Information Systems Auditing Standards

Topics: Information Technology Infrastructure Library, Information security, Capability Maturity Model Pages: 53 (9312 words) Published: October 27, 2012
Contents:
- Introduction
- BS 7799
- CMM - Capability Maturity Model
- COBIT – IT Governance Model
- ITIL (IT Infrastructure Library)
- Systrust and Webtrust
- SAS 70 – Statement of Auditing Standards for Service Organisations

Introduction
Growing business requires computers, networking, video conferencing etc. Consequently, technology has also impacted auditing. The concept of Internal Control has diminished because:
- Through computers, a single person performs the functions of multiple persons who were earlier part of the internal control system
- Batch controls have disappeared

Result: there is a need to develop new standards of Information Systems control. Common features of such modes of control or standards are:

- Every organization that uses IT uses a set of controls
- Controls depend on the business objectives, budget, personality, and context of that organization
- Control objectives should be constant across organizations
- Each organization could use the same control framework

IS Audit Standards
IS Audit Standards provide audit professionals a clear idea of the minimum level of acceptable performance essential to discharge their responsibilities effectively. Some of the standards, by year of origin, are as follows:
- 1994
- 1996
- 1998
BS 7799

Standards on Auditing (SA) – a link to the eBook has been given in the Institute study material (ISCA):
- SA 315 – “Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity and its Environment”
- SA 330 – “The Auditor’s Responses to Assessed Risks”

Chap 8 | 1 | May 2011

BS 7799
BS 7799 is an International Standard setting out the requirements for an Information Security Management System (“ISMS”). It helps identify, manage and minimize the range of threats to which information is regularly subjected. BS 7799 focuses on protecting the confidentiality, integrity and availability (CIA) of organizational information. The standard is composed of two parts (components):

1. BS 7799 (ISO 17799) Part 1 – Code of Practice on Information Security Management (ISM)
2. BS 7799 (ISO 27001) Part 2 – Specification for Information Security Management Systems (ISMS)

The Code of Practice on Information Security provides a comprehensive set of security controls comprising the best information security practices in current use. It is strongly business-orientated, focusing on being a good management tool rather than being concerned with technical details.

ISO 27001 – (BS 7799: Part II) – Information Security Management Standard
The requirements of an information security management system as described by the standard are stated below. An organisation must consider these issues before trying to implement an ISMS.

- General: Establish and maintain a documented ISMS addressing the assets to be protected, the approach to risk management, control objectives and controls, and the degree of assurance required
- Establishing Management Framework: This would include
  o Define information security policy
  o Prepare Statement of Applicability
  o Define scope of ISMS including functional, asset, technical, and locational boundaries
  o Make appropriate risk assessment
  o Identify areas of risk to be managed and degree of assurance required
  o Select appropriate controls

- Implementation: The effectiveness of the procedures used to implement controls is to be verified while reviewing the security policy and technical compliance
- Documentation: It shall consist of evidence of action taken while establishing
  o Management control
  o Management framework summary, security policy, control objectives, and implemented controls as per Statement of Applicability
  o Procedure adopted to implement control
  o ISMS management...