The different types of Information Security audit
The role of security in organizations is growing increasingly important. The impact and likelihood of suffering a security incident should be minimized as far as possible. This is why many organizations are opting for proactive protection, by including Information Security audit in their security roadmaps.
An audit of this kind objectively identifies security vulnerabilities and gaps. These weaknesses are tied to the areas through which Information Security can be compromised: people, processes, services, information, technology, facilities, and suppliers.
We can classify the different types of security audits into three main blocks based on the subject of the audit and the techniques used. These blocks are:
- Information Security best practice audits
- Information Security legal and regulatory compliance audits
- Ethical Hacking audits
In this article, we will look at each of these types of audit, defining how and against which criteria they are performed. We will also identify the type of expert involved in each one and, finally, we will analyse how they can help enhance security in organizations.
Information Security best practice audits
Firstly, we’ll discuss Information Security best practice audits.
When performing this type of audit, a recognized benchmark or framework (national or international) is used as the reference: the organization's current controls are compared, one by one, against the security controls the benchmark prescribes, and any gaps are recorded.
These frameworks are designed to cover every domain in which an organization's assets may be compromised, although how completely they do so depends on the framework and on how well its scope matches the organization.
Some of the most well-known reference frameworks in this field are:
- International Organization for Standardization, ISO/IEC 27000 series (in particular ISO/IEC 27001 and the ISO/IEC 27002 control catalogue)
- National Institute of Standards and Technology (NIST), notably the NIST Cybersecurity Framework and the SP 800-53 control catalogue
- National Security Framework (ENS, Esquema Nacional de Seguridad, Spain)
Frequently, organizations whose business processes carry a large number of security requirements define their own reference framework, mapping the controls of the external standards onto the organization's needs. This consolidated approach aims to provide a single, centralized view of the control set, so that the same control is not assessed repeatedly under different frameworks.
This type of audit is generally performed by IT professionals who are specialists in Information Security and familiar with the reference frameworks of the audit.
Legal and regulatory compliance audits
Legal and regulatory obligations also shape Information Security in an organization, and their effect must be assessed separately. That is why the second type of audit we will look at is the legal and regulatory compliance audit.
This type of audit assesses compliance with laws and regulations that impose Information Security obligations. Some of the most important ones (several of them specific to Spain, where this classification originates) are listed below:
- Organic Law on Data Protection (LOPD, Spain)
- General Data Protection Regulation (GDPR, European Union)
- Law on Information Society Services and Electronic Commerce (LSSICE, Spain)
- Intellectual Property Law (LPI, Spain)
- Critical Infrastructure Protection Law (PIC, Spain)
- Prevention of Occupational Hazards Law (LPRL, Spain)
- National Security Framework (ENS, Spain), which is both a control framework and a mandatory requirement for public-sector bodies and their suppliers, so it appears in both types of audit
This type of audit is performed from a legal standpoint with a focus on Information Security. It therefore requires a multidisciplinary team of lawyers specializing in security and IT auditors with extensive knowledge of the laws and regulations applicable in this field.
Ethical Hacking audits
Another critical area of any security audit is the protection of the organization's technological infrastructure, which must be audited separately, from a more technical angle. That is why, in the third and final place, we will discuss Ethical Hacking.
This type of audit realistically simulates the actions of cyber attackers using technical tools and resources to test the robustness of technological infrastructure and, specifically, information systems.
In Ethical Hacking audits, we can distinguish between vulnerability assessments, penetration tests, and Red Team exercises. A vulnerability assessment aims for breadth, enumerating known weaknesses (typically with scanning tools) without exploiting them; a penetration test goes further and exploits the weaknesses found, within an agreed scope, to demonstrate their real impact; a Red Team exercise is objective-driven, simulates a specific adversary end to end, and usually also measures how well the organization's detection and response capabilities perform. Each has its own features and restrictions, such as scope, duration, and the type of technical resources that may be used. In all cases, the aim is to find security vulnerabilities or gaps in the organization's technological infrastructure before a real attacker does.
To ensure effective and repeatable results, these audits follow established methodologies and references. Some of the most widely used are the Open Source Security Testing Methodology Manual (OSSTMM), the CIS Benchmarks and Controls from the Center for Internet Security (CIS), the testing guides and Top 10 lists of the Open Web Application Security Project (OWASP), and MITRE ATT&CK, a knowledge base of adversary tactics and techniques that is used to plan and map Red Team activity rather than as a testing procedure in itself.
This type of audit is generally performed by IT professionals who are specialists in cybersecurity. They have extensive technical expertise and in-depth knowledge of programming and information security.
As we have seen in this post, we can differentiate between three main blocks of security audit which are performed by experts with different skillsets.
On the one hand, best practice audits are aimed at risk management and help us assess the threat exposure of an organization to provide an overall view of the status of its Information Security.
On the other hand, legal and regulatory compliance audits assess the organization's culture of compliance with the ultimate aim of avoiding sanctions and fines. Lastly, Ethical Hacking audits test the resilience of the organization's technological infrastructure and the effectiveness of the security measures protecting it.
Each of these types of audits helps provide indicators that enhance the security maturity of the organization as part of the process of continuously improving Information Security Governance.