Internal Audit Training, IT Audit Training Courses, Information Security Training - CPE Interactive

Continuing Professional Education for Audit, Assurance, & Info Security


Course Description

A good percentage of internal and external IT auditors' scope relates to information security. The assurance function must either place reliance on the management of the information security function or perform extensive substantive procedures to satisfy compliance requirements. Where reliance is placed, the auditor must depend on the assertions and records of the information security management function, so a mature information security function translates into reduced fieldwork. The internal auditor is also responsible for evaluating the effectiveness and efficiency of the information security function as part of their audit universe. ISO 31000 is the new standard (2009) for managing and assessing risk. But what is the risk associated with IT security management itself?

An inadequate level of skill or competence in IT security management can lead to serious negative consequences for the enterprise, including:

  • Inability to comply with statutes and regulations, such as Sarbanes-Oxley, HIPAA, FISMA, PCI-DSS, GLBA, Basel II, and the requirements of governmental entities
  • Lack of preparedness for security incidents and/or inability to execute a timely recovery
  • Higher audit and insurance costs

Learning Objectives:

  • Identify objectives for evaluating IT security management
  • Describe expected levels of assurance in IT security management
  • Identify a standard approach for assessing technical and management competence
  • Define a method for rapidly assessing the demonstrated level of proactive risk management
  • Know common problems and how to detect them
  • Identify ten common warning signs of potential problems
  • Establish quantifiable metrics for evaluating IT security management
  • Learn a pragmatic approach to documenting the evaluation and providing clear concise reports to senior management

Bonus: You will receive the ISACA Information Security Management Audit/Assurance Program Using COBIT 4.1

Course Outline

Organizational Security

  • IT security governance
  • Governance frameworks: CobiT, ISO 27002, NIST, ITIL
  • Risk management frameworks: ISO 27005 and 31000, CobiT, ITIL
  • Roles and responsibilities in various sizes of enterprise

Best-in-Class IT Security Management

  • Skillsets and experience
  • Management structure
  • Integration of IT security management with business units and business management
  • Risk management deployment
  • Metrics
  • Maturity levels using the Capability Maturity Model (CMM)

Objectives and Scope of an IT Security Management Assessment

  • How to satisfy the stakeholders
  • Addressing assurance needs
  • Avoiding scope creep
  • Providing value

Evaluation Approach

  • Choosing a framework
  • Defining deliverables
  • Building the work program

Metrics for Measuring Risk Associated with IT Security Management’s Performance

  • Maturity models
  • SLAs
  • SWOT analysis

Reporting Approaches for Maximum Impact with Senior Management and Stakeholders

  • Categorizing findings by control domains
  • Customizing reporting to audience
  • Delivering concise reports
  • Building scorecards

Additional Information

Who Should Attend

  • Internal Audit and IT Audit Managers and Directors
  • ISACA and IIA Chapters
  • Internal Audit departments seeking to establish a focused and responsive presence with their audit customers
  • Information Security professionals preparing for an audit of their operation
  • Risk managers evaluating their information security capabilities

Learning Level

Group-Live & Group Internet-Based

Advanced Preparation

Recommended Prerequisites

Basic understanding of information security frameworks and processes.

Session Duration

Online: Four 3-hour sessions

On Site: 2 Days

CPE Credits: 16