Intermediate

Protection of Information Assets (ISACA)

This domain — Information Asset Security and Control — together with its companion domain, Security Event Management, accounts for 26% of the CISA examination, the single largest weightin...

Auditing the protection of information assets is grounded in understanding the principles of security and privacy: information asset security frameworks/standards/guidelines, privacy principles, and data classification. The purpose of data classification is to ensure that all data or information receives an appropriate level of protection.

Every standard has value because it provides a structure that a security program can be modeled on, and that auditors can review against. Auditing standards are also cross-recognized: a review performed against ISO 27001, for example, is generally accepted worldwide. However, every standard must be tailored to the organization — a military organization, a government agency, a not-for-profit, and a commercial enterprise are all different, so the standard must be implemented in a way suitable to that specific organizational context. The auditor's job is not to check whether the organization did things identically to every other organization, but whether the standard was implemented appropriately for that organization — and whether it is actually enforced (e.g., configurations are checked against minimum security baselines), not merely documented.

...

Sign in to read this course

A free account unlocks all 514 courses. 20 are readable without one.

What's inside

5 sections
  1. 1 Table of Contents
  2. 2 Module 1: Security and Privacy Principles
  3. 3 Module 2: Auditing Security Implementations
  4. 4 Module 3: Securing Information Technologies
  5. 5 Summary

More Governance, Risk & Compliance courses

View all 12

Interested in this course?

Contact us to book it or get a custom training plan for your team.