The management of small and medium-sized companies often does not realise the importance of information security and is not aware of the threats and risks that their current use of IT poses to their business. As an auditor you can be a sparring partner to the management by analysing the current level of information security and making suggestions for improvements. In my capacity as auditor for the company M-Medical A/S, I have used RS 315 in my advice to the company in order to learn about the company and its surroundings. During my audit, I became aware of matters concerning information security in general, which do not seem appropriate. In order to be able to advise the company about the different aspects of information security, I have used DS 484 as the basis for a guideline I have prepared. This has provided me with a practical tool, which is highly suitable for advising companies on how to improve information security. In connection with my analysis of information security at M-Medical A/S, I talked to the management and relevant key members of staff. During my analysis, I found that the management of M-Medical A/S has only limited knowledge of the level and importance of information security and is therefore unaware of the threats and risks facing the company. My advice has helped the management of M-Medical A/S to understand the threats posed by the current level of security. My advice has also provided the management with a tool to assess information security. When making future improvements in information security, the management should remember that my suggestions for improvements, which are presented in the action plan, are not exhaustive. The management therefore needs to keep itself up to date on new threats and potential risks.
| Educations | MSc in Auditing, (Graduate Programme) Final Thesis |
| Number of pages | 84 |