Guidance in audit of security of information systems


Working title: Guidelines on Information Systems’ Security Audit, including Cyber Security (Earlier ISSAI 5310)

The project aims to create a relevant GUID for use by field audit practitioners, with the objectives of executing the following processes:

  1. Aligning the guidance with ISSAI 100 and the revised GUID 5300
  2. Identification of the universe of information systems assets in use by the audited entity
  3. Identification of potential threats, and of countermeasures for mitigating and avoiding risk exposure to assets
  4. Evaluation of internal controls already adopted by the audited entity
  5. Risk analysis, quantified in terms of risk exposure, determined by the combination of the criticality of the information asset(s) and the business impact of failure
  6. Issue of recommendations, based on computed risk exposure

IFPP Category

INTOSAI Guidance


  • Project Proposal
  • Preparing Exposure Draft
  • Open for comments
  • Analysing Comments
  • Preparing Endorsement Version
  • Endorsement Version

Project proposal

Project proposal Download

Exposure Draft

| Document | Comments Received | Action |
|---|---|---|
| Exposure draft | 0 | Comments are closed |

Endorsement Version


