The role of security in organisations is growing increasingly important. The impact and likelihood of suffering a security incident should be minimised as far as possible. This is why many organisations are opting for proactive protection, by including audits in their security roadmaps.
This type of process can objectively identify security vulnerabilities and gaps. These vulnerabilities are linked to threat vectors that may compromise Information Security, such as people, processes, services, information, technology, facilities, and suppliers.
In my opinion, we can classify the different types of security audit into three main blocks based on the subject of the audit and the techniques used. These blocks are:
- Information Security best practice audits
- Information Security legal and regulatory compliance audits
- Ethical Hacking audits
In this article we will look at each of these types of audit, defining how and under what criteria they are performed. We will also identify the type of expert involved in each one and, finally, we will analyse how they can help enhance security in organisations.
Information Security best practice audits
Firstly, we’ll discuss Information Security best practice audits.
When performing this type of audit, benchmarks or frameworks (either national or international) are commonly used. We compare the current status of our organisation against the security controls defined in the benchmark. Typically, these frameworks cover every aspect that may compromise an organisation’s assets.
Some of the most well-known reference frameworks in this field are:
- International Organization for Standardization (ISO 27000)
- National Institute of Standards and Technology (NIST)
- National Security Framework (ENS)
Frequently, organisations that have significant numbers of security requirements regarding their business processes define their own reference frameworks in line with the organisation’s needs. This comprehensive approach aims to provide a single, centralised view that prevents reworks.
This type of audit is generally performed by IT professionals who are specialists in Information Security and familiar with the reference frameworks of the audit.
Legal and regulatory compliance audits
One of the aspects to be considered in this type of audit is the effect of legal and regulatory obligations on Information Security in the organisation. That is why the second type of audit we will look at is the legal and regulatory compliance audit.
This type of audit assesses compliance with security laws and regulations. Some of the most important are listed below:
- Organic Law on Data Protection (LOPD)
- General Data Protection Regulation (GDPR)
- Law on Information Society Services (LSSICE)
- Intellectual Property Law (LPI)
- Critical Infrastructure Protection Law (PIC)
- Prevention of Occupational Hazards Law (LPRL)
- National Security Framework (ENS)
This type of audit is performed from a legal standpoint focusing on Information Security. That is why it requires a multidisciplinary team of specialist security lawyers and IT auditors that hold extensive knowledge of the applicable laws and regulations in this field.
Another critical area of a best practice audit is the protection of an organisation’s technological infrastructure, which must be audited separately, from a more technical angle. That is why, thirdly and finally, we will discuss Ethical Hacking.
This type of audit realistically simulates the actions of cyberattackers using technical tools and resources to test the robustness of technological infrastructure and, specifically, information systems.
In Ethical Hacking audits we can distinguish between vulnerability audits, penetration tests, and Red Team testing. Each of these types of audit has specific features and restrictions, such as scope and the type of technical resources to be used. In every case, however, the aim of these tests is to find security vulnerabilities or gaps in the organisation’s technological infrastructure.
This type of audit uses methods and standards to ensure effective results. Some of the most widely used are the Open Source Security Testing Methodology Manual (OSSTMM), Center for Internet Security (CIS) benchmarks, the Open Web Application Security Project (OWASP) guides, and MITRE ATT&CK.
This type of audit is generally performed by IT professionals who are specialists in cybersecurity. They have extensive technical expertise and in-depth knowledge of programming and information security.
As we have seen in this post, we can differentiate between three main blocks of security audit which are performed by experts with different skillsets.
On the one hand, best practice audits are aimed at risk management and help us assess the threat exposure of an organisation to provide an overall view of the status of its Information Security. On the other hand, legal and regulatory compliance audits assess the organisation’s culture of compliance with the ultimate aim of avoiding fines. Lastly, Ethical Hacking audits aim to test the resilience and protection of the organisation’s technological security infrastructure.
Each of these types of audit helps provide indicators that enhance the security maturity of the organisation as part of the process of continuously improving Information Security Governance.