Identifying All Documented IT Security Policies, Standards, Procedures, and Guidelines

The organizational security policy framework is the foundation for the management of information security. This foundation provides internal direction and support, and it also provides direction for assessments and audits. The quality of the entire information security program depends on the policies in place. Fortunately, policies can be one of the least expensive controls. Unfortunately, they are often the most difficult to implement effectively. In fact, the first control objective within the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27002 standard states that management should set a clear policy direction by implementing and reviewing the security policy document. The policies serve as reference documents for auditors and as the statement of management intent throughout the organization. As a result, the policy framework, which also includes standards, procedures, and guidelines, will help guide both the organization and its audits.

Although frameworks such as ISO/IEC 27002 provide guidance for policy development, the scope and maturity of policies vary widely across organizations. It is not uncommon to find companies that lack any type of policy framework at all. Only slightly better are organizations that have a basic or boilerplate policy in place. In these situations, audit and compliance groups are valuable resources to help review the proposed policies, making sure they are realistic, in line with business objectives, and enforceable.

During the audit preparation, the governing policy document should have already been reviewed. During the course of the audit, however, this policy will help identify the standards, procedures, and guidelines needed to effectively understand and assess the IT environment. Although explicit audits against the documented policies and supporting documents are common, the existence and extent of such documentation should always be considered regardless of the type of audit. In other words, the auditor should always identify and evaluate policies, standards, and procedures. Even though ISO/IEC 27002 has a control objective dedicated to security policies, it references individual policies, standards, and procedures throughout all the other controls as well.

The IT infrastructure audit requires the auditor to rely heavily on the documented policy framework. Doing so helps identify gaps and opportunities for improvement in the policy, and it fulfills the auditor's responsibility to evaluate whether controls are adequate. Ultimately, the goal is to gain assurance around the strategic view and use of IT controls. Realizing this goal is built on the security policy framework.
