Description
Introduction
In the digital age, IT audits are essential for ensuring that an organisation's IT systems are reliable, secure, and compliant with regulations, while also aligning with strategic goals. These audits assess the effectiveness and security of IT infrastructure, operations, and policies, identifying vulnerabilities and inefficiencies to recommend improvements. This helps in protecting data, maintaining stakeholder trust, ensuring compliance with legal requirements, and supporting strategic objectives, thereby significantly contributing to the organisation's overall health and success.
Objectives
The objectives of this training program are to develop comprehensive skills for planning and conducting IT audits, including knowledge of various information security frameworks like ISO, DORA, NIST, ENISA and CISA. Participants will learn to assess and audit information security controls, risk management in IT, and compliance with regulations, as well as to develop remediation strategies and practical recommendations to enhance security postures. The methodology involves a blended learning approach, combining interactive lectures, case studies, group activities, practical exercises, and continuous learning support, aimed at providing an interactive and effective educational experience aligned with leading standards.
Programme
IT Audit and Information Security
IT audit: objectives, scope, and importance
Overview of information security frameworks, such as ISO, DORA, NIST, ENISA and CISA
Understanding IT controls and their role in achieving information security
Techniques for risk assessment and risk management in IT audits
ENISA Threat Landscape
Case studies: Analysis of IT audit scenarios based on ISO, DORA, NIST, ENISA and CISA frameworks.
Auditing IT Network Infrastructure
Conducting in-depth analyses of audit findings to identify specific risks and vulnerabilities within IT network environments
Developing and implementing targeted remediation strategies that adhere to best practices and standards from NIST, CISA, and other relevant frameworks, focusing on the specific challenges and requirements of network infrastructure
Performing compliance audits on network operations to ensure they meet essential regulatory and industry-specific standards, with continuous monitoring and improvement of security and operational practices
Information Security Audit Techniques and Data Management
Planning and scoping IT audits: objectives, scope, and criteria (example with COBIT)
Techniques for evaluating information security controls based on ISO, DORA, NIST, ENISA and CISA frameworks
Vulnerability assessment and penetration testing methodologies
Auditing cloud computing environments and mobile applications
Conducting thorough analyses of audit findings to identify specific risks and vulnerabilities in data management practices
Case studies: Participants will practice assessing information security controls using DORA, NIST, ENISA and CISA frameworks in simulated audit scenarios.
Auditing Machine Learning and AI Systems
Analysing audit findings to identify specific risks and vulnerabilities within machine learning and AI systems
Developing and implementing effective remediation strategies that adhere to best practices and standards from NIST, CISA, and other relevant frameworks, focusing on the particular needs of AI and machine learning
Conducting compliance audits for AI and machine learning systems to ensure they meet regulatory and industry-specific standards, with ongoing monitoring and enhancements of their security and operational protocols
Each day: LABS
Some examples of practical labs that can be included in the IT audit training programme:
Risk Assessment and Control Evaluation Lab:
Participants will assess the IT risk landscape of a simulated organisation and evaluate the effectiveness of control measures. They will identify potential risks, prioritise them based on their impact and likelihood, and recommend control enhancements to mitigate the identified risks.
Vulnerability Assessment and Penetration Testing Lab:
Participants will perform a hands-on vulnerability assessment and penetration testing exercise on a mock network or application. They will utilise various tools and techniques to identify vulnerabilities, exploit them, and provide recommendations for remediation.
Network Lab:
Participants will build and simulate several networks, identify their vulnerabilities, perform a risk assessment and propose a mitigation plan during the lab, then conclude on the quality of their recommendations.
AI labs:
We will create Python programs implementing specific audit controls and tests (continuous auditing).
Audit of Access Controls Lab:
Participants will analyse user access controls within a simulated environment. They will review user permissions, segregation of duties, and user provisioning processes. They will identify any access control gaps, recommend improvements, and assess the overall effectiveness of access controls.
Audit of Data Protection Lab:
Participants will assess the effectiveness of data protection measures within an organisation. They will review data classification, encryption practices, backup and recovery procedures, and data retention policies. They will identify any gaps in data protection and provide recommendations for strengthening data security.
Cloud Security Audit Lab:
Participants will conduct an audit of a cloud computing environment. They will review cloud service agreements, security configurations, and access controls. They will evaluate the organisation's adherence to cloud security best practices and regulatory requirements, and provide recommendations for improving cloud security posture.
Note: This training program can be further customised to include additional topics, specific industry case studies, and hands-on exercises based on the specific needs and requirements of the participants and their organisations.
Methodology
This training programme will adopt a blended learning approach to ensure an interactive and engaging experience for participants. The programme will include a combination of:
Interactive lectures
Case studies
Group discussions and activities
Practical exercises
Q&A sessions
Continuous learning support
This programme is aligned with DORA, ENISA, NIST, COBIT and CISA.
Target audience
We welcome all Internal Auditors (Senior Auditors, Heads of Audit, Governance & Internal Control Specialists).
Comments
The programme requires a good internet connection in order to participate in the IT labs. If your organisation's IT security rules are strict, we recommend using a private laptop.
Course Materials (Additional Info)
In English or in French.
Modalities
Course Material
No course materials are available for this course.
Contact
For further questions, please contact our partner in your country.