An information security audit is an independent assessment of the current state of an information system's security that determines its level of compliance with defined criteria. The purpose of such an audit is to systematize the information security threats and to offer recommendations for their removal.
A comprehensive information security audit makes it possible to obtain a complete and objective picture of the enterprise's entire information system and of its separate life cycles (business processes), and to localize the inherent problems in order to create an effective and optimal program for developing the information security system.
The information security audit of the enterprise consists of:
- analysis of the functions and technologies used in the processing and transmission of information;
- detection of existing and potential threats to information security;
- ranking of the enterprise's existing vulnerabilities, both technological and organizational;
- analysis and assessment of the risks associated with threats to the security of the information resources;
- evaluation of the existing information security management system and development of recommendations for its improvement;
- audit of information security for compliance with the international standard ISO/IEC 27001:2005;
- development of proposals and recommendations to improve effectiveness and to launch effective mechanisms for ensuring information security;
- development of the enterprise's information security policy.