Methodology for an IT audit
Assign topic to the user
Answer:
ISO 27001 is developed for the establishment of an Information Security Management System, which means that this standard is for the protection of the information, so, basically ISO 27001 gives you a framework to identify risks and treat them implementing security controls, many of them are directly related to IT (but not all). So, this standard is not specifically developed to perform an IT audit, but you can use their security controls, although in the Annex A of ISO 27001 you can find a brief description of 114 security controls, while in the ISO 27002 you can find the same security controls but with a guide about how to implement each control.
So, maybe you can use the Annex A of ISO 27001 to select a group of security controls that you want to audit (related to IT), and if you need more information about each control you can see ISO 27002.
This article can be interesting for you “The basic logic of ISO 27001: How does information security work?” : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
And this article about how to develop a checklist for an internal audit for ISO 27001 can be also interesting for you “How to make an Internal Audit checklist for ISO 27001 / ISO 22301” : https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
Finally, these materials will help you to know more about the security controls of ISO 27001 and how to audit them:
- free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- free online training ISO 27001 Internal Auditor https://advisera.com/training/iso-27001-internal-auditor-course/
- book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Comment as guest or Sign in
Oct 06, 2016