Direct and be fully accountable for information security audit
URN: ESKISP6086.01
Business Sectors (Suites): Information Security
Developed by: SDS
Approved on:
01 Feb 2013
Overview
This standard covers the competencies concerned with directing information security audit activities. It includes setting the strategy and policies for information security auditing, and being fully accountable for successful information security audit activities and deliverables.
This includes defining and implementing information security processes to verify on-going conformance to security requirements, and undertaking security compliance audits in accordance with an appropriate methodology.
Performance criteria
You must be able to:
P1 be fully accountable for information security audit
P2 define the information security audit strategy, policies and standards
P3 develop plans for risk-based audit coverage of the organisation's information systems for inclusion in audit planning
P4 ensure audit coverage is sufficient to provide the business with full assurance of the adequacy and integrity of information security controls
P5 oversee the development of the audit planning and review process
P6 monitor the quality and effectiveness of information security audit activities, critically reviewing the approach and process and making recommendations for improvement where appropriate
P7 design procedures, tools and techniques relating to information security audit activities
P8 provide timely and objective advice and guidance to others on all aspects of information security audit activities, including best practice and the application of lessons learned
P9 authorise the issue of formal reports to management on the effectiveness and efficiency of information security control mechanisms
P10 direct resource allocation and professional development strategy for information security audit activities
P11 provide thought leadership on the discipline of information security audit, contributing to internal best practice and to externally recognised publications, white papers, etc.
Knowledge and Understanding
You need to know and understand:
K1 the need to advise and guide others on all aspects of information security audit activities
K2 how lessons learned may be applied to information security audit activities of other programmes
K3 sources of best practice in information security audit activities
K4 how to design and develop the strategy, policies, plans and standards for information security audit activities to ensure the alignment with all relevant legislation, regulations and external standards
K5 the need to ensure that timely and effective review of information security audit procedures takes place
K6 how to objectively analyse the findings from reviews of information security audit activities and report to sponsors and stakeholders
K7 the importance of using lessons learned in order to inform future information security audit activities
Scope/range
Scope Performance
Scope Knowledge
Values
Behaviours
Skills
Glossary
Links To Other NOS
External Links
Version Number
1
Indicative Review Date
01 Dec 2015
Validity
Current
Status
Original
Originating Organisation
e-skills UK
Original URN
ESKISP6086.01
Relevant Occupations
Information and Communication Technology, Information and Communication Technology Officer, Information and Communication Technology Professionals, IT Service Delivery Occupations, Software Development
SOC Code
Keywords
Cyber Security; Information Security