We wrote this white paper to elaborate on the broad business (commercial) benefits of implementing a standards-compliant Information Security Management System. It is a case study based on an IT services organization that installed an ISMS based on BS 7799:1 (now ISO/IEC 27002) and was certified against BS 7799:2 (now called ISO/IEC 27001).
[The case study has now been republished at ISO27001security.com, along with a complementary paper: a generic cost-benefit analysis (business case) for ISO27k.]
Gary Hinson wrote a ‘state of the nation’ piece about IT auditing for EDPACS journal. The relevant issue of EDPACS has been made available as a free download to showcase this venerable peer-reviewed journal. [By the way, EDPACS is looking for comprehensive articles about IT audit and security, governance and risk management, and auditing in general. If you feel the urge to see your work in print, contact the EDPACS editor, Dan Swanson, or other members of the EDPACS editorial board.]
The IT Audit FAQ turned five! Sorry if you missed the party. We should have saved you some cake.
The answers to Frequently Avoided Questions about IT Auditing give a tongue-in-cheek introduction to modern IT auditing for anyone unfamiliar with the specialism, including those who are about to be audited, who are considering a career in IT audit, who are interviewing candidates for IT audit positions, or are answering obscure questions on cryptic crosswords. Practicing IT auditors (as well as those who have mastered the art) will hopefully enjoy it and are very welcome to contribute to its continued development. It is tweaked every few weeks when either inspiration or boredom strikes.
Here’s some of the generous feedback from appreciative FAQ readers:
“Hello Gary, a small piece of feedback to congratulate you: I spent my evening reading your "Frequently Avoided Questions about IT auditing". I had great fun and got a lot of valuable information.” (thanks Cédric and good luck!)
“Hi Gary, I have just read your CA FAQ and please accept my profound compliments on an excellent example of literary output. As a career IT auditor of some 25+ years and an ISACA Chapter President, I thoroughly endorse your comments and views. This was the most enjoyable read in a long while.” (thanks Kevin)
“I’ve just been ‘volunteered’ to be an auditor and your site has lifted the gloom a wee bit. Might make it to the weekend now! Thanks for the info and humour - great work.”
“Thanks for the informative FAQs. I have surfed everywhere for information on Computer Auditing and your site is the best bar none. I am applying for a job as a computer auditor; although I do not have any formal audit qualifications, I do have 20 years’ experience in IT and IT quality systems. Your FAQs have answered some of the concerns I have.”
“What an entertaining (call the medics!) and informative read. I didn’t realise I did all that! Incredibly readable, if you can do that with auditing then you must be a star!” (No, not a star, just a bright spark maybe.)
“During my audit career I have tried to bring humor to the process ... something between an uphill struggle and pushing a string. I have a co-worker who is interested in getting into this field and I have referred him to your FAQ.”
“I would just like to pass on my thanks for “Frequently Avoided Questions about Computer Auditing”. The document is extremely informative and has helped to answer many questions that I have never been able to find the answers to! Furthermore, the humor throughout makes reading up on Computer Audit a real pleasure.” (oh stop it, you’ll make me blush!).
“Just wrote in to say I really enjoyed this FAQ you made. Great and impressive task. Now, it's easier to just link to this FAQ than to explain that "No, I don't do tax calculations, I'm an IT auditor." I'm an IT auditor of six years and though I've usually encountered being treated like the Ravenous Bugblatter Beasts of Traal, at least we're more palatable than Vogon Poetry... possibly.”
“Thank you so much for your time and efforts and blood and sweat and tears and whatever else you spent in writing this ...”
“I am a CPA from the Philippines and I just want to let you know that I spent my entire lunch break being entertained by your FAQs about IT auditors. I normally would not be interested in this subject, but something urged me to keep on reading, and I am glad I did. Although I still will not qualify as an IT Auditor (I am a tax auditor), I really enjoyed your FAQ, especially since, were it not for the hilarious bits of humor injected into the entire subject, it would otherwise have bored me to death or near death.” (thanks Amy)
This short discussion piece draws analogies between the principles of QA and governance. It concludes by defending ISO/IEC 27002’s use of information security control objectives and control recommendations instead of mandating specific controls.
We reviewed Sean Convery’s textbook for those tasked with designing network security architectures. There are several more recent book reviews on our NoticeBored website.
This is a discussion paper proposing that the Executive Board should include someone responsible for directing those functions specifically associated with corporate governance, and co-ordinating governance activities distributed amongst senior and middle management and the rest of the organisation.
Presents a strategic programme to improve information security controls through a logical sequence of six steps.
Feedback welcome! Please contact us to comment on any of these papers.