Security Audits
“Finding a partner that we could work with and share a mutually beneficial relationship was important to us. Sapphire’s consultants went the extra mile to understand our business. They worked with us, rather than for us and offered advice and guidance throughout the process.”
Tony Smith, IS Security Coordinator, Northumbrian Water
Sapphire's Information security consultants have a wealth of audit experience in the areas of gap analysis, internal audit, ISO 27001 system compliance audits and a range of specific security audits across business units within an organisation against the international standard for best practice information security ISO 27002 (formally ISO/IEC 17799:2005).
The Sapphire consultants have a range of audit skills and experience in the field of information governance compliance in the areas of CISM, CISA, and ITIL and indeed have qualified lead auditors to ISO 27001 who sit on the International Register of Certificated Auditors (IRCA).
Further specialised types of audit services that Sapphire offers are detailed below:
- General Security Audit
- Financial Sector Audit
- Internal Audit
- Full System Mock Compliance Review
- Pandemic Flu Gap Analysis
General Security Audit
Sapphire offers a detailed security audit service for organisations that are not necessarily claiming compliance to ISO 27001 at the moment or indeed do not currently have the intention of moving in line with ISO 27001 in the near future but require a general security based audit.
This audit service is provided in order to highlight possible areas for improvement i.e. in order to detect any significant areas of weakness in an organisation which should be considered as a matter of urgency.
This audit is very flexible as it can be tailored specifically to areas of the organisation that are of the most concern at the time i.e. rather than an organisation paying for a full system audit it enables the client to choose which of the sections for best practice security they require a review of and pay only for an audit to be conducted in those areas, (listed below).
- Security Policy
- Organising Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
A full report is produced alongside the completed audit questionnaire detailing the main areas of concern borne out of the review with specific advice and suggestions for the improvement of security within the organisation.
Financial Sector Audit
Sapphire has developed a financial sector audit questionnaire based on best practice security requirements for large financial houses. This audit can be specifically tailored for large or small finance bodies and again like the security audit above can be targeted at the areas of the financial institution that are of the most concern at the time.
This audit covers the following areas:
- Asset classification
- Business continuity management
- Compliance
- Computer and Network Management
- Information Security
- Organisation and management
- Personnel Security
- Physical and Environmental
- System Access
- System development
A full report is produced alongside the completed audit questionnaire detailing the main areas of concern borne out of the review with specific advice and suggestions for the improvement of security within the organisation.
Internal Audit
A requirement of ISO 27001 is internal audit of the information security management system in order to claim formal compliance or indeed to achieve certification. Internal audit training is provided as a matter of course within the ISO 27001 consultancy services however Sapphire can also carry out the internal audit function for the organisation once the management system is in place.
The internal audit function must cover all aspects of the management system within a three yearly cycle so the system has received a full review before the tri-annual re-certification audit by the external certification body (BSI, BVQI, SGS etc).
Internal audit can cover process, legal compliance, the auditing of policy and procedure and departmental audits, all forms are acceptable for compliance purposes as long as the management system receives a full review before an external re-certification audit.
Full System Mock Compliance Review
Once an organisation has implemented an information security management system a continual cycle of improvement within the organisation is key to maintaining compliance as part of the PLAN-DO-CHECK-ACT to improve process of ISO 27001.
Should an organisation gain certification to the standard Sapphire can provide a system-wide consultancy compliance review to highlight any non conformities within the system which require the implementation of corrective and preventative measures before the certification body returns for the external review.
This audit is a safety net which gives an organisation further confidence and identifies problems which can be rectified before they are raised at the audit that really matters. Examples of some of the forms and documentation including the areas of the review are detailed below.
A full mock compliance audit report is completed once the review has taken place covering the following areas:
- ISMS Effectiveness
- Metrics
- Continual Improvement
- IS Audit Arrangements
- Operational Improvements
- HR Issues
The duration of the full system review will vary depending upon the size of the scope of the organisations information security management system.
Pandemic Flu Gap Analysis
With the outbreak of Swine Flu in April 2009 and the risk of a stronger strain and a higher impact pandemic in 2010, organisations are being forced to review their existing resilience plans; appoint deputies for key roles and implement new remote working strategies. Most organisations realise that disruption to critical services e.g. no access to email or the Internet can damage its ability to operate and undermine its reputation.
Business continuity management controls specifically written with regard to a flu pandemic outbreak ensure that your organisation’s processes are protected from disruption and that your workforce is able to respond positively and effectively should an incident occur.
If you are currently unsure as to what impact a flu pandemic would have on your organisation, the following questions need to be considered:
- Has your organisation documented who its key personnel are for each department?
- What are your critical services?
- If key members of staff were off for a long period of time does your organisation know what impact this would have on your organisation’s critical service provision?
- What current alternative business continuity arrangements are in place should key personnel go off on long term sick?
- Who are your organisations key 3rd party service delivery providers?
- What would happen if these service providers halted operations or slowed service provision because they are affected by the pandemic?
- What are their current business continuity arrangements with regard to flu pandemic, if any?
- Do you have alternative arrangements should 3rd party service providers be affected?
- What current home working or remote working provisions does your organisation have in place?
- Which groups of staff would be able to work remotely and if they did what effect on business continuity would this have?
If your organisation cannot definitively answer these questions then Sapphire can provide a one day gap analysis geared specifically to the threat of a pandemic outbreak.
Upon completion a current state report will be produced which will provide your organisation with the key tasks in order to improve business continuity resilience to the H1N1 influenza strain.
Back to top
- Support 0845 58 27999
- General 0845 58 27001
- Request a Call / Quote
