A security audit is a process that involves many components directly related to the information system: human,
organizational, technical, physical and environmental factors, and even the quality of those same factors, which makes
the audit process both complex and extensive. This has forced auditors to develop clear and comprehensive approaches that
cover the entire audit process. These approaches have been formalized as methodologies that define clear and effective
methods for the audit mission. The methodologies are generalized so that they provide a kind of standard on which auditors
can rely.
Computer security auditing methods are the basis of an effective security policy and, often, of actionable risk
management choices.
The methods owe their growing success to their flexibility: they can be applied to companies of all sizes
in any field of activity.
Several methodologies exist today for both private and public audits.
The oldest of these methods is MARION (Methodology of Risk Analysis by Computer Oriented Levels).
Developed by CLUSIF (the French information security club), it was mainly applied in the 1980s and 1990s.
The audited company completes a number of questionnaires that produce grades from 0 to 4
(a total of 27 indicators divided into 6 categories), evaluating its performance both against a standard
(the "satisfactory" level) and against other companies that have gone through the same audit procedure. There are
currently several audit methodologies, including:
1. Methodologies from public institutions
   EBIOS (Expression of Needs and Identification of Security Objectives)
   ITIL (IT Infrastructure Library)
   CRAMM
   FEROS (Sheet of Rational Expression of Security Objectives)
2. Methodologies from security associations
   MARION (Methodology of Risk Analysis by Computer Oriented Levels)
   MEHARI (Harmonized Method for Risk Analysis)
   COBIT (Control Objectives for Information and related Technology)
3. Methodologies from the Tuncert
   OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Assessment)
   OCTAVE-S (a reduced version of OCTAVE for companies with fewer than 100 people)
4. Methodologies from private companies
   CALLIO (commercial solution from Callio Technologies)
   SCORE (Ageris Consulting)
   COBRA (Consultative, Objective and Bi-functional Risk Analysis)
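To make the MARION-style scoring described above concrete, here is an added example (not code from the original page or from CLUSIF): 27 questionnaire grades in 0..4 are aggregated into 6 category scores, each compared against a "satisfactory" level and against peer companies. The category names, the split of indicators across categories, the satisfactory level of 3 and all sample grades are assumptions constructed for the example.

```python
from statistics import mean

SATISFACTORY = 3  # assumed "satisfactory" standard level (constructed)

# Hypothetical category names; the page does not list MARION's real ones.
CATEGORIES = ["organization", "physical", "logical", "operations",
              "development", "continuity"]
SIZES = [5, 5, 5, 4, 4, 4]  # assumed split of the 27 indicators (constructed)

def validate(grades):
    """Reject a questionnaire that is not exactly 27 integer grades in 0..4."""
    if len(grades) != 27:
        raise ValueError(f"expected 27 indicators, got {len(grades)}")
    bad = [g for g in grades if not (isinstance(g, int) and 0 <= g <= 4)]
    if bad:
        raise ValueError(f"grades outside 0..4: {bad}")
    return grades

def category_scores(grades):
    """Average the indicator grades of each category into one category score."""
    scores, pos = {}, 0
    for name, n in zip(CATEGORIES, SIZES):
        scores[name] = round(mean(grades[pos:pos + n]), 2)
        pos += n
    return scores

def assess(grades, peers):
    """Flag categories below the standard and measure the gap to the peer average."""
    scores = category_scores(validate(grades))
    report = {}
    for name, score in scores.items():
        peer_avg = mean(p[name] for p in peers)
        report[name] = {
            "score": score,
            "below_standard": score < SATISFACTORY,
            "gap_to_peers": round(score - peer_avg, 2),
        }
    return report

# Constructed sample data: one audited company and two previously audited peers.
AUDITED = [4, 3, 3, 2, 3, 1, 2, 1, 2, 1, 4, 4, 3, 3, 4,
           3, 2, 3, 3, 2, 2, 1, 2, 4, 3, 3, 3]
PEERS = [
    {"organization": 3.0, "physical": 2.5, "logical": 3.5,
     "operations": 3.0, "development": 2.0, "continuity": 2.5},
    {"organization": 2.0, "physical": 2.0, "logical": 3.0,
     "operations": 2.0, "development": 3.0, "continuity": 3.5},
]

if __name__ == "__main__":
    for cat, r in assess(AUDITED, PEERS).items():
        flag = "BELOW STANDARD" if r["below_standard"] else "ok"
        print(f"{cat:13s} {r['score']:.2f} {flag:15s} peers {r['gap_to_peers']:+.2f}")
```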