auditing Information Security Management in ITIL

dtechcorp

Information Security Management is one of the process areas in ITIL (Service Design phase). We are about to conduct a mini-assessment or audit on a client. And on this process area ONLY. Could someone shed some light on any template we can use? What are the generic high-level steps you would undertake to perform the mini audit?

yoba222

1. Hire someone with experience doing this.
2. If you can't find someone, contract the project out to a third party infosec company.

Not to sound like a jerk, but you can't really download security auditing experience.

UncleB

Look at the ISO270001 books - I believe these have elements of what you are looking for.

genxfinalrevision

It sounds like you have not done an audit before. An improper security audit can leave an organization exposed to a number of risks (Sarbox, HIPPA, plain old getting hacked). By your questions, I would suggest that you farm it out.

After that, UncleB has the right of it. The ISO 27000 Standard is something that you could conceivable audit against. Unlike ITIL or COBIT, the ISO is not a body of knowledge. It's a concise document that explains clearly what must be in place, organizationally. But really it's not about having a checklist as much as understanding the methodology.

ItsmHarun

[FONT=&quot]According to ITIL, the objectives of Information Security Management are to ensure that:[/FONT]

• Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
• Information is observed by or disclosed to only those who have a right to know (confidentiality)
• Information is complete, accurate, and protected against unauthorized modification (integrity)
• Business transactions, as well as information exchanges between enterprises or with partners, can be trusted (authenticity and non-repudiation)