Security audit is essentially an assessment of how effectively the organization's security policy is being implemented. This assumes that the organization has a security policy in place which, unfortunately, is not always the case. Even today, it is possible to find a number of organizations where a written security policy does not exist. Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them. When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Furthermore, until all employees have read and signed off on the security policy, compliance of the policy cannot be enforced. Written security policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company data/ Assets and agrees to fulfill their obligations in order to do so.
The security audit should seek to measure security policy compliance and recommend solutions to deficiencies in compliance. The policy should also be subject to scrutiny:


»Is it a living document, accurately reflecting how the organization protects its assets on a daily basis?


»Does the policy reflect industry standards for the type of resources in use throughout the organization?


Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security Pre-Audit In addition to reviewing the results of any previous audits that may have been conducted, there may be several tools they will use or refer to before. 
The first is a site survey. This information can provide a general framework. Security questionnaires may be used as to follow up the site survey. These questionnaires are, by nature, subjective measurements, but they are useful because they provide a framework of agreed-upon security practices. These controls include: management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning.
Site surveys and security questionnaires should be clearly written with quantifiable responses of specific requirements. They should offer a numerical scale from least desired (does not meet requirements) to most desired (meets requirements and has supporting documentation). Both should include electronic commerce considerations if appropriate to the client organization. For instance, credit card companies have compliance templates listing specific security considerations for their products. These measure network, operating system, and application security as well as physical security.
We would review previous security incidents at the client organization to gain an idea of historical weak points in the organization's security profile. It should also examine current conditions to ensure that repeat incidents cannot occur.

Our team will work with you to have the scope of the audit clearly defined, understood and agreed to by the client. Factors to consider would include:

»Current security systems

»Physical security set-up

»Electronic Surveillance systems

»Visitor Management Systems

»Material management

    »the site business plan,

    »the type of material/ data being protected and its value/importance to the client organization,

    »previous security incidents,

»Thefts reported



    the time available to complete the audit

The audit plan will be developed based on the above points. This plan will cover how will audit be executed, with which personnel, and using what tools. The same is discussed with site personnel along with some of the logistical details, such as the time of the audit, which site staff may be involved and how the audit will affect daily operations. Next, the auditors should ensure audit objectives are understood.