Udemy
    •  
    •  
    •  
    •  
    •  
    •  
    •  
    •  
Turn what you know into an opportunity and reach millions around the world.
Learn More
Your cart is empty.
Keep shopping
How to Perform an Information Security Audit
Rating: 4.5 out of 5(55 ratings)
349 students

How to Perform an Information Security Audit

What you need to know to perform information security audits
Last updated 4/2025
English

What you'll learn

  • Understand how to properly plan engagements by determining their objectives, criteria and scope.
  • Know how to create working papers to document an audit and learn about different ways to staff an audit.
  • Learn how to collect engagement information and then analyze and evaluate it. Learn how to supervise engagements.
  • Learn how to communicate engagement results and the process of acceptance of risks. Learn how to monitor progress on the implementation status of internal audit
  • Know about which threats to information security should be assessed, including threats to the integrity of data, confidentiality and the availability of data.
  • Be able to evaluate privacy risks, risks from smart devices, insider threats, illicit software threats and cybersecurity threats amongst others.
  • Be able to evaluate risks by using the Asset-Threat-Vulnerability triangle.
  • Know about the different types of information security controls, including IT general controls.
  • Be able to put in place a solid governance over information security, such as by putting in place IT management and governance controls.
  • Be able to implement the segregation of IT duties and IT departmentalization, an information security framework and cybersecurity governance and policies.
  • Be able to apply the Three Lines of Defense Model in cybersecurity.
  • Learn about controls such as identity access management and authentication, encryption and firewalls, data privacy and protection controls.
  • Know about application and access controls, technical IT infrastructure controls, external connections controls and 3rd party information security controls.

Course content

3 sections89 lectures10h 34m total length
  • Information Security5:36

    Welcome to the course How to Perform an Information Security Audit.

  • Data Integrity, Confidentiality and Data Availability2:48

    Define confidentiality as access only for permitted individuals, ensure data integrity through error checking for completeness and accuracy, and maintain data availability with timely, reliable access and possible local mirrors.

  • IT General Controls8:30
  • Segregation of IT Duties5:07
  • Question on Segregation of IT Duties1:48

    Explain segregation of duties: users update data through application programs, while application programmers cannot update production data or programs, with changes submitted to the change control unit.

  • Threats and Controls to Physical Security7:04
  • Question on Threats and Controls to Physical Security1:34
  • Question on Threats and Controls to Physical Security2:08
  • Identity Access Management2:36
  • Access and Authorization Controls - Risks7:02
  • Identity Access Management - Activities6:29
  • Authentication1:04
  • IT Departmentalization6:40
  • Question on IT Departmentalization 1 of 22:30
  • Question on IT Departmentalization 2 of 22:51
  • Types of Information Security Controls11:41
  • Encryption1:59
  • Firewalls4:35
  • Data Privacy and Protection6:59
  • Data Protection Framework12:25
  • Question on Data Protection Framework2:00
  • Smart Devices and Their Risks7:57
  • Question on Smart Devices and Their Risks3:31
  • Question on Data Protection Framework4:59
  • Asset-Threat-Vulnerability Triangle8:05
  • Cybersecurity Risks2:17
  • Cybersecurity Threats33:41
  • Question on Cybersecurity Threats 10:26
  • Question on Cybersecurity Threats 20:59
  • Question on Cybersecurity Threats 31:01
  • Question on Cybersecurity Threats 40:35
  • IT Management and Governance Controls Against Cybersecurity Threats7:12
  • Application and Access Controls7:05
  • Technical IT Infrastructure Controls2:31

    Establish a baseline performance for systems, networks, storage, and resources, and monitor usage for unexpected changes. Maintain change controls, test backups, and inventory IT assets—hardware, networks, and software—to identify vulnerabilities.

  • External Connections Controls3:54
  • Verifying 3rd Party Information Security6:54
  • Illicit Software Use7:49
  • Insider Threat9:09
  • Question on Insider Threat0:28
  • Question on Data Privacy and Protection2:06
  • Cybersecurity Governance and Policies5:51
  • Information Security Framework5:23

    Explores information security frameworks, notably ISO 27001, highlighting governance, risk management, risk assessment, residual risk, action plans, and the path to certification through internal audits and external verification.

  • The Three Lines of Defense Model in Cybersecurity3:37
  • Question on Cybersecurity Governance and Policies2:28

Requirements

  • No prior experience or knowledge is required.

Description

We are glad to bring you a course to learn how to perform information security audits.

This course is ideal for:

  1. IT and information security professionals who wish to learn techniques on how to assess the security of their information and the vulnerability of their information systems; and

  2. Auditors or others performing assessments who wish to learn more about performing information security audits.

The course will give you the knowledge and tools necessary to perform information security audits, starting from how to plan them, how to perform and how to report on the results of the engagement. It will teach you about which threats to assess and which controls should be put in place.

It is taught by Adrian Resag, an experienced and CISA certified information security auditor who has decades of experience evaluating information security, IT and ISO 27001 in many organizations.


The course covers:

Performing Information Security Audits

Planning Engagements

  • Understand how to properly plan engagements by determining their objectives, criteria and scope.

  • Know how to create working papers to document an audit and learn about different ways to staff an audit.

Performing Engagements

  • Learn how to collect engagement information and then analyze and evaluate it. Learn how to supervise engagements.

Communicating Progress and Results

  • Learn how to communicate engagement results and the process of acceptance of risks. Learn how to monitor progress on the implementation status of internal audit recommendations.

Information Security Threats and Controls

Threats to information security

  • Know about which threats to information security should be assessed, including threats to the integrity of data, confidentiality and the availability of data.

  • Be able to evaluate privacy risks, risks from smart devices, insider threats, illicit software threats and cybersecurity threats amongst others.

  • Be able to evaluate risks by using the Asset-Threat-Vulnerability triangle.

Controls over information security

  • Know about the different types of information security controls, including IT general controls.

  • Be able to put in place a solid governance over information security, such as by putting in place IT management and governance controls.

  • Be able to implement the segregation of IT duties and IT departmentalization, an information security framework and cybersecurity governance and policies.

  • Be able to apply the Three Lines of Defense Model in cybersecurity.

  • Learn about controls such as identity access management and authentication, encryption and firewalls, data privacy and protection controls.

  • Know about application and access controls, technical IT infrastructure controls, external connections controls and 3rd party information security controls.

Who this course is for:

  • Current or future IT and information security professionals who wish to learn techniques on how to assess the security of their information and the vulnerability of their information systems.
  • Auditors or others performing assessments who wish to learn more about performing information security audits.