This audit report focuses on a project baselining an organization’s information security practices, with the purpose of identifying opportunities to advance the information security function and raise the overall effectiveness of existing security processes. It compares ISO 27001 (Information Security Management Systems Requirements) to existing information-security-related policies, procedures and practices.
The following key observations were noted during the review:
- The company’s information security policies and procedures have not been formally approved by management and implemented throughout the organization.
- No procedures exist to review, update and redistribute information security policies on an ongoing basis.
- While the security manager has been assigned formal responsibility for supporting information security at the company, management has not introduced this role outside of the IT department.
- Affiliated businesses/partners are directly connected to the company’s internal network without necessary oversight from the security manager. In addition, the security manager does not have sufficient authorization to ensure that business partner access to the company’s internal network is in compliance with security policies.