How to write an IT Security Audit Plan

While lending enormous benefits to society, advancements in information technology have put the security of sensitive information at risk, especially for government agencies. Threats from hackers, viruses, fraud, sabotage and natural disasters can have devastating consequences if the computer systems, information, critical operations and infrastructures they support are not secured properly. IT security audits are an essential means of ensuring the confidentiality, integrity and availability of IT assets. These audits support assessment of the efficiency and effectiveness of security and the control of IT systems.

Entities should have an IT Security Audit Plan to ensure regular and independent IT security audits of all critical information systems and applications. An IT Security Audit Plan ensures effective scheduling of the IT security audits and helps track potential security threats. Entities should create an IT Security Audit Plan before commencing the audit of a system.

The audit plan states the scope and objectives of the IT security audit. This article explains how to write an effective and efficient IT Security Audit Plan. The audit plan should contain the following:

Scope of Audit: The plan should define the intended scope or boundaries of the audit. For example, the scope of an audit might be an assessment of the effectiveness of access controls to various networks, such as the internet and intranet. If the scope of the audit is not defined clearly, the audit results will potentially contain a huge amount of data, and it will be difficult to sift through this data and extract the useful information.

Objective of Audit: In addition to defining the scope of the audit, the IT Security Audit Plan should also define the objectives of the audit. The specific audit objective is to evaluate security; the broader objective is to determine the type of information that is to be audited within the scope of the audit. For example, the objective of an audit might be to evaluate whether access controls are working as anticipated and are effectively documented.

Audit Schedule: In addition to having a clear scope and objective, the plan should also establish long-term strategic goals and focus on a three- to five-year planning horizon. The plan should schedule the audits for the next three to five years. Scheduling of the IT security audits should be done relative to both the threats and the business cycle of the entity. This helps the audits proceed in a logical sequence and minimizes the impact of possible disruptions to the functioning of the entity.

Frequency of Audits: The frequency of audits should be decided relative to the threat to, and sensitivity of, the IT asset concerned. The general norm is to conduct an audit once every three years for IT systems that contain sensitive data. This helps ensure the privacy, integrity and availability of the data.

Resources: The plan should also state the resources required for the audit, for example whether the audit will be performed by the entity's internal auditors or by a third party (a private firm). When a private-sector third party is being considered for the audit of sensitive systems, appropriate contractual terms should be included. The resources required for collecting and storing audit logs (disk space, memory and processor usage) should also be stated in the plan.

Additional Requirements: Areas that require special attention during the audit, or any additional audit requirements, should also be stated in the IT Security Audit Plan. For example, the security issues raised by employees using personal laptops at home.

The IT Security Audit Plan helps the entity and the auditor schedule the necessary IT security audits of the entity's sensitive IT assets. Past audits act as benchmarks for determining the priorities of current and future audits. Regular assessments are necessary to measure progress towards the goals and objectives of the IT security audit.

IT Security Audit Plan templates and samples are often used to promote consistency and professionalism within an organization.
