Contribute to audit, compliance and assurance activities
TECHIS60731

This standard covers the competencies required for assisting with auditing information systems security robustness. This includes checking for and verifying compliance with security policies and standards as well as external legal and regulatory requirements; verifying that information systems meet the security criteria, including policy, standards and procedures; and undertaking security compliance audits in accordance with an appropriate methodology.

Performance Criteria
1. record assets in an asset management and tracking system in line with organisational standards
2. conduct a range of information security audit activities accurately and in a timely manner, under the direction of others
3. assist verification of on-going conformance to security policies and requirements in line with organisational standards
4. verify compliance with security policies in line with organisational standards
5. accurately gather and collate the findings from security audit activities, assisting seniors with the identification and prioritisation of issues and risks arising
6. clearly and objectively report the results and findings from audit activities to supervisors; work with senior auditors to perform audits in line with organisational standards
7. assist with the review and communication of the audit results and findings with accountable owners and other stakeholders
8. assist others with the action planning resulting from any particular information security audit

Knowledge and Understanding
1. what is meant by information security audit
2. the benefits and requirements of conducting information security audits
3. the approach to be taken during any particular information security audit and/or review, including the importance of operating with integrity, objectivity, confidentiality and competency
4. the common audit methodologies in use and how to apply these
5. the organisational policies, processes, and standards together with legislation and regulatory requirements that exist for information security audit
6. who are the individuals who need to be communicated with as part of any particular information security audit and/or review
7. which processes and documents need to be assessed as part of an information security review for any particular IT/technology system or solution
8. the fact that information security audits may be required as part of the regulatory and legal governance framework of the organisation
9. how to correctly use the most appropriate processes, procedures, methods, tools and techniques to conduct information security audit and review activities
10. how to accurately identify and prioritise issues and risks arising from information security audits
11. the importance of information security audits in maintaining appropriate levels of compliance to internal and/or external standards
12. the importance of information security reviews in ensuring that compliance to internal and/or external standards is built into information systems and solutions
13. the fact that external conditions and threats to information security are changing constantly
14. the importance of ensuring that audit processes, procedures and approaches are maintained in line with emerging information security threats
15. the role of information security audits within the wider framework of information risk management
16. the value of information security audits in the detection of threats to information systems and information assets and the prevention of their impact on the organisation
17. the fact that information security audits may be required as part of the regulatory and legal governance framework of the organisation

Carry out audit, compliance and assurance activities
TECHIS60741

This standard covers the competencies required for conducting information security audits and assurance activities. This includes verifying that information systems and processes meet the security criteria (requirements or policy, standards and procedures), and conducting compliance monitoring and security controls testing.

Performance Criteria
1. define and implement processes to verify on-going conformance to security and/or regulatory requirements in line with organisational requirements
2. perform security compliance checks using a specified methodology and in line with organisational standards
3. plan and schedule information security audits and reviews in line with organisational standards
4. conduct information security audits to assess security compliance within the organisation's networked information system environment under supervision
5. implement and follow organisational policies, processes, and standards that exist for information security audit
6. objectively review the findings from information security audit activities, identifying and prioritising issues and risks arising
7. clearly and objectively report the results and findings from information security audit activities to seniors
8. clearly record, report and communicate the results and findings from information security audits with accountable owners
9. develop clear and accurate action plans resulting from any particular information security audit

Knowledge and Understanding
1. how the internal and/or external information security controls should be built into any information system or solution
2. the internal and/or external standards against which an information security audit is assessing compliance
3. the range of vulnerabilities that are being audited within any particular information security audit
4. the range of risks that have been identified for a particular information system or solution
5. the professional certifications that can or must be achieved in the security audit discipline for the business
6. the importance of scheduling regular information security audits
7. the importance of ensuring that information security audits and reviews are clearly scoped
8. the internal and external factors that may impact upon the effectiveness of information security audits and reviews
9. the fact that information security audits need to consider not only the effectiveness of controls against identified risks but also other threats that may not have been assessed
10. the fact that information security reviews consider the effectiveness of the current security status and make recommendations to allow for evolving internal and external drivers, to ensure 'fit-for-purpose'

Manage audit, compliance and assurance activities
TECHIS60751

This standard covers the competencies concerned with managing information security audit activities, including managing resources, activities and deliverables. This includes checking for and verifying compliance with security policies and standards as well as external legal and regulatory requirements; planning, conducting and reporting on comprehensive security audit approaches; and designing and implementing organisational policies, standards and processes.

Performance Criteria
1. be fully accountable for undertaking complex, accurate information security audits on all types of information systems
2. develop, implement and maintain audit plans, processes, procedures, methods, tools and techniques for information security activities and their deliverables
3. lead and manage an audit team to execute technical audit projects in line with organisational requirements
4. evaluate the effectiveness of information security governance, tools and operations
5. evaluate the design, effectiveness and efficiency of information technology and security processes, procedures, and technical controls in line with organisational standards
6. use the results from risk and vulnerability assessments to inform audit activities
7. implement organisational logging and documentation standards to comply with audit requirements
8. clearly and accurately define the scope of information security audit activities
9. advise and guide others on all aspects of information security audit activities and their deliverables
10. clearly and effectively communicate information security audit results to a wide range of sponsors, stakeholders and other individuals

Knowledge and Understanding
1. what are the available methods, tools and techniques used to conduct information security audit activities
2. how to use and apply information and data from risk, threat and vulnerability assessments in information security audit activities
3. how to set the levels of resources allocated to information security audit activities and prioritise their work
4. how to conduct peer reviews of information security audit policies and procedures
5. the range of information security audit methodologies that may be used, in terms of usability, flexibility, and the outputs they produce
6. how to analyse, document and present security audit outcomes
7. the importance of monitoring the quality and effectiveness of information security audit activities
8. how to identify and implement improvements to information security audit processes and procedures
9. the need to ensure that information security audits are undertaken professionally
10. the relevance of existing and new methods, tools and techniques used to support information security audit activities