
Welcome to the course How to Perform an Information Security Audit.
Define confidentiality as access only for permitted individuals, ensure data integrity through error checking for completeness and accuracy, and maintain data availability with timely, reliable access and possible local mirrors.
Explain segregation of duties: users update data through application programs, while application programmers cannot update production data or programs, with changes submitted to the change control unit.
Establish a baseline performance for systems, networks, storage, and resources, and monitor usage for unexpected changes. Maintain change controls, test backups, and inventory IT assets—hardware, networks, and software—to identify vulnerabilities.
Explores information security frameworks, notably ISO 27001, highlighting governance, risk management, risk assessment, residual risk, action plans, and the path to certification through internal audits and external verification.
Plan the engagement with a detailed risk assessment to identify significant risks and controls, using risk inventories, heat maps, and a flowchart to uphold due professional care and ethics.
We are glad to bring you a course to learn how to perform information security audits.
This course is ideal for:
IT and information security professionals who wish to learn techniques on how to assess the security of their information and the vulnerability of their information systems; and
Auditors or others performing assessments who wish to learn more about performing information security audits.
The course will give you the knowledge and tools necessary to perform information security audits, starting from how to plan them, how to perform and how to report on the results of the engagement. It will teach you about which threats to assess and which controls should be put in place.
It is taught by Adrian Resag, an experienced and CISA certified information security auditor who has decades of experience evaluating information security, IT and ISO 27001 in many organizations.
The course covers:
Performing Information Security Audits
Planning Engagements
Understand how to properly plan engagements by determining their objectives, criteria and scope.
Know how to create working papers to document an audit and learn about different ways to staff an audit.
Performing Engagements
Learn how to collect engagement information and then analyze and evaluate it. Learn how to supervise engagements.
Communicating Progress and Results
Learn how to communicate engagement results and the process of acceptance of risks. Learn how to monitor progress on the implementation status of internal audit recommendations.
Information Security Threats and Controls
Threats to information security
Know about which threats to information security should be assessed, including threats to the integrity of data, confidentiality and the availability of data.
Be able to evaluate privacy risks, risks from smart devices, insider threats, illicit software threats and cybersecurity threats amongst others.
Be able to evaluate risks by using the Asset-Threat-Vulnerability triangle.
Controls over information security
Know about the different types of information security controls, including IT general controls.
Be able to put in place a solid governance over information security, such as by putting in place IT management and governance controls.
Be able to implement the segregation of IT duties and IT departmentalization, an information security framework and cybersecurity governance and policies.
Be able to apply the Three Lines of Defense Model in cybersecurity.
Learn about controls such as identity access management and authentication, encryption and firewalls, data privacy and protection controls.
Know about application and access controls, technical IT infrastructure controls, external connections controls and 3rd party information security controls.