ISACA CISA

Roles and responsibilities of information security auditor

December 11, 2018 by Graeme Messina

Most people break out into a cold sweat at the thought of conducting an audit, and for good reason. Auditing the information systems of an organization requires attention to detail and thoroughness on a scale that most people cannot appreciate. There are system checks, log audits, security procedure checks and much more that need to be checked, verified and reported on, creating a lot of work for the system auditor. Becoming an information security auditor is normally the culmination of years of experience in IT administration and certification.

It is for this reason that there are specialized certifications to help get you into this line of work, combining IT knowledge with systematic auditing skills. We will go through the key roles and responsibilities that an information security auditor will need in order to do the important work of conducting a system and security audit at an organization. Not all audits are the same, as companies differ from industry to industry and in terms of their auditing requirements, depending on the state and the legislation that they must abide by and conform to.

This article will help to shed some light on what an information security auditor has to do on a daily basis, as well as what specific audits might require of an auditor.

Basic duties list

Information security audits are conducted so that vulnerabilities and flaws within the internal systems of an organization are found, documented, tested and resolved. The findings from such audits are vital both for resolving the issues and for discovering what the potential security implications could be. Security breaches such as data theft, unauthorized access to company resources and malware infections all have the potential to affect a business's ability to operate and could be fatal for the organization.

In order to discover these potential security flaws, an information security auditor must be able to work as part of a team and conduct solo operations where needed. Determining the overall health and integrity of a corporate network is the main objective in such an audit, so IT knowledge is essential if the infrastructure is to be tested and audited properly. Issues such as security policies may also be scrutinized by an information security auditor so that risk is properly determined and mitigated.

Information security auditors are not limited to hardware and software in their auditing scope. In fact, they may be called on to audit the organization's employees as well. Members of staff may be interviewed if there are questions that only an end user could answer, such as how they access certain resources on the network. Members of the IT department, managers, executives and even company owners are also important people to speak to during the course of an audit, depending on what security risks are facing the organization.

Roles and responsibilities on the job

Information security auditors are usually highly qualified individuals who are professional and efficient at their jobs. They give credibility to a company's compliance audits by following best-practice recommendations and by holding the relevant qualifications in information security, such as the Certified Information Security Auditor (CISA) certification.

They must be competent with regard to standards, practices and organizational processes so that they are able to understand the business requirements of the organization. This helps them to rationalize why certain procedures and processes are structured the way they are and leads to a greater understanding of the business's operational requirements.

Auditing a business means that most aspects of the corporate network need to be looked at in a methodical and systematic manner so that the audit and reports are coherent and logical. Auditors need to back up their approach by rationalizing their decisions against the recommended standards and practices.

This means that any deviations from standards and practices need to be noted and explained. The planning phase normally outlines the approaches that an auditor will take during the course of the investigation, so any changes to this plan should be minimal.

Additional job requirements

The role of security auditor has many different facets that need to be mastered by the candidate — so many, in fact, that it is difficult to encapsulate all of them in a single article. However, we’ll lay out all of the essential job functions that are required in an average information security audit. First things first: planning.

The planning phase of an audit is essential if you are going to get to the root of the security issues that might be plaguing the business. You will be required to clearly show what the objectives of the audit are, what the scope will be and what the expected outcomes will be.

You will need to execute the plan in all areas of the business where it is needed and take the lead when required. You’ll be expected to inspect and investigate the financial systems of the organization, as well as the networks and internal procedures of the company. All of these systems need to be audited and evaluated for security, efficiency and compliance in terms of best practice. All of these findings need to be documented and added to the final audit report.

Strong communication skills are something else you need to consider if you are planning on following the audit career path. Looking at systems is only part of the equation: the main component, and often the weakest link in the security chain, is the people who use them. This means that you will need to interview employees and find out what systems they use and how they use them. By conducting these interviews, auditors are able to assess and establish the human-related security risks that may exist in the organization.

After the audit report has been completed, you will still need to interact with the people in the organization, particularly with management and the executives of the company. This means that you will need to be comfortable with speaking to groups of people. You will need to explain all of the major security issues that have been detected in the audit, as well as the remediation measures that need to be put in place to mitigate the flaws in the system.

Something else to consider is the fact that being an in-demand information security auditor will require extensive travel, as you will be required to conduct audits across multiple sites in different regions. The amount of travel and the responsibilities that fall on your shoulders will vary, depending on your seniority and experience.

Conclusion

The roles and responsibilities of an information security auditor are quite extensive, even at a mid-level position. This is by no means a bad thing, however, as it gives you plenty of exciting challenges to take on while implementing all of the knowledge and concepts that you have learned along the way.

Auditing is generally a massive administrative task, but in information security there are technical skills that need to be employed as well. With the right experience and certification, you too can find your way into this challenging and detailed line of work, where you can combine your technical abilities with attention to detail to make yourself an effective information security auditor.

Graeme Messina

Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.