Direct and be fully accountable for information security audit

URN: ESKISP6086.01
Business Sectors (Suites): Information Security
Developed by: SDS
Approved on: 01 Feb 2013

Overview

This standard covers the competencies concerned with directing information security audit activities. It includes setting the strategy and policies for information security auditing, and being fully accountable for successful information security audit activities and deliverables.
It also includes defining and implementing information security processes to verify ongoing conformance to security requirements, and undertaking security compliance audits in accordance with an appropriate methodology.


Performance criteria

You must be able to:

P1 be fully accountable for information security audit 

P2 define the information security audit strategy, policies and standards 

P3 develop plans for risk-based audit coverage of the organisation's information systems for inclusion in audit planning

P4 ensure audit coverage is sufficient to provide the business with full assurance of adequacy and integrity 

P5 oversee the development of the audit planning and review process 

P6 monitor the quality and effectiveness of information security audit activities, critically reviewing the approach and process and making recommendations for improvement where appropriate 

P7 design procedures, tools and techniques relating to information security audit activities 

P8 provide timely and objective advice and guidance to others on all aspects of information security audit activities, including best practice and the application of lessons learned

P9 authorise the issue of formal reports to management on the effectiveness and efficiency of information security control mechanisms

P10 direct resource allocation and professional development strategy for information security audit activities 

P11 provide thought leadership on the discipline of information security audit, contributing to internal best practice and to externally recognised publications, white papers, etc.


Knowledge and Understanding

You need to know and understand:

K1 the need to advise and guide others on all aspects of information security audit activities 

K2 how lessons learned may be applied to information security audit activities of other programmes  

K3 sources of best practice in information security audit activities 

K4 how to design and develop the strategy, policies, plans and standards for information security audit activities to ensure the alignment with all relevant legislation, regulations and external standards 

K5 the need to ensure that timely and effective review of information security audit procedures takes place  

K6 how to objectively analyse the findings from reviews of information security audit activities and report to sponsors and stakeholders

K7 the importance of using lessons learned in order to inform future information security audit activities


Scope/range


Scope Performance


Scope Knowledge


Values


Behaviours


Skills


Glossary


Links To Other NOS


External Links


Version Number

1

Indicative Review Date

01 Dec 2015

Validity

Current

Status

Original

Originating Organisation

e-skills UK

Original URN

ESKISP6086.01

Relevant Occupations

Information and Communication Technology, Information and Communication Technology Officer, Information and Communication Technology Professionals, IT Service Delivery Occupations, Software Development

SOC Code


Keywords

Cyber Security; Information Security