Description of the IT systems security audit service
Audit is a technique for investigating the functionality and compliance of a complex process, project / product, or organization, based on a system of criteria / benchmarks, that allows the auditor to issue an independent and qualified opinion and make recommendations on the functionality and / or compliance of the processes studied.
Information security auditors analyze IT&C processes and the technologies involved in their development to outline IT systems with reference to ISACA auditing standards and best practices in information systems auditing, in accordance with the provisions of L362 / 2018. The InfoSec (information security) audit is defined as the multitude of audit tests performed by the auditor on an ICT system or components and aimed at identifying the compliance of the measures implemented with:
- legal regulations in force in the field of activity
- international standards in the field of information security
- InfoSec best practices
The audit will take into account the physical, logical, procedural, personnel security rules as well as the requirements for compliance with:
- L362 / 2018 on ensuring a high common level of security of computer networks and systems
- L365 / 07.06.2002 on electronic commerce
- GD 1308/2002 for the approval of the methodological norms for the application of L365 / 2002
- ISACA auditing standards and guidelines
- controls defined by the SR ISO / IEC 27001 standard
- risk assessment in accordance with ISO / IEC 27005, ISO 31000 and IEC 31010
- the requirements and technical specifications (procurement data sheet) of the various projects
- L333 / 2003 and GD 301 / 2012 regarding the protection of objectives, goods, values and protection of persons
The main objective of the audit activity is to increase the security level of the IT&C network to ensure the development of the organization's processes in conditions of availability, confidentiality and integrity of data and IT services.
How the service is delivered
In order to create an objective opinion and a comprehensive audit report, the audit team will perform the following activities:
- Establishing an audit program - defining audit objectives and methods and agreeing with the client on an audit schedule.
- Analysis of the internal and external context of the organization - gathering relevant information about the client and the IT&C system for use in the next stages. This information includes: system details, internal organization details, work rules and procedures, IT organization details, technologies and systems used, systems operation, specific processes, personnel, and any other relevant documents.
- Identifying specific risks, threats and vulnerabilities. Quantitative and qualitative risk assessment.
- Preparation of the list of risk control mechanisms to be implemented or updated / improved - the audit team undertakes the evaluations and tests provided in the audit program, in order to verify the achievement of the established control objectives.
- Reporting - preparation of the audit opinion and the audit report documenting the operations and tests performed, as well as the results obtained, the conciliation meeting and the signing of the report.
The audit activities are performed by a team with extensive experience in implementation and auditing projects in the country and abroad, with nationally and internationally recognized training and accreditation.
Before the start of the activities, a Confidentiality Agreement must be signed.