Security Audit and Governance

As an organisation matures and identifies risks through IT assessments, cybersecurity assessments or risk assessments, it implements controls, through procedures, tools or both, to remediate the gaps those assessments identified.

Once these remediation controls are in place, the organisation will want to confirm that they are actually achieving the intended result. This is the point at which an organisation may engage a security audit team to audit those controls, and the other controls in its environment more generally, usually against a framework of standards.

In some cases an organisation is mature enough to already have controls in place and wishes to implement policies that continually improve and govern those controls, with a framework for continually discovering and mitigating risk.

In other cases, organisations in specific industries are required by law or by a governing body to comply with a particular standard. These organisations require a periodic audit of their environment in order to remain compliant.

If an organisation does not have to comply with a specific standard or framework but is considering an audit of its controls to improve its overall security and governance, our auditing team at Secure-ISS will suggest adopting a formalised standard so that there are defined control goals to audit against.

Frameworks such as the ACSC Essential Eight or the CIS 20 Critical Security Controls suit organisations of this type: those looking to align with a framework, test their remediation policies and tools against it, and bring some governance to the environment. In such cases we can assist the organisation to determine its own set of governance goals and policies to adhere to, based on best practice and experience.

The Essential Eight and the 20 Controls let an organisation draw on the battle-tested expertise of the global IT community: their authors estimate that the controls mitigate the large majority (commonly cited as around 85%) of common attacks. Both focus on proven best practice rather than any one vendor's product, and the CIS Controls in particular offer a roadmap for compliance programmes through their published mappings to PCI DSS, NIST and ISO frameworks.

Secure-ISS can also audit an organisation that complies with ISO 27K, NIST, PCI DSS or COBIT. These standards are designed for enterprises that already have mature policies and procedures in place to secure their IT and business resources, or whose industry requires compliance with a standard.

As examples, PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data, whereas ISO 27K is implemented across Queensland government agencies, as directed by the Queensland Government CIO.

Key benefits of adhering to a security standards framework:

Marketing Edge
Lowering Expenses
Putting Business In Order

Marketing Edge

It is odd to list this as the first benefit, but it often shows the quickest "return on investment". If an organisation must comply with various regulations on data protection, privacy and IT governance (particularly a financial, health or government organisation), a framework brings in a methodology that lets it do so in the most efficient way, and demonstrable compliance is itself something the organisation can present to customers and partners.

Lowering Expenses

Information security is usually regarded as a cost with no obvious financial return. There is a return, however, in the expenses avoided when incidents are prevented. In all probability there has been, or will be, an interruption of service, a data leak, or a disgruntled employee. There is still no methodology or technology that accurately calculates how much money would be saved by preventing such incidents, but it is well established that without policies and procedures in place to counter them, the cost of remediating after the fact is far higher than the cost of preparing in advance.

Putting Business In Order

The most underrated benefit. If the organisation has grown sharply over the last few years, questions such as who decides what, who is responsible for which information assets, and who authorises access to which information systems will come to the fore. Security standards are particularly good at sorting out these questions: they force an organisation to define responsibilities and duties very precisely, and in doing so strengthen the internal organisation.