Sl. No. | Audit Area | Test Procedures

1. Security management reporting framework
   - Interview senior management on their commitment to information security.
   - Check minutes of board meetings, the security reports submitted, and the frequency with which security reports are sent to management.
   - Check the action taken and follow-up by senior management on security initiatives.
   - Verify the adequacy of the security budget.

2. Information security policies
   - Check whether Information Security Policies have been created, approved by management, and communicated to the users concerned.
   - Check whether the policy states management's commitment and sets out the organizational approach to managing information security.
   - Ensure that the security policies are linked to the risk assessment and that policies suited to the organization's needs have been appropriately developed.

3. Review of Information Security Policies
   - Check whether the Information Security Policies are reviewed at planned intervals, or when significant changes occur, to ensure their continuing suitability, adequacy and effectiveness.
   - Check whether the results of the management review are taken into account.
   - Check whether management approval is obtained for the revised policy.

4. Confidentiality and Non-Disclosure Agreements
   - Check whether the organization's need for Confidentiality or Non-Disclosure Agreements (NDAs) for the protection of information is clearly defined and regularly reviewed.

5. Independent review of information security
   - Check whether the organization's approach to managing information security, and its implementation, is reviewed independently and periodically, or when substantial changes to the security policies occur.

6. Identification of risks related to third parties
   - Check whether risks to the organization's information and information systems arising from third-party access are identified, and appropriate control measures implemented, before access is granted.

7. Exception process
   - Check whether the exception process is defined and implemented.
   - Verify that each exception is granted against compensating controls, is for a limited period of time, and that management has a plan to close the exception.
   - Ensure that exceptions are reviewed periodically.
   - Interview the approver of exceptions to confirm that they are aware of the associated risks.

8. Procedures and documentation standards
   - Check that internal standards for system configuration, documentation, network segmentation and the security baseline are defined and implemented.
   - Review the documented operating procedures for security controls and ensure that these are reviewed and kept up to date.