IT security audit
The aim of an audit is to verify whether the audited object complies with a model or a standard. An external audit should be performed by an independent party (a company, a person or a team), since independence is what makes the audit objective.
Security audit
For companies that have already implemented an information security management system (ISMS), we recommend an external ISMS audit that verifies compliance with the standard PN-ISO/IEC 27001 – Information security management systems – Requirements.
Security assessment
For companies that have not yet developed an ISMS (in the sense of the standard above) but want to know how effective their security controls are, we recommend an IT security assessment. This type of assessment, sometimes referred to as a "preliminary audit", is conducted on the basis of the standard PN-ISO/IEC 17799 – Code of practice for information security management (since renumbered internationally as ISO/IEC 27002). This standard contains a catalogue and description of the security controls used in most organisations today. It covers formal issues (management, responsibility, compliance, etc.) as well as technical ones (e.g. IT security controls, access control, physical security).
Note: The term "security audit" is often misapplied to services such as a configuration review, a penetration test or application security testing. These are distinct services, each with a narrower scope than an audit; a detailed description of each is available on our website.
Methodology
Our security audits and assessments are conducted according to a formalised, documented audit methodology, LP-A. The LP-A methodology defines which activities have to be performed during a security audit and which reports must be produced in its course. Applying this methodology simplifies the final acceptance of an audit project and helps ensure the project's quality. LP-A is the product of the extensive experience of its authors, who are also the lead auditors in our team.
The analyses conducted during a security audit or assessment are divided into two paths:
- the formal path, i.e. assessment of the formal (organisational) side of information security, and
- the technical path, i.e. assessment of IT and technical security controls.
This scope covers both the formal and the technical aspects adequately. In special cases, the two paths can be delivered as separate services.