Security Audit and Governance
As an organisation matures, it will have identified risks through previous IT assessments, cybersecurity assessments or risk assessments, and will have implemented controls, through procedures, tools or both, to remediate the gaps those assessments identified.
Once these remediation controls are in place, the organisation may want to confirm that they are actually achieving their intended results. At this point the organisation may engage a security audit team to audit those controls, and the other controls in its environment more generally, usually against a recognised framework or standard.
In some cases, an organisation is mature enough to have controls already in place and may wish to implement policies to continually improve and govern those controls and set up a framework to continually discover and mitigate risk.
In other cases, organisations in specific industries are required by law or by governing bodies to comply with a particular standard. These organisations need their environment audited periodically in order to remain compliant.
If an organisation is not required to comply with a specific standard or framework but is considering auditing its controls to improve its overall security and governance, our auditing team at Secure-ISS will suggest adopting a formalised standard so that the control goals are well defined and measurable.
Frameworks such as the ACSC Essential Eight or the CIS Controls (formerly the 20 Critical Security Controls) are well suited to organisations that want to align with a framework in order to test their remediation policies and tools and to bring some governance to their environment. In such cases we can help the organisation define its own set of governance goals and policies, based on best practice and experience.
The Essential Eight and the CIS Controls let an organisation draw on the battle-tested expertise of the global IT community. They concentrate on proven best practices rather than on any one vendor's products, are designed to defeat over 85% of common attacks, and provide a practical roadmap for compliance programs, with mappings to the PCI, NIST and ISO frameworks.
Secure-ISS can also audit organisations that comply with the ISO 27K, NIST, PCI DSS or COBIT standards. These standards are designed for enterprises that already have mature policies and procedures in place to secure their IT and business resources, or whose industry requires the business to comply with a standard.
For example, PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data, whereas the ISO 27K standard is implemented across Queensland Government agencies, as required by the Queensland Government CIO.
