Authorities are always involved and in contact in case of any breach
A.6.1.7
Contact with special interest groups
No
We do not have any special interest group
ISO 27001 2013
Audit Report
Information Security Management - Audit Check list
Reference
Audit Area, Objective and Question
Results
Security Policy
| Checklist | Standard | Section | Findings | Compliance |
|---|---|---|---|---|
| 1 | A.5.1.1 | Information Security Policy: Information Security Policy Document | Information security policy not in place | NC |
Asset classification and control
| Checklist | Standard | Section | Findings | Compliance |
|---|---|---|---|---|
| 2 | A.7.1.1 | Accountability of assets: Inventory of Assets | The maintenance of the asset inventory records is questionable: there is some lack of accountability for the assets because the records of asset ownership are mismanaged | PNC |
Physical and Environmental Security
| Checklist | Standard | Section | Findings | Compliance |
|---|---|---|---|---|
| 3 | A.9.1 | Secure Area | | |
| | A.9.1.2 | Physical Security Perimeter | Physical border security present with maintenance of logs | C |
| | A.9.1.3 | Securing Offices, rooms and facilities | Present: the rooms are kept locked under tight security, with access managed by biometrics | C |
| | | | The servers have notable redundancy and are also replicated on the top floor in case of any disaster | C |
| | | | The server room has no CCTV cameras, so the IT department is unable to monitor access to the room | NC |
| | A.9.1.5 | Working in Secure Areas | A third-party company provides security services | C |
Date:
Audit conducted against:
Name of Auditor:
Organisational Unit being audited:
Management Summary
Findings from IT security Audit
List of Non-compliance
A.5.1.1 Information Security Policy - there is presently no information security policy for protecting the vital data
A.9.1.3 Securing Offices, rooms and facilities - the lack of CCTV cameras in the server room leaves the devices vulnerable to attack by malicious persons, as the room is hardly monitored
List of Potential Non-Compliance
A.7.1.1 Inventory of Assets - the maintenance of the asset inventory records is questionable: there is some lack of accountability for the assets because the records of asset ownership are mismanaged
Recommendations and Corrective Actions
A.7.1.1 Asset ownership needs to be documented within the firm (Proposed preventive action date: )
Proposed recommendations and corrective actions
The company needs to create Information Security documentation that puts in place appropriate policies and procedures for preventing potential breaches of its security (Proposed Corrective Action Date: )
The company needs to document its assets so that ownership is clear and known, ensuring accountability by the staff
Access to user accounts needs to be managed by the IT department, with users issued key cards and biometrics required for access to some of the crucial administrative accounts and sensitive areas in the company, to prevent potential administrative account compromises
Security awareness among the staff needs to be improved to prevent potential breaches due to staff negligence