Audit, compliance assessment, certification
Verifying the level of protection of information assets is one of the most important risk and information security management tasks of a company. At the same time, an “outside perspective” proves the most valuable to an information security system: analysis by experienced and independent experts who can point out critical vulnerabilities and deficiencies in the business organisation and in the existing information protection, and identify inconsistencies with current legal regulations.
An inspection can be performed in various forms and with various methods:
- Certification for compliance with regulatory requirements for information security (protection of state information systems, secure processing of personal data, security of PCS);
- Assessment of compliance with the requirements of Provision of the Bank of Russia No. 382-P and the Standard of the Bank of Russia STO BR IBBS-1.0;
- Audit of the information security management system for compliance with ISO/IEC 27001 (GOST R ISO/IEC 27001);
- Inspection of the technical protection of a computer network (NIST standards, vulnerability catalogues, recommendations of equipment and software manufacturers);
- Audit based on an expert assessment of information security risks, taking into account the relevant threats and the potential damage they could cause;
- Integrated audit that covers compliance in several fields of information protection at once.
Work in this field consists of the following steps:
1. Preparation, including clarification of the scope and criteria of the inspection and planning of the subsequent work.
2. Collection of data indicating compliance or non-compliance with the established criteria.
3. Preparation of reporting documents, including a description of the work performed, findings, and recommendations for raising the level of information security.