Fundamentals of Internal IT Auditing
Course code: BTA-201 / BTA-202
Title: BTA-201 — Fundamentals of Internal IT Auditing in Accordance with General IT Controls Requirements, BTA-202 — Fundamentals of Internal IT Auditing in Accordance with ISO 27002 Requirements
Course length: BTA-201 — 8 (eight) academic hours / 6.50 CPE Hours, BTA-202 — 10 (ten) academic hours / 8 CPE Hours
Audience: Internal auditors and IT auditors, beginners in the field of IT auditing
Preliminary requirements: knowledge of the basics of industry legislation and international standards in the fields of auditing, information technology, and information security; understanding of how data transmission network topologies are designed and operate; understanding of the principles of information processing; skills in working with Windows, Linux, network devices, and production-grade databases; knowledge of the types and classes of production-grade devices for protecting, processing, storing, and transmitting information; knowledge of the basics of risk management; understanding of the principles of economic theory and cost formation; analytical and arithmetic skills.
- What is an IT audit, when is it needed, and what does it consist of?
- The objectives of an IT audit
- The principles of an IT audit
- The scope of an IT audit
- The criteria for an IT audit
- Overview of external requirements:
  - General IT Controls (ITGC)
  - ISO/IEC 27001 standard
  - NBKR-2021 requirements
- How to conduct an IT audit:
  - BTA-201: Practical Guide to General IT Controls:
    - Logical and physical access
    - System administrators
    - Employee access rights
    - Remote access rights
    - Password policy
    - Firewall
    - Antivirus
    - Mobile devices
    - Incident management
    - Information systems operation
    - Data backup
    - Data recovery
    - Long-term backups (tapes, disks)
    - Access to the server room
    - Environmental controls in the server room
    - Backup data center
    - Batch data processing
    - Interfaces
    - Infrastructure problem resolution (Help/Service Desk)
    - Change management in information systems
    - Working environments (production, development, testing)
    - Access to production environments
    - Change transfer process
    - Change procedures
    - Critical change management
    - Logical and physical access
  - BTA-202: Practical Guide to ISO 27002:
    - Information security policies
    - Information security organization
    - Human resources security
    - Asset management
    - Access control
    - Cryptography
    - Physical and environmental security
    - Operational security: procedures, malicious code, redundancy, logging, and monitoring
    - Communication security
    - System acquisition, development, and maintenance
    - Supplier relationships
    - Information security incident management
    - Information security aspects of business continuity management
    - Compliance with external requirements
- BTA-201: Practical Guide to General IT Controls:
  - Calculation of information risks
  - Types and methods of information risk management
  - Matrix for expert assessment of risk level
  - Examples of calculating material (monetary) damage from the occurrence of risks associated with the loss of confidentiality, availability, or integrity of information assets
  - Determining the cost of ownership of an information asset
  - Total Cost of Ownership (TCO)
  - Life cycle of information systems
  - TCO structure, calculation procedure, and determination of the effect of owning (implementing) an information system
- IT audit results
- Working documents, non-compliance reports
- Processing of large volumes of structured and unstructured data (data analysis)
- Software and measurement tools used in the audit
- Composition of the report