
Xchanging 2009, no part of this document may be circulated, quoted or reproduced without prior written approval of Xchanging.

Information Security Audit and Compliance Cambridge ITO


Agenda

Role of Internal Audit Group


Information Security Audit Process
Audit Planning

Auditing
Audit Reporting


Role of Internal Audit group in Information Security


Ensure Information security audit and compliance


Monitoring of, and adherence to, information security as outlined in the ISMS Manual and the Information Security Policy

Check compliance against ISO 27001 Standards by conducting audit


Help identify security threats and vulnerabilities in information assets
Communicate risks to business units
Address appropriate countermeasures


Information Security Audit Process


Internal Audit Group organizes and conducts internal information security audits
Documented audit procedure for conducting audits
Trained Auditors shall carry out audits
Auditors are drawn from a pool of Auditors

Establish Information Security audit Calendar


Communication to Auditee / Business unit / Location
Conduct Audit as per ISO 27001 Standards


Information Security Audit Planning

Establish Information Security audit Calendar


1. Audit Scope
2. Audit Objectives (various controls)
3. Statement of Applicability (SoA)

Auditors are drawn from a pool of auditors


Approval by CISO

Communication to Auditee / Business unit / Location
Conduct Audit


Information Security Auditing


Auditors to understand the standards and the objectives based on the established controls
Conduct Audit as per the audit calendar
Check compliance using the checklist for the various controls
Prepare Audit Report
Record non-compliance
Communicate to Auditee, who takes corrective and preventive action
Follow-up audit conducted to verify the corrective action taken by the Auditee


Information Security Audit Reporting


Audit Report and non-compliance are recorded
Communicated to Auditee, who takes corrective and preventive action
Audit team verifies the corrective action taken by the Auditee
Records of audits are kept with the Internal Audit Group

