Organisational audit
We verify that the policies and procedures in place keep the audited information system in an operational and secure condition, and that they meet our client's needs, the state of the art and current security standards. We also verify that these policies and procedures properly complement the technical measures deployed and are effectively applied in practice.
Goals
- Check the presence and completeness of security policies and procedures
- Study their compliance with security needs and state of the art
- Qualify their technical efficiency and coverage
- Check their application within the information system
Steps
- Documentation collection and analysis (e.g. BCP, contracts, installation guides, operating procedures)
- Interviews with key staff (e.g. CISO, architecture manager, security engineer)
- Technical audit by sampling (e.g. server configuration, security incident reports)
Topics covered
The themes addressed in our organisational audits follow the control domains of the ISO 27002 standard:
- Security policies
- Security organization
- Human resources security
- Company asset management
- Access control
- Encryption
- Physical security
- Security operations
- Communications security
- Acquisition, development and maintenance of the system
- Relationship with third parties
- Security incident management
- Business continuity management
Technical control points
- Physical access
- Remote administration
- Access control
- Authorization management
- Protection against intrusion
- Configuration hardening
- Network partitioning
- Internet access
- Equipment connection
- Supervision and alerts
- Event management
- Backup / restore management
- Application of updates and patches
- Platform redundancy
- Business continuity and recovery
- Training / Awareness
- Supplier relationship
- Staff entry / exit