Information Systems Auditing Standards

Published: October 27, 2012
Chap 8 – INFORMATION SYSTEMS AUDITING STANDARDS, GUIDELINES, BEST PRACTICES
___________________________________________________________________________
Introduction
BS 7799
CMM - Capability Maturity Model
COBIT – IT Governance Model
CoCo
ITIL (IT Infrastructure Library)
Systrust and Webtrust
HIPAA
SAS 70 – Statement of Auditing Standards for Service Organisations

___________________________________________________________________________
Introduction
Growing businesses require computers, networking, video conferencing, etc. Consequently, technology has also impacted auditing. The concept of Internal Control has diminished because:
o Through computers, a single person performs the functions of multiple persons who were earlier part of the internal control system
o Batch controls have disappeared

Result: a need to develop new standards for Information Systems. Common features of such modes of controls or standards are:
1. Every organization that uses IT uses a set of controls
2. Controls depend on the business objectives, budget, personality, and context of that organization
3. Control objectives should be constant across organizations
4. Each organization could use the same control framework

IS Audit Standards
IS Audit Standards provide audit professionals a clear idea of the minimum level of acceptable performance essential to discharge their responsibilities effectively. Some of the standards, by their year of birth, are as follows:
o 1994 – COSO, CoCo
o 1996 – HIPAA, COBIT
o 1998 – BS 7799

Standard on Auditing (SA) –
Link to eBook has been given in the Institute study material (ISCA)
o SA 315 – “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”
o SA 330 – “The Auditor’s Responses to Assessed Risks”

Chap 8 | www.iscanotes.com | www.excelnext.in | May 2011

BS 7799
BS 7799 is an International Standard setting out the requirements for an Information Security Management System (“ISMS”). It helps identify, manage and minimize the range of threats to which information is regularly subjected. BS 7799 focuses on protecting the confidentiality, integrity and availability (CIA) of organizational information. The standard is composed of two parts (components):

1. BS 7799 (ISO 17799) Part 1 – Code of Practice on Information Security Management (ISM)
2. BS 7799 (ISO 27001) Part 2 – Specification for Information Security Management Systems (ISMS)

The Code of Practice on Information Security provides a comprehensive set of security controls comprising the best information security practices in current use. It is strongly business-orientated, focusing on being a good management tool rather than being concerned with technical details.

ISO 27001 – (BS 7799: Part II) – Information Security Management Standard
The requirements of an information security management system as described by the standard are stated below. An organisation must consider these issues before trying to implement an ISMS:

- General: Establish and maintain a documented ISMS addressing the assets to be protected, the approach to risk management, control objectives and controls, and the degree of assurance required
- Establishing Management Framework: This would include
  o Define information security policy
  o Prepare Statement of Applicability
  o Define scope of ISMS including functional, asset, technical, and locational boundaries
  o Make appropriate risk assessment
  o Identify areas of risk to be managed and degree of assurance required
  o Select appropriate controls
- Implementation: The effectiveness of the procedures used to implement controls is to be verified while reviewing security policy and technical compliance
- Documentation: It shall consist of evidence of action taken while establishing
  o Management control
  o Management framework summary, security policy, control objectives, and implemented controls as per the Statement of Applicability
  o Procedure adopted to implement controls
  o ISMS management...