Information Security Management and Auditing

1. Audit Execution and Evidence Collection
   1. Evidence Gathering Techniques
      1. Inquiry and Interview Methods
         1. Interview Planning
         2. Questioning Techniques
         3. Interview Documentation
      2. Observation Procedures
         1. Direct Observation
         2. Process Walkthroughs
         3. Control Observation
      3. Document and Record Examination
         1. Document Review Procedures
         2. Record Analysis
         3. Documentation Assessment
      4. Analytical Procedures
         1. Data Analysis Techniques
         2. Trend Analysis
         3. Comparative Analysis
      5. Physical Inspection
         1. Asset Verification
         2. Facility Inspection
         3. Equipment Assessment
   2. Computer-Assisted Audit Techniques (CAATs)
      1. Automated Testing Tools
         1. Vulnerability Scanners
         2. Configuration Assessment Tools
         3. Log Analysis Software
      2. Data Analytics in Auditing
         1. Data Extraction and Analysis
         2. Statistical Sampling
         3. Exception Reporting
      3. Continuous Auditing Technologies
         1. Real-Time Monitoring
         2. Automated Control Testing
         3. Dashboard and Reporting
   3. Control Testing and Evaluation
      1. Test of Controls
         1. Control Design Testing
         2. Control Operating Effectiveness
         3. Control Deficiency Identification
      2. Substantive Testing
         1. Transaction Testing
         2. Balance Verification
         3. Accuracy Testing
      3. Compliance Testing
         1. Policy Compliance Verification
         2. Regulatory Compliance Testing
         3. Standard Adherence Assessment
   4. Audit Finding Development
      1. Finding Identification and Documentation
         1. Condition Description
         2. Criteria Specification
         3. Cause Analysis
         4. Effect Assessment
      2. Risk Assessment of Findings
         1. Finding Severity Rating
         2. Business Impact Analysis
         3. Risk Prioritization
      3. Root Cause Analysis
         1. Cause Identification Methods
         2. Contributing Factor Analysis
         3. Systemic Issue Identification