Information security policies and procedures alone are not adequate to assure compliance and the protection of sensitive information. The effectiveness of the policies can only be gauged by assessing how they are implemented. This is where an Information Security Audit comes into the picture. An Information Security Audit is a comprehensive assessment of the policies implemented, examining the technical, physical and administrative controls in the organization. The audit process ensures that the set policies and procedures are appropriately implemented and adopted by staff across the organization. It is an on-going process that involves maintaining the effectiveness of security controls and policies. An Information Security Audit is the most efficient and cost-effective means of evaluating the information security posture of an organization.
An initial study of your business to understand your processes and environment. Document all operating systems, software applications and data centre equipment operating within scope.
Support to management in scope definition, including timelines and the roles and responsibilities of your project team.
Using a global standard such as ISO 27001 or a customised framework: review the job descriptions of IT personnel in scope, review the company's IT policies and procedures, evaluate the company's IT budget and systems planning documentation, and review the data centre's disaster recovery plan.
Working with our Tech Team, our experts rank the risks and help you strategise the risk treatment measures.
Conduct internal and external vulnerability assessment and penetration testing of your servers and networks.
Since PCI involves a significant amount of technology, our Infrastructure Advisory Services team will support your internal team in rolling out recommendations such as a sanitized CDE (Card Data Environment) processing room, network segregation, log correlation, encryption, SIEM, product POCs, NAC/WAF assessment, IPv6, etc.
Once all controls are confirmed to be in place, we can issue a legally admissible audit certificate.
The Security Audit is applicable to any organization, across all industries, looking to improve its business processes and secure sensitive business information.
ISO 27001 is an international standard and industry best practice for information security management. Some organisations in specialised areas ask for an InfoSec audit combining ISO 27001 with PCI DSS, HIPAA, GDPR or even SOC 2.
An Information Security Audit includes examining the design of the policies and procedures and then evaluating how effectively they are implemented, including the evaluation of firewalls, monitoring technologies, encryption software, network architectural design, asset management, change management and logical access control solutions, to name a few.
Our consultants will work with you to understand your requirements and formulate a long-term strategy (1-2 years). The strategy is then broken down into monthly/quarterly milestones for effective progress tracking and delivery management. This will include compliance and governance (ISO 27001, SOC 2, PCI DSS, GDPR, CMMC, HIPAA, etc.) process compliance, vulnerability assessments, penetration testing and application assessments. The scoping will include critical processes such as Information Technology, Delivery, Marketing, Sales, Accounting, Finance and, last but not least, Administration and HR.
An Information Security Audit is an on-going process and should be performed every 6 months, or at least once a year. This is the bare minimum requirement under ISO 27001, PCI DSS, HIPAA, GDPR, SOC 2 and PDPA, and also from the standpoint of regulators such as the RBI or MAS.
Audit reports reflect a point in time. The maximum period for which a report can be relied upon is one year.