g., hacking of a bank, disclosure of a phone number on the do-not-call list, etc.)
  - Loss of efficiency or production (e.g., making a file server on which collaborators are working unavailable).

Information Security Policy

• An information security policy is a set of documents indicating the directives, procedures, guidelines, and organizational and technical rules to be followed concerning information security and its management.
• It is a clear and firm stance and commitment to protect the integrity, confidentiality, and availability of the company's informational assets.
• The information security policy allows you to define, implement, maintain, and improve information security within your company. It also enables you to protect the company's critical infrastructures and assets.

Definition of RISK

• The potential for an event or incident to negatively impact the confidentiality, integrity, or availability of an organization's information systems and assets.
• It represents the likelihood of a threat exploiting a vulnerability, resulting in adverse consequences such as data breaches, system disruptions, financial losses, reputational damage, or regulatory penalties.
• Risks in IT security audits are typically identified, assessed, and prioritized based on their potential impact and likelihood, with the goal of implementing controls and measures to mitigate or manage them effectively.

Risk Management

• Risk = (Threat x Vulnerability) / Countermeasures
• Threat: Potential violation of a security property.

Threat Types

• Accidental:
  - Natural disasters ("acts of God"): fire, flood, etc.
  - Involuntary human actions: data entry errors, typing mistakes, misconfigurations, etc.
  - Unforeseen system performance: design errors in software or hardware, hardware malfunction, etc.
• Deliberate:
  - System theft; denial-of-service attacks; information theft (breach of confidentiality).
  - Unauthorized system modification.

• Vulnerability: Weakness or flaw: an accidental or intentional fault introduced in the specification, design, or configuration of the system.
• Attack: Deliberate attempt to violate one or more security properties.
• Intrusion: Actual violation of the security policy.

Some examples of threats!
Security Countermeasures

• Countermeasures are the set of actions implemented to prevent threats:
  - Data encryption.
  - Software-level controls:
    - part of the operating system,
    - software development control.
  - Hardware controls:
    - hardware access control: identification and authentication.
  - Physical controls: locks, surveillance cameras, guards, etc.

About IT Auditing

• An audit involves identifying security needs, assessing the computer risks to the company and their potential consequences, and laying out processes.
• Identifying needs: The phase of identifying needs initially involves taking inventory of the information system, particularly for the following elements:
  - People and functions;
  - Hardware, servers, and the services they provide;
  - Network mapping (addressing plan, physical topology, logical topology, etc.);
  - List of company domain names;
  - Communication infrastructure (routers, switches, etc.);
  - Sensitive data.
• Risk analysis: The risk analysis stage involves listing the various risks, estimating their likelihood, and finally studying their impact.
  - The best approach to analyzing the impact of a threat is to estimate the cost of the damage it would cause (for example, an attack on a server or the deterioration of data vital to the company).
• The audit requester and the chief auditor must employ a precise approach to assess risks, considering the constant innovations in information systems:
  - Evaluate annually the specific evolution of information technology implementation to identify potential risks.
  - Review the IT department's short-term plans to adjust the assessment of information systems risks.
  - Update the risk assessment at the start of each audit and be flexible in approach to adapt to the organization's evolving risk profile.
• Based on this, it may be useful to create a table of risks and their potential, meaning their likelihood of occurring, by assigning them levels according to a scale to be defined, for example:
  - Not applicable (or unlikely): the threat is not relevant;
  - Low: the threat has little chance of occurring;
  - Medium: the threat is real;
  - High: the threat is highly likely to occur.

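A worked risk register, added here as an example and not part of the lecture: it applies the slides' formula Risk = (Threat x Vulnerability) / Countermeasures together with the four-level likelihood scale above to a constructed inventory, and ranks the entries by the cost-of-damage estimate that the risk analysis step calls for. The numeric weights for the scale, the 1-3 scoring of vulnerability and countermeasures, and all assets and figures are assumptions made for this example.

```python
"""Risk register applying the lecture's formula and likelihood scale.

Added example, not part of the lecture slides. The formula
Risk = (Threat x Vulnerability) / Countermeasures and the four-level
likelihood scale come from the slides; the numeric weights for the
scale, the 1-3 scoring of vulnerability and countermeasures, and the
inventory entries with their cost figures are all constructed here.
"""
from dataclasses import dataclass

# Likelihood scale from the slides; the numeric weights are an assumption.
LIKELIHOOD = {"not applicable": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskEntry:
    asset: str            # element of the IS inventory (server, data, ...)
    threat: str           # threat considered for that asset
    likelihood: str       # key of LIKELIHOOD (the "threat" factor)
    vulnerability: int    # 1 = hardened ... 3 = exposed (assumed scale)
    countermeasures: int  # 1 = none in place ... 3 = strong (assumed scale)
    impact_cost: float    # estimated cost of the damage if the threat occurs


def risk_score(entry: RiskEntry) -> float:
    """Risk = (Threat x Vulnerability) / Countermeasures, as on the slides.

    Countermeasures is a divisor, so "no countermeasures" is scored 1
    (the formula is undefined at 0); anything outside 1..3 is rejected.
    """
    if entry.likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level: {entry.likelihood!r}")
    if not 1 <= entry.vulnerability <= 3:
        raise ValueError("vulnerability must be scored 1..3")
    if not 1 <= entry.countermeasures <= 3:
        raise ValueError("countermeasures must be scored 1..3 (1 = none)")
    threat = LIKELIHOOD[entry.likelihood]
    return (threat * entry.vulnerability) / entry.countermeasures


def expected_loss(entry: RiskEntry) -> float:
    """Weights the score by the impact estimate (cost of the damage).

    Combining score and cost this way is an added ranking convention,
    not something the slides prescribe.
    """
    return risk_score(entry) * entry.impact_cost


def rank_risks(register: list[RiskEntry]) -> list[RiskEntry]:
    """Orders the register by expected loss, then by raw score, descending."""
    return sorted(register,
                  key=lambda e: (expected_loss(e), risk_score(e)),
                  reverse=True)


def risk_table(register: list[RiskEntry]) -> str:
    """Renders the ranked register as the risk table the slides suggest."""
    header = f"{'asset':<22}{'threat':<36}{'likelihood':<16}{'score':>6}{'exp. loss':>12}"
    lines = [header]
    for e in rank_risks(register):
        lines.append(f"{e.asset:<22}{e.threat:<36}{e.likelihood:<16}"
                     f"{risk_score(e):>6.2f}{expected_loss(e):>12.0f}")
    return "\n".join(lines)


# Constructed inventory for the example; assets and figures are invented.
SAMPLE_REGISTER = [
    RiskEntry("file server", "ransomware on shared volumes", "high", 3, 1, 50_000),
    RiskEntry("customer database", "SQL injection via web application", "medium", 2, 2, 120_000),
    RiskEntry("mail gateway", "email spamming (mailbox overload)", "medium", 2, 3, 3_000),
    RiskEntry("payroll application", "data entry errors", "low", 2, 2, 8_000),
    RiskEntry("core router", "flood (site not in a flood zone)", "not applicable", 1, 1, 20_000),
]

if __name__ == "__main__":
    print(risk_table(SAMPLE_REGISTER))
```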
Lifecycle of Information Systems Security Audit

• Since the means and procedures for protecting the IS are defined in the security policy, a security audit is also called a security policy audit.
• It is worth noting that the security audit process, through risk analysis and management methods, can also be used to develop a security policy.

[Diagram: Lifecycle of Information Systems Security Audit]

Objectives of IT Auditing

• The objective of the Information Systems Audit course is to introduce participants to key concepts in IT auditing. In more detail:
  - Presentation of various aspects of information systems auditing, covering the approach, models, and audit categories used. Learning the general principles of IS auditing, including rules, ethics, common mistakes to avoid, and elements of IT audit security policy.
  - Acquiring the professional standards and frameworks essential for conducting IS audits. Providing concepts related to planning and organizing the development of the IS audit plan.

What is an auditor?

• This lecture focuses on the concepts and techniques used in auditing an application.
• Auditors are employed for a wide range of tasks and responsibilities:
  - Organizations employ internal auditors to evaluate company operations.
  - The GAO (Government Accountability Office) and state governments employ auditors to evaluate management performance and compliance with legislative intent.
  - The Defense Department employs auditors to review the financial records of defense contractors.
  - Publicly held corporations hire external auditors to provide an independent review of their financial statements.

Internal Auditor vs External Auditor

• This session is written primarily from the perspective of an internal auditor.
  - Internal auditors are directly responsible for helping management improve organizational efficiency and effectiveness.
  - They assist in designing and implementing an application that contributes to the entity's goals.
• External auditors are primarily responsible to shareholders and investors.
  - They are only indirectly concerned with application effectiveness.
  - But many internal audit concepts apply to external audits.
• Whether internal or external, your audit team must be able to:
  - Determine and conduct appropriate tests
  - Understand the data
  - Prioritize threats
  - Set benchmarks
  - Create a plan based on audit findings
• An internal audit may be the best choice if you have a simple business and sufficiently skilled IT or risk management employees.
  - Advantages:
    - Typically lower cost
    - Greater control over procedures
    - Customizable to fit organizational needs
  - Disadvantages:
    - Requires significant personnel time
    - May not meet regulatory or industry standards
    - Potential learning curve, particularly with limited security resources
    - Decisions may be influenced by internal biases
• In contrast to the previous case, some companies are characterized by complex systems and sensitive data; there, highly trained auditors, potentially with specific certifications, may be necessary, especially if the company operates under regulations.
  - As generic auditing packages often lack customization and may require expertise for evaluation, many companies outsource audits to ensure accuracy and save time.
• An independent (external) auditor adds objectivity and minimizes conflicts of interest in the auditing process.
  - Advantages:
    - Experienced professionals with formal training
    - Unbiased assessment
    - Potential for increased efficiency
    - Assurance of compliance with regulatory and industry standards
  - Disadvantages:
    - Longer duration of the audit process
    - Cost may be prohibitive for smaller organizations
    - Complexity in coordinating with external auditors

Skills of an Auditor

• Recognizing security in development (quality):
  - Setting up an HTTPS server and secure authentication
  - Recognizing and reducing (web) vulnerabilities
  - Defining and implementing an access control policy

Questions auditors may answer

• What are the scope and objectives of audit work, and what major steps take place in the audit process?
• What are the objectives of an information systems audit, and what is the four-step approach for meeting those objectives?
• How can a plan be designed to study and evaluate internal controls in an application?
• How can computer audit software be useful in the audit of an application?
• What is the nature and scope of an operational audit?

Major Aspects of IT Audit

• Risk Assessment: Identifying and evaluating potential risks and threats to the organization's information systems.
• Policy and Procedure Review: Examining existing security policies and procedures to ensure they are comprehensive, up-to-date, and aligned with industry best practices and regulatory requirements.
• Access Controls: Reviewing user access permissions to ensure that only authorized individuals have appropriate access to data and systems.
• Network Security: Assessing the security measures in place to protect the organization's network infrastructure from unauthorized access, attacks, and data breaches.
• Data Protection: Evaluating the methods used to secure sensitive data, including encryption, data backup, and data storage practices.
• Incident Response: Assessing the organization's ability to detect and respond to security incidents promptly.
• Physical Security: Examining the physical security measures in place, such as access controls to data centers and server rooms.
• Security Awareness Training: Assessing the level of awareness and training provided to employees regarding security best practices and policies.
• Compliance: Verifying compliance with relevant laws, regulations, and industry standards governing information security.
• Security Architecture: Evaluating the overall design and architecture of the information systems to identify any weaknesses or vulnerabilities.
• After conducting a security audit, organizations typically receive a detailed report highlighting findings, recommendations for improvement, and potential action plans to enhance their overall security posture.
• Regular security audits are crucial for maintaining a proactive and robust security stance in the face of evolving cyber threats.

Audit Planning

• Audit planning depends on various organizational factors, but the components and role of the information system are crucial for assessing risks and determining the areas to audit:

1. Which technologies support operational functions?
   This question aims to identify the technologies and systems that are critical for supporting the organization's operational functions. Examples may include enterprise resource planning (ERP) systems, customer relationship management (CRM) systems, email servers, collaboration tools, and other business-critical applications and infrastructure.
2. Is the IS environment simple or complex?
   This question seeks to assess the complexity of the organization's information systems (IS) environment. It considers factors such as the number of applications, the complexity of integration between systems, the diversity of technologies used, and the size and scale of the IT infrastructure.
3. Is the IS environment centralized or decentralized?
   This question explores the organizational structure of the IS environment, focusing on whether IT resources and responsibilities are centralized within a single department or team, or decentralized across multiple departments or business units. It considers the distribution of IT resources, decision-making authority, and governance processes.
4. To what extent are applications customized?
   This question examines the level of customization of the organization's applications, including off-the-shelf software and internally developed applications. It assesses the extent to which applications have been tailored to meet the organization's specific requirements and business processes.
5. Are IS maintenance activities generally outsourced, or only certain ones?
   This question investigates the organization's approach to IT maintenance activities, including whether maintenance tasks are outsourced to third-party vendors or managed internally. It considers the outsourcing of routine maintenance tasks such as software updates, patch management, system backups, and hardware maintenance.
6. At what level is the annual evolution of the IS situated?
   This question examines the pace and direction of change within the organization's IS environment, focusing on the annual evolution of IT systems, technologies, and processes. It considers factors such as the introduction of new technologies, upgrades to existing systems, expansion of IT infrastructure, and adoption of emerging trends in IT.

Nature of Auditing

• The American Accounting Association (AAA) defines auditing as:
  - a systematic process of objectively obtaining and evaluating evidence
  - regarding assertions about economic actions and events,
  - to ascertain the degree of correspondence between those assertions and established criteria,
  - and communicating the results to interested users.
• Auditing requires a step-by-step approach.
  - It should be carefully planned, and techniques should be judiciously selected and executed.
  - Auditing involves collecting, reviewing, and documenting audit evidence.
  - The auditor uses criteria such as the principles of management control to develop recommendations.
• Auditors used to audit around the computer, ignoring the computer and its programs.
  - Assumption: if output was correctly obtained from system input, then processing must be reliable.
• Current approach: audit through the computer.
  - Uses the computer to check the adequacy of system controls, data, and output.
• SAS 94 (Statement on Auditing Standards No. 94) requires that external auditors evaluate how the audit strategy is affected by an organization's use of IT.
  - It also states that auditors may need specialized skills to: determine how the audit will be affected by IT; assess and evaluate IT controls; design and perform both tests of IT controls and substantive tests.
• Why did auditors formerly ignore the computer and programs while auditing?
  - This refers to a historical approach to auditing where auditors primarily focused on manually checking physical documents and records rather than delving into the computerized systems and programs themselves.
  - Essentially, they would verify the accuracy and integrity of data before it entered the computer and after it came out, but pay little attention to the processes happening inside the computer.
  - This approach was based on the assumption that computer systems were reliable and accurately processed data according to the instructions programmed into them.
  - The shift to auditing through the computer led to the development of computer-assisted audit techniques (CAATs) and a more comprehensive approach to auditing that includes evaluating the controls and security measures within computer systems and programs.
• What do we mean by SAS 94?
  - "SAS 94" refers to Statement on Auditing Standards No. 94, issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).
  - This standard addresses the impact of information technology (IT) on the auditor's assessment of internal controls when conducting a financial statement audit.
  - SAS 94 provides guidance to auditors on how to assess and respond to the risks associated with IT systems and controls.
  - It emphasizes the importance of understanding the client's IT environment, including the IT infrastructure, applications, and data processing procedures.

Steps of IT Audit

1. Establish consensus on objectives. Engage all stakeholders in discussions to determine the audit's intended outcomes.
2. Define the audit scope. Enumerate all assets slated for evaluation, encompassing computer hardware, internal documentation, and processed data.
3. Execute the audit and pinpoint threats. Enumerate the potential threats associated with each asset, encompassing data loss, equipment compromise, or unauthorized access. Assess security and risks.
4. Evaluate the likelihood and impact of each identified threat, along with the organization's defense capabilities. Identify necessary controls.
5. Determine the security measures required to mitigate risks effectively or enhance existing safeguards.

Types of Audit

• In a company, three different types of audits are commonly performed:
  - Financial audit; information systems audit; operational or management audit.
• In information systems, security audits are essential for assessing and enhancing the security posture of an organization's IT infrastructure and data assets.
• Security audits can be conducted to address different aspects of information security:
• Vulnerability Assessment: Identifies weaknesses and vulnerabilities in the organization's IT systems, networks, and applications.
  - This audit involves scanning systems for known vulnerabilities and misconfigurations, and assessing their potential impact on security.
• Penetration Testing (Pen Testing): Simulates real-world cyber attacks to identify vulnerabilities that could be exploited by malicious actors.
  - Penetration testers attempt to breach the organization's defenses and gain unauthorized access to systems, demonstrating potential security risks and recommending remediation measures.
• Security Configuration Audit: Reviews the configurations of IT systems, devices, and software applications to ensure compliance with security best practices and organizational policies.
  - This audit helps identify insecure configurations that could be exploited by attackers to compromise security.
• Access Control Audit: Evaluates the effectiveness of access controls and permissions governing user access to IT resources, such as systems, databases, and applications.
  - This audit ensures that users have appropriate access rights based on their roles and responsibilities, and helps identify and remediate excessive or unauthorized access.

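An entitlement review of the kind an access control audit performs, added here as an example and not part of the lecture: it compares permissions exported from the audited systems with an approved role matrix and the HR directory, and reports the two findings the slide names, excessive rights beyond a user's role and unauthorized access through accounts with no valid owner. The role matrix, directory, users and permissions below are constructed for the example.

```python
"""Entitlement review for an access control audit.

Added example, not from the lecture. It checks granted permissions
against an approved role matrix and the HR directory and reports
excessive access (rights beyond the user's role) and unauthorized
access (accounts of leavers, or accounts nobody in HR owns).
All role, user and permission data below are constructed.
"""
from dataclasses import dataclass

Permission = tuple[str, str]          # (resource, right), e.g. ("erp", "read")


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str        # "excessive", "departed_user" or "unknown_account"
    detail: str


def audit_entitlements(role_matrix: dict[str, set[Permission]],
                       directory: dict[str, tuple[str, str]],
                       entitlements: dict[str, set[Permission]]) -> list[Finding]:
    """Compares granted permissions with what each user's role allows.

    role_matrix:  role -> permissions approved for that role
    directory:    user -> (role, status) from HR; status "active" or "left"
    entitlements: user -> permissions actually granted on the systems
    Users are processed in sorted order so the report is deterministic.
    """
    findings: list[Finding] = []
    for user in sorted(entitlements):
        granted = entitlements[user]
        if user not in directory:
            # Account exists on a system but nobody in HR owns it.
            findings.append(Finding(user, "unknown_account",
                                    f"{len(granted)} permission(s) with no directory entry"))
            continue
        role, status = directory[user]
        if status != "active":
            # Leaver whose access was never revoked.
            findings.append(Finding(user, "departed_user",
                                    f"still holds {len(granted)} permission(s)"))
            continue
        allowed = role_matrix.get(role, set())
        for resource, right in sorted(granted - allowed):
            findings.append(Finding(user, "excessive",
                                    f"{right} on {resource} not allowed for role {role}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts findings per kind, for the audit report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data for the example.
ROLE_MATRIX = {
    "accountant": {("erp", "read"), ("erp", "post_journal")},
    "developer": {("git", "write"), ("ci", "run")},
    "dba": {("customer_db", "read"), ("customer_db", "admin")},
}
DIRECTORY = {
    "alice": ("accountant", "active"),
    "bob": ("developer", "active"),
    "carol": ("dba", "left"),
}
ENTITLEMENTS = {
    "alice": {("erp", "read"), ("erp", "post_journal"), ("customer_db", "admin")},
    "bob": {("git", "write"), ("ci", "run")},
    "carol": {("customer_db", "admin")},
    "svc_backup": {("customer_db", "read")},
}

if __name__ == "__main__":
    report = audit_entitlements(ROLE_MATRIX, DIRECTORY, ENTITLEMENTS)
    for f in report:
        print(f"{f.kind:<16}{f.user:<12}{f.detail}")
    print(summarize(report))
```

In a real engagement the three inputs would be exports from the IAM system, the HR directory and the audited applications, and each finding would be traced back to the export it came from.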
Types of Audit

• Security Policy and Procedure Audit: Reviews the organization's security policies, procedures, and guidelines to ensure alignment with industry standards, regulatory requirements, and best practices.
  - This audit assesses the adequacy of security controls, incident response procedures, and security awareness training programs.
• Incident Response Audit: Assesses the organization's readiness to detect, respond to, and recover from security incidents.
  - This audit evaluates the effectiveness of incident detection and response mechanisms, incident response plans, and coordination with internal and external stakeholders during security incidents.
• Encryption Audit: Reviews the implementation of encryption technologies to protect sensitive data at rest and in transit.
  - This audit assesses the strength of encryption algorithms, key management practices, and encryption controls to ensure the confidentiality and integrity of data.
• Third-Party Security Audit: Evaluates the security posture of third-party vendors, suppliers, and service providers that have access to the organization's systems or data.
  - This audit assesses third-party security controls, contractual obligations, and compliance with security requirements.

Internal Auditing Standards

• The Institute of Internal Auditors (IIA) (1) publishes references (guidelines) and (2) sets standards for internal auditing, including audit scope standards.
• The IIA's standards primarily focus on internal auditing principles and practices, which are certainly related to security audits in information systems.
• However, the IIA's standards may not specifically address all aspects of security audits in information systems.

(1) References of Internal Auditing

• The CobiT (Control Objectives for Information and Related Technology) method serves as the primary reference framework for governing and auditing information systems.
  - It focuses on managing IS governance over time and is built on best practices gathered from IS experts.
• The EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité) method enables the assessment and management of risks associated with information systems security (ISS).
  - It facilitates communication within the organization and with partners to aid in the ISS risk management process.
• The ISMS method (Information Security Management System) is a comprehensive approach rather than a reactive one that deals with problems as they arise:
  - Plan: Shift from a reactive to a proactive stance.
  - Do: Develop processes following a security framework.
  - Control: Audits and intrusion testing.
  - Act: Risk analysis of needs and stakes.
• Rule Elaboration: Develop rules and procedures to implement across the various departments of the organization for the identified risks; remain realistic and avoid being overly ambitious. Starting with low objectives and meeting them is preferable.
• Monitoring: Monitor and detect vulnerabilities in the information system, and stay informed about flaws in the applications and hardware used.
• Actions: Define the actions to be taken and the individuals to contact in case of threat detection.
• Strategy: The Information System Security Policy (PSSI) must be an integral part of the company's strategy:
  - Security lapses can be costly!
  - Include a general notion of security based on 4 points:
    - Protecting sensitive business applications within the IS
    - Reducing vulnerabilities
    - Ensuring the security of the IS itself
    - Ensuring continuity in the event of a disaster
• Methods: The steps are as follows:
  - Context analysis: essential elements (a set of entities of different types)
  - Needs expression
  - Threat analysis: type/cause
  - Expression of security objectives
  - Determination of security requirements

(2) Internal auditing Standards

 The responsibilities outlined in the IIA standards include planning and executing
audits, defining objectives and scope, allocating resources, documenting findings,
and ensuring alignment with organizational goals.
 These standards help internal auditors conduct effective and efficient audit
engagements while maintaining integrity, objectivity, and professionalism.
(2) Internal auditing Standards

 Standard 2010 – Planning: This standard emphasizes the importance of developing
a comprehensive audit plan. It requires auditors to consider the organization's
objectives, risks, and control environment when planning audit activities.
 Standard 2201 – Engagement Objectives: Auditors must clearly define the
purpose, scope, and objectives of each audit engagement. This ensures alignment
with organizational goals and helps focus audit efforts on areas of greatest
significance.
(2) Internal auditing Standards

 Standard 2210 – Engagement Scope: Defining the scope of audit engagements is
crucial for ensuring that audit resources are directed towards areas with the highest risk
or importance. This standard emphasizes the need to clearly delineate the boundaries
of audit work.
 Standard 2220 – Engagement Resource Allocation: Auditors must allocate
appropriate resources to audit engagements based on their significance and complexity.
This ensures that audit teams have the necessary expertise and tools to conduct
thorough and effective audits.
(2) Internal auditing Standards

 Standard 2230 – Engagement Execution: This standard outlines requirements
for executing audit engagements in line with the audit plan and objectives. It
emphasizes the importance of conducting audit activities efficiently and
documenting findings accurately.
(2) Internal auditing Standards

 Standards: What are the Security Standards of an Information Security
Management System?
 ISO 27001: Process approach (PDCA) and 133 baseline measures in plan development
 ISO 17799: Thematic segmentation corresponding to the realities of the organization's
structure
(2) Internal auditing Standards

 ISO 27001, as a management standard, aligns with ISO 9001 through the
adoption of a process approach and the PDCA (Plan-Do-Check-Act)
methodology in establishing and managing the information security management
system. It emphasizes the following points:
 The need to define an information security policy based on expressed requirements in this
area,
 The operational implementation of information security measures based on the risks that may
impact the organization's business activities,
 Monitoring the implemented system for effectiveness,
 Continuous improvement based on objective assessments.
Importance of IT Audit

 There are multiple motives for conducting a security audit, encompassing these
six objectives:
 Detect security issues, vulnerabilities, and system weaknesses.
 Establish a foundational security standard for comparison in future audits.
 Ensure adherence to internal organizational security policies.
 Fulfill external regulatory compliance requirements.
 Assess the sufficiency of security training programs.
 Identify and eliminate unnecessary resources.
Approach and Best Practices of Auditing

 The ISO 19011:2011 standard presents a set of recommendations regarding the
conduct of the audit mission. In more detail:
 The standard provides guidelines on auditing management systems (including audit
principles, managing an audit program, and conducting audits of management systems).
Audit Initiation and Preparation Phase

 Mission starts with a request from the sponsor.
 Mission letter drafted and signed by requester.
 Audit provider appoints audit manager.
 Manager communicates with audited organization.
 Define audit objectives, scope, criteria.
 Discuss communication channels and allocate resources.
 An audit agreement must be established between the audit sponsor and the audit provider at the beginning
of the assignment and must be validated and signed by both stakeholders.
Audit Initiation and Preparation Phase

 An audit agreement should include:
 Established between audit sponsor and provider.
 Contains stakeholder information: Names, Responsibilities, Roles.
 Presents audit objectives.
 Defines audit scope and details (deliverables, goals, milestones, duration, etc.).
 Sets audit criteria (security policy, standards, frameworks, etc.).
 Determines audit dates and locations.
 Specifies audited organization's commitment to providing necessary documents.
 Establishes communication methods (contacts, representatives, etc.).
 Identifies resources and logistics required for audit execution and success (logistical arrangements,
material resources, human resources, etc.).
 Includes confidentiality clauses essential for project conduct.
Audit Execution and Findings Analysis Phase:
Opening Meeting

 Validate audit workload and schedule.
 Outline audit activities and confirm communication channels.
 Provide clarifications.
 Deliverables:
 Quality assurance plan
 Scope note
 Forecasted schedule
Audit Execution and Findings Analysis Phase:
Audit Execution

 Audit execution involves conducting the planned tests, including interviews and
on-site immersion in the audited organization's activities.
 Audit findings are documented and categorized as compliant or non-compliant
with the audit criteria.
 Immediate communication of major risks and proposed solutions to the audited
organization is crucial.
 Regular updates and coordination between the audit sponsor, provider, and
audited organization ensure smooth progress and problem-solving during the
audit.
Audit Execution and Findings Analysis Phase:
Records of the Execution Phase

 These documents include:
 Validated and signed reports by the representatives of the audited organization.
 Completed discrepancy sheets. A discrepancy sheet typically includes:
 Auditor findings.
 Recommendations.
 Commitments and/or actions proposed by the audited organization.
 Auditor comments related to the previous point.
 A maturity level evaluation grid concerning the initially defined security objectives must be filled out.
 Technical records, including:
 Files containing security scan results.
 Vulnerability analysis report.
 Samples of captured traffic.
 The results of technical audit tests primarily consist of:
 The list of vulnerabilities (network, systems, applications, etc.).
 The list of equipment configuration anomalies (firewall and network equipment configurations).
Audit Execution and Findings Analysis Phase:
Records of the Execution Phase

 The records from the audit execution phase must be evaluated, analyzed, and
consolidated by the audit team. This consolidation is achieved through the
following actions:
 Presentation of reliable and relevant findings, clearly formulated and summarized.
 Validation of audit conclusions.
 Preparation of recommendations.
 Definition of audit follow-up procedures.
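The execution-phase records described above (findings categorized as compliant or non-compliant, discrepancy sheets with auditor findings, recommendations and auditee commitments, and a maturity grid per security objective) and their consolidation by the audit team can be illustrated with a small script. This is an added example and not part of the course material or of any standard; the criteria, findings, severity ranking and maturity thresholds are constructed for illustration. The one design rule worth noting is that a criterion for which no evidence was collected is treated as non-compliant, since an auditor cannot assert compliance without proof.

```python
"""Added example: consolidating execution-phase audit records into
discrepancy sheets and a maturity-level grid.

Example code, not from the original course. Criteria, findings, the
severity ranking and the maturity thresholds are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed priority order used to sort discrepancy sheets (most severe first).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "unassessed": 4}

# Constructed maturity scale: (minimum weighted compliance ratio, level 0-5).
MATURITY_THRESHOLDS = [(0.95, 5), (0.80, 4), (0.60, 3), (0.40, 2), (0.20, 1), (0.0, 0)]


@dataclass(frozen=True)
class Criterion:
    """One audit criterion taken from the policy/standard fixed in the audit agreement."""
    ident: str
    objective: str      # security objective the criterion supports
    description: str
    weight: int = 1     # relative importance within its objective


@dataclass(frozen=True)
class Finding:
    """Evidence collected for one criterion during execution (test, interview, scan)."""
    criterion_id: str
    evidence: str
    compliant: bool
    severity: str = "low"
    recommendation: str = ""
    auditee_commitment: str = ""


def classify(criteria: List[Criterion], findings: List[Finding]) -> Dict[str, Finding]:
    """Map every criterion to its finding. Unknown criteria or severities are
    rejected; a criterion with no evidence is recorded as non-compliant."""
    by_id = {c.ident: c for c in criteria}
    status: Dict[str, Finding] = {}
    for f in findings:
        if f.criterion_id not in by_id:
            raise ValueError(f"finding refers to unknown criterion {f.criterion_id!r}")
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {f.severity!r}")
        status[f.criterion_id] = f
    for c in criteria:
        status.setdefault(c.ident, Finding(c.ident, "No evidence collected", False, "unassessed"))
    return status


def discrepancy_sheets(criteria: List[Criterion], findings: List[Finding]) -> List[dict]:
    """One sheet per non-compliant criterion, carrying the fields the slide lists,
    ordered by severity so the audit team can prioritize its follow-up."""
    by_id = {c.ident: c for c in criteria}
    sheets = []
    for cid, f in classify(criteria, findings).items():
        if f.compliant:
            continue
        sheets.append({
            "criterion": cid,
            "objective": by_id[cid].objective,
            "severity": f.severity,
            "auditor_finding": f.evidence,
            "recommendation": f.recommendation,
            "auditee_commitment": f.auditee_commitment,
            "auditor_comment": "",   # filled in once the commitment has been reviewed
        })
    sheets.sort(key=lambda s: SEVERITY_RANK[s["severity"]])
    return sheets


def maturity_grid(criteria: List[Criterion], findings: List[Finding]) -> Dict[str, int]:
    """Weighted share of compliant criteria per security objective, mapped to a 0-5 level."""
    status = classify(criteria, findings)
    totals: Dict[str, List[int]] = {}
    for c in criteria:
        ok_total = totals.setdefault(c.objective, [0, 0])
        ok_total[1] += c.weight
        if status[c.ident].compliant:
            ok_total[0] += c.weight
    grid = {}
    for objective, (ok, total) in totals.items():
        ratio = ok / total
        grid[objective] = next(level for floor, level in MATURITY_THRESHOLDS if ratio >= floor)
    return grid


# Constructed sample criteria and findings (not from any real audit).
CRITERIA = [
    Criterion("PWD-01", "Access control", "Password policy enforced on the domain", 2),
    Criterion("PWD-02", "Access control", "MFA required on remote access", 3),
    Criterion("BCK-01", "Continuity", "Daily backups of critical servers exist", 1),
    Criterion("BCK-02", "Continuity", "Restore test performed in the last 12 months", 2),
    Criterion("NET-01", "Network security", "Perimeter firewall applies default deny", 2),
    Criterion("LOG-01", "Network security", "Central log collection in place", 1),
]
FINDINGS = [
    Finding("PWD-01", "GPO exported; complexity and lockout settings match policy", True),
    Finding("PWD-02", "VPN accepts password-only logins", False, "high",
            "Enable MFA on the VPN gateway", "Pilot planned for next quarter"),
    Finding("BCK-01", "Backup job logs reviewed for 30 days, no failures", True),
    Finding("BCK-02", "No restore test documented", False, "medium",
            "Schedule and document a full restore test", "Accepted"),
    Finding("NET-01", "Outbound rule 'any any allow' found in firewall config", False, "critical",
            "Replace with explicit allow rules", "To be assessed by network team"),
    # LOG-01 intentionally has no finding: it must surface as non-compliant.
]

if __name__ == "__main__":
    for sheet in discrepancy_sheets(CRITERIA, FINDINGS):
        print(sheet)
    print(maturity_grid(CRITERIA, FINDINGS))
```

Running the block prints the sheets in priority order (the firewall anomaly first, then the missing MFA, the missing restore test and finally the unassessed log-collection criterion) and a grid of Access control 2, Continuity 1, Network security 0; swapping in the real criteria from the audit agreement and the findings from the technical records is all that is needed to reuse it.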
Closing Phase

 The audit provider is responsible for drafting the audit report, which will be presented in a closing meeting
to the audited organization's management. Both the audited organization and the audit sponsor should attend
this meeting to ensure understanding and acceptance of the audit findings and conclusions.
 The audit report must be issued within the predetermined timeframe. In case of delays, the reasons should be
communicated to the audit sponsor, and a new issuance date should be set.
 The audit report should be distributed to designated parties by the audit sponsor and must remain
confidential.
 The audit mission concludes upon completion of all defined audit tasks and the dissemination of the final
audit report.
Closing Phase: Deliverables

 Security audit report comprising:
 Results of the various conducted activities
 Comprehensive recommendations plan and prerequisites for their implementation.
 It should be noted that the deliverables of an audit mission should be discussed and defined at the
beginning of the mission. They typically include the following documents:
 Security policy.
 Charter for the use of IT resources.
 IS risk matrix and mapping.
 Specifications for selected solutions.
 IS procedures manual (inventory procedure, physical access management procedure, backup procedure,
etc.)
Q&A

 What is a security audit?
 A security audit is a comprehensive assessment of your organization's IT security controls and posture.
 How does a security audit work?
 A security audit works by testing your organization's security controls against a set of specified criteria (like a
framework or regulation), resulting in a report that outlines any gaps, recommendations, and/or observations. From
there, an organization can use the results of the security audit to take action.
 What does a security audit consist of?
 A security audit consists of, among other things, selecting audit criteria, assessing staff training, reviewing logs,
identifying vulnerabilities, and implementing protections.
 How do you perform a security audit?
 Performing a security audit depends on the criteria your organization is looking to audit against and can be performed
by internal audit or external auditors.
Q&A

 How to prioritize risks?
 What is an audit? What are its major steps?
 How many types of audit are there? What are its levels?
 What is the difference between a standard and a referential?
 Present EBIOS and COBIT.
 What are the main components of an audit agreement?
 What are the deliverables of the opening meeting of the IT audit's execution phase?
 Give examples of technical reports an auditor may provide after audit execution.
 What is a completed discrepancy sheet?
Conclusion
