Security Audit

Security audits have a critical role to play in safeguarding information assets. The fluid environment of evolving economic and regulatory conditions, increased globalisation and outsourcing, and new and emerging risks makes it tough for organisations to identify and manage the complex risks they face.

A QinetiQ security audit reassures our customers that they are complying with industry best practice, and provides the insight and tools that will help them achieve compliance. Whether they need to align with National Technical Authority policy, an international ISO standard or industry specific standards, our team can complete an objective audit and provide impartial guidance on how to improve compliance.

The audit plays a valuable role in achieving optimal operational effectiveness with minimal exposure to risks, fostering continual improvement, and proactively detecting weaknesses before they become a costly or irreparable problem.

We can either help a customer allocate and train the right in-house team – equipping them with the right tools, procedures and empowerment, or provide independent lead auditors to assess an organisation's information security posture.

Our consultants can:

  • Help set the audit programme and strategy, or take complete ownership of conducting the audit
  • Quickly identify and diagnose security vulnerabilities and areas for improvement
  • Provide actionable, cost-effective recommendations for measures based on objective findings and a thorough understanding of the business context and culture

The audit process

Scoping the audit: To minimise cost and disruption, we work with our customers to identify areas of top priority and concern.

Planning and preparation: We produce a detailed audit work plan and/or checklists, based on a relevant standard.

Field work: Audit evidence is gathered through, for example, interviewing staff, managers and other stakeholders, reviewing information security documents and records, observing security processes or checking system security configurations and logs.

Analysis and reporting: All evidence is validated and analysed, and any deficiencies are communicated. A final audit report is produced and presented to stakeholders, before formulating all ensuing decisions into a corrective action plan.

The audit and assessment frameworks and standards we work with include:

  • ISO/IEC 27001 – Information Security Management System
  • ISO/IEC 20000 – IT Service Management
  • HMG SPF and supporting standards and guidelines
  • HMG IAMM – Information Assurance Maturity Model
  • MOD JSP440 – The Defence Manual of Security
  • Privacy Impact Assessments (PIA)
  • ISO 10008:2008 – Specification for evidential weight and legal admissibility of electronic information
  • ISO/IEC 24762:2008 – Security techniques for ICT disaster recovery services
  • ISO/IEC 38500:2008 – Corporate governance of information technology
  • ISO/IEC 12207:2008 – Systems and software engineering lifecycle processes
  • ISO/IEC 21827:2008 – Systems Security Engineering – Capability Maturity Model (SSE-CMM)


Data illustration