The term “audit” can trigger shivers down the spine of the most battle-hardened manager. Financial audits are the most common examinations a business manager encounters. This is a familiar area for most executives: they know that financial auditors are going to examine the financial records and how those records are used. However, they are unlikely to be acquainted with information security audits; that is, an audit of how the confidentiality, availability and integrity of an organization’s information are assured. They should be. An information security audit is one of the best ways to determine the security of an organization’s information without incurring the cost and other associated damage of a security incident.
Technology changes much more rapidly than business policies and must be reviewed more often. Software vulnerabilities are discovered daily. A yearly security assessment by an objective third party is necessary to ensure that security guidelines are followed.
Security audits aren’t a one-shot deal. Don’t wait until a successful attack forces your company to hire an auditor. Annual audits establish a security baseline against which you can measure progress and evaluate the auditor’s professional advice. Even if you use different auditors every year, the level of risk discovered should be consistent or even decline over time. Unless there’s been a dramatic overhaul of your infrastructure, the sudden appearance of critical security exposures after years of good reports casts a deep shadow of doubt over previous audits.