Information Security Auditor

Wendy Goucher

(2016)

Abstract

The role of an information security (or assurance) auditor is vital for identifying security gaps in an organisation's information systems. This practical book gives an excellent introduction to the role, covering areas such as purpose, required skills, responsibilities, interface and career progression as well as tools, standards and frameworks related to the role. It gives practical guidance to those new to the role or interested in developing a better understanding of what it entails.
Identifying security gaps in an organisation's information systems is a first and vital step in protecting data and information. This is what makes the role of an information security (or assurance) auditor so important. However, this is a role that is often maligned as a ‘check list monkey’ who adds nothing to the business. This practical book confronts this stereotype and gives an excellent introduction to the role, covering areas such as purpose, required skills, responsibilities, interface and career progression as well as tools, standards and frameworks related to the role. Based on the author's extensive experience, it gives practical guidance to those new to the role or interested in developing a better understanding of what it entails.
Wendy Goucher is a senior security consultant. Most of her work is focused on working with organisations to devise policy and procedures that are both compliant with external rules and operationally effective. This can be an interesting balancing act for which her first degree in psychology is useful.
'I believe that the book could be a useful little primer for a very important position within the IT Security field.'
Anthony Sutcliffe
'A refreshingly good book - easy to read with excellent guidance for both budding auditors and auditees. Wendy’s outline of a model Information Security Auditor outlines both the technical and personal skills required to succeed and it is her attention to the personal skill sets that is unique in this book.' Vernon Poole, CISM, CGEIT & CRISC - Head of Business Consultancy, Sapphire

Table of Contents

Section Page
Cover
Advert i
Copyright vi
CONTENTS vii
LIST OF FIGURES ix
ABOUT THE AUTHOR x
ABBREVIATIONS xi
GLOSSARY xiii
PREFACE xv
1 INTRODUCTION TO INFORMATION SECURITY AUDITING 1
INFORMATION SECURITY 1
INFORMATION SECURITY IN THE WORLD OF WORK 10
WHAT IS INFORMATION SECURITY AUDITING? 10
TYPES OF AUDIT 11
AUDITING STAGES 17
THE BUSINESS BENEFITS OF IS AUDITS 24
2 THE ROLE OF THE INFORMATION SECURITY AUDITOR 32
THE GULF OF EXECUTION 32
POPULAR MISCONCEPTIONS ABOUT THE AUDIT ROLE 35
BUILDING A MODEL INFORMATION SECURITY AUDITOR 40
ATTRIBUTES OF A MODEL IS AUDITOR 41
SKILLS REQUIRED OF A MODEL IS AUDITOR 53
ON THE OTHER HAND 73
INTERFACE AND DEPENDENCIES 75
3 TOOLS, METHODS AND TECHNIQUES 86
STANDARDS 87
BEST PRACTICE FRAMEWORKS, PROCEDURES AND PROCESSES 109
4 CAREER PROGRESSION AND RELATED ROLES 117
ENTRY 117
CONTINUED PROFESSIONAL DEVELOPMENT 118
‘MODEL-BUILDING’ GUIDANCE IN THE REAL WORLD 124
PRACTICAL EXAMPLES FROM SFIA 128
5 CASE STUDY ‘A DAY IN THE LIFE OF AN AUDITOR’ 131
AND SO… 140
REFERENCES 141
INDEX 143
Back Cover 148