ISO 17799 Audit Checklist
This 7799 checklist can be used to audit an organisation's information
security posture. This checklist does not provide vendor specific
security considerations. Instead it provides a generic checklist
of security considerations. It is 47 pages long. Definitely worth
IS Standards, Guidelines and Procedures for Auditing and Control
IS Auditing Standards are mandatory requirements for certification
holders' reports on the audit and its findings. IS Auditing
Guidelines and Procedures are detailed guidance on how to follow
those standards. The IS Auditing Guidelines are guidance an IS
auditor will normally follow with the understanding that there
may be situations where the auditor will not follow that guidance.
In this case, it will be the IS auditor's responsibility to justify
the way in which the work is done. The procedure examples show
the steps performed by an IS auditor and are more informative
than IS Auditing Guidelines. The examples are constructed to follow
the IS Auditing Standards and the IS Auditing Guidelines and provide
information on following the IS Auditing Standards. To some extent,
they also establish best practices for procedures to be followed.
Templates - AuditNet
The AuditNet templates section contains hundreds of submissions.
The concept of AuditNet is a central electronic resource for the
audit community that provides a communication link for auditors
worldwide. It also provides a network of resources.
NSA INFOSEC Assessment Methodology (IAM)
The IAM consists of a standard set of activities required to perform an INFOSEC assessment. In other
words, the methodology explains the depth and breadth of the assessment activities that must be performed
to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be
considered a complete INFOSEC Assessment.
Information System Security Assessment Framework (ISSAF)
The ISSAF is a peer-reviewed, structured framework that categorizes
information system security assessment into various domains and
details specific evaluation or testing criteria for each of these
domains. It aims to provide field inputs on security assessment
that reflect real life scenarios. ISSAF should primarily be used
to fulfill an organization's security assessment requirements
and may additionally be used as a reference for meeting other
information security needs. ISSAF also covers the crucial facet of
security processes, and their assessment and hardening, to give
a complete picture of the vulnerabilities that might exist.
OSSTMM - Open Source Security Testing Methodology Manual by Pete Herzog
The Open Source Security Testing Methodology Manual (OSSTMM) is an open standard methodology for
performing security tests. When you use an internal testing methodology, you leverage the brain trust
of a handful of security experts. The OSSTMM is powerful because it provides the collective best
practices, legal, and ethical concerns of the global security testing community.
IT Examination Handbook - FFIEC
Financial institutions protect their information by instituting
a security process that identifies risks, forms a strategy to
manage the risks, implements the strategy, tests the implementation,
and monitors the environment to control the risks. Examiners may
use this booklet when evaluating the financial institution’s
risk management process, including the duties, obligations, and
responsibilities of the service provider for information security
and the oversight exercised by the financial institution.
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment - IIA (44 pages)
This guide focuses on assisting Chief Audit Executives in identifying what must be done to make effective use of
technology in support of continuous auditing, and highlights areas that require further attention. It
provides continuous audit guidance that will benefit the organization by significantly reducing instances
of error and fraud, increasing operational efficiency, and improving bottom-line results through a
combination of cost savings and a reduction in overpayments and revenue leakage.
Technology Assessment - Cybersecurity for Critical Infrastructure
The GAO conducted this technology assessment on the use of cybersecurity
technologies for CIP in response to a request from congressional
committees. This assessment addresses the following questions:
(1) What are the key cybersecurity requirements in each of the
CIP sectors? (2) What cybersecurity technologies can be applied
to CIP? (3) What are the implementation issues associated with
using cybersecurity technologies for CIP, including policy issues
such as privacy and information sharing?