Today, every organisation needs to protect its information in whatever form it is held (Honan, 2009). Guttman and Roback (1995) assert that executives should view information security as an important management issue and seek to protect their information resources as they would any other valuable asset.
The ISO 27001 information security standard offers companies a risk-based approach to securing their information assets. ISO 27001 defines an ISMS, or Information Security Management System, as “a part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security” (Calder, 2009, p.4). Within this system, the development and implementation of audit processes to assess the security level of the organisation's information systems is a very significant aspect. The main objective of any audit is to establish the differences between what the standard specifies and what the organisation actually does. Also, as Honan points out, an audit “provides a means of being alerted to critical events as they happen, …[as well as] provides a historical view of what happened so that incidents can be investigated” (2009, p.253).
The security audit of the computing resources used by students in the computing laboratories on the first floor of the King William Building was conducted by the auditor of the AuditSec Company in response to a request from the School of Computing & Mathematical Sciences (CMS) at the University of Greenwich.
My overall audit objective was to test the effectiveness of selected information security policies in the CMS and to ensure that employees and students of the CMS operate in accordance with the specified procedures and requirements in meeting the organisation's goals in relation to information security.
As was specified in the audit request, the current audit did not have to cover all