A computer audit is a review and evaluation of an organization's systems and technological resources. Its ultimate goal is to ensure that information is protected and that the organization's equipment and teams work efficiently.
Security analysis should first be done internally. To obtain certification against a standard such as ISO/IEC 27001, the audit must then be performed by an independent external auditor, which requires professionals specifically trained for the task. In this way the organization verifies that its information systems comply with the applicable standards, regulations and laws.
Fundamental Steps Of A Computer Audit
When conducting a computer audit, it should always be carried out by an independent entity with no interest in the audited company, so that the analysis is thorough, objective and free of any kind of influence.
When carrying out the computer audit, this entity must complete three fundamental steps:
- Project planning: establishes the general framework for the project.
- Risk analysis: determines what the assets are, how much they are worth and how they are protected.
- Risk management: decides, for each identified risk, whether it is accepted, reduced, transferred or avoided, and which safeguards are needed.
These steps are the phases of the MAGERIT methodology, developed by Spain's Superior Council for Electronic Administration (Consejo Superior de Administración Electrónica, CSAE) in response to the dependence that organizations now have on information systems. Let's take a closer look at each of these steps.
Project planning
Project planning begins with an initial analysis step. This preliminary step is the most important one: without a correct analysis of the company's needs, a satisfactory audit is not possible. It is at this stage that the problems to be addressed are identified; they become the objectives of the later stages of the audit process.
Not all companies have the same requirements when commissioning a computer audit. In one case the network and physical equipment may be in good shape while the security controls have flaws; in another, the security controls may be sound while the network and physical systems fail.
This is why the auditor, in close collaboration with the employees and staff involved, must establish objectives tailored to each case: determining the objectives to be met and taking an inventory of everything concerning the company's computer systems and how they are used.
Once the objectives have been set in the analysis stage and the existing computer components and their uses have been inventoried, the planning proper begins. This is where the audit is actually planned, that is, how each of the objectives established in the analysis will be pursued.
IT risk analysis
At this stage all computer assets must be identified, together with the vulnerabilities they present, the threats they are exposed to, the likelihood that each threat materializes and the impact if it does. This identification makes it possible to determine the relevant controls and to decide, for each risk, whether to accept it, reduce it, transfer it or avoid it entirely.
Following the ISO/IEC 27001 standard, the risk analysis covers the following points:
- Identification of the assets and of the legal and business requirements relevant to the process.
- Valuation of those assets and of the impact that their compromise would have.
- Identification of the vulnerabilities and threats that may affect them.
- Assessment of the risk posed by those vulnerabilities and threats.
- Risk calculation, combining the likelihood of each threat with its impact.
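The steps above (asset valuation, threat and vulnerability identification, impact, likelihood, risk calculation and the accept/reduce/transfer/avoid decision) are easier to see in a small worked risk register. The following is an added example, not code from the page nor an official MAGERIT tool; the 1..5 value scale, the degradation and likelihood scales, the treatment thresholds, and every asset, threat and control listed are constructed for illustration.

```python
"""Worked risk-analysis register in the MAGERIT spirit (added example).

Not the page's code and not MAGERIT's own tables: all scales, assets,
threats, controls and the treatment policy below are constructed.
"""
from dataclasses import dataclass, field

# Assumed scales (illustrative):
#   value       1..5 per security dimension: C (confidentiality), I (integrity), A (availability)
#   degradation 0.0..1.0, fraction of the asset's value lost if the threat materialises
#   likelihood  0.0..1.0, probability of the threat materialising in a year
#   controls    (name, factor): an existing safeguard multiplies the likelihood by factor


@dataclass
class Asset:
    name: str
    value: dict  # dimension -> 1..5


@dataclass
class Threat:
    asset: str
    name: str
    dimension: str  # "C", "I" or "A"
    degradation: float
    likelihood: float
    controls: list = field(default_factory=list)


def impact(asset: Asset, threat: Threat) -> float:
    """Impact = value of the affected dimension x degradation caused by the threat."""
    return asset.value[threat.dimension] * threat.degradation


def residual_likelihood(threat: Threat) -> float:
    """Likelihood once the controls already in place are taken into account."""
    lik = threat.likelihood
    for _name, factor in threat.controls:
        lik *= factor
    return lik


def treatment(imp: float, lik: float, appetite: float = 0.5) -> str:
    """Assumed (hypothetical) treatment policy: accept below the risk appetite,
    avoid when both likelihood and impact are high, transfer (insure/outsource)
    rare but severe events, and reduce everything else with new controls."""
    if imp * lik < appetite:
        return "accept"
    if lik >= 0.5 and imp >= 3:
        return "avoid"
    if imp >= 4 and lik < 0.2:
        return "transfer"
    return "reduce"


def risk_register(assets, threats):
    """Potential risk (no controls), residual risk and treatment per threat,
    sorted from the highest residual risk down."""
    by_name = {a.name: a for a in assets}
    rows = []
    for t in threats:
        a = by_name[t.asset]
        imp = impact(a, t)
        lik = residual_likelihood(t)
        rows.append({
            "asset": a.name,
            "threat": t.name,
            "impact": round(imp, 3),
            "potential_risk": round(imp * t.likelihood, 3),
            "residual_risk": round(imp * lik, 3),
            "treatment": treatment(imp, lik),
        })
    return sorted(rows, key=lambda r: r["residual_risk"], reverse=True)


# Constructed sample inventory (not real data)
ASSETS = [
    Asset("customer-db", {"C": 5, "I": 5, "A": 4}),
    Asset("web-server", {"C": 2, "I": 3, "A": 5}),
    Asset("office-wifi", {"C": 2, "I": 2, "A": 1}),
]
THREATS = [
    Threat("customer-db", "SQL injection via web form", "C", 1.0, 0.6,
           [("parameterised queries", 0.1)]),
    Threat("customer-db", "ransomware on backup host", "A", 0.8, 0.3),
    Threat("web-server", "volumetric DDoS", "A", 1.0, 0.5,
           [("upstream scrubbing", 0.3)]),
    Threat("web-server", "unpatched RCE in web framework", "I", 1.0, 0.7),
    Threat("office-wifi", "eavesdropping on guest network", "C", 0.5, 0.4),
]

if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS):
        print(f'{row["residual_risk"]:5.2f}  {row["treatment"]:8}  '
              f'{row["asset"]}: {row["threat"]} (potential {row["potential_risk"]})')
```

The register shows the point of carrying both figures: SQL injection against the customer database has the highest potential risk (3.0) but, with parameterised queries already in place, the residual risk (0.3) falls below the assumed appetite and is accepted, while the unpatched RCE, which has no control at all, ends up at the top of the list and is flagged for avoidance until it is fixed.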