Compliance Audit – isec

Compliance audit

Service Overview

Current efforts to digitize services and the need to align with European regulations are driving local legislation in the information security area. National control authorities, such as the National Bank of Romania or the Ministry of Communications, have adopted specific regulations addressing key security concerns for critical services and systems.

Compliance audits, or conformity checks, should be conducted by all organizations offering e-services to customers. Organizations must obtain external, independent verification of their IT systems and operational processes; the resulting conformity status is reported to regulators as a direct and independent statement of compliance or non-compliance with the audit criteria.

As many organizations outsource their critical services or rely on third parties to deliver services to their customers, they also need to pay closer attention to their partners' compliance in order to avoid service unavailability and keep their customers' data secure. Organizations should obtain an objective evaluation of all IT systems and operational processes, including those outside their direct control.

We offer compliance audit services that help your organization ensure its conformity with the standards, regulations, and local legislation related to information security.

Our experts are ready to perform compliance audits against:

  • Banking regulations issued by national control authorities;
  • Digital platform regulations for alternative transport providers issued by national control authorities;
  • Standards such as ISO 27001, ISO 27002, ISO 27005, ISO 22301, ISO 27552, ISO 31000 and more;
  • Other specific regulations such as GDPR, eIDAS, PSD2, NIS, and more.

Our audit methodology follows these phases:

Planning phase – set up the audit team, establish the project calendar and the necessary resources, define the audit objectives, and agree on the Audit Plan;

Execution phase – carry out on-site visits and interviews, collect and review relevant data, identify the implemented controls, and assess their effectiveness;

Reporting phase – analyze the collected data and the identified issues, and present the Audit Report.

Audit Plan – includes a clear definition of the audit's scope and constraints, its objectives and risk criteria (based on the applicable regulatory requirements and guidelines), and an outline of the activities to be carried out according to the established calendar.

Audit Report – describes the audit results and provides conclusions, as well as recommendations for remediation or further improvement. The report includes a summary of findings, points out the areas of compliance and the non-compliant aspects, and references the evidence records on which the auditor's opinion is based.

Note: The Audit Report covers the audit process and its findings; any accreditation or certification the organization is pursuing remains outside the audit's scope and is a separate process.

  • Identify weaknesses related to regulatory compliance;
  • Receive actionable findings and recommendations;
  • Create opportunities for improvement;
  • Reduce risks and avoid potential fines or penalties;
  • Non-intrusive on-site or remote evaluation services.