
Executive Summary:

ISSAI 5310 – Information System Security Review Methodology


The document is a guide for reviewing information system security (ISS) in government organisations. This overview explains how the methodology is organised and in which circumstances it should be used.

ISSAI Category:

Level 4: Specific Auditing Guidelines - Guidelines on IT-audit

Target Group:

Heads and Audit Directors of SAIs, External Governmental Auditors, Internal Auditors


The main objective of this guide is to assist SAIs that have such a mandate to review the information system security programmes put in place by various government organisations. SAIs can also use it to set up comprehensive and cost-effective security programmes covering the key information systems in their own office.

This guide is not a detailed security audit guide: it is a description of a structured approach to assessing and managing risk in information systems.

Scope - Content:

The ISS Review Methodology Guide is written in 3 volumes:

  • Volume 1 offers SAIs a method for a simple manual information system review, especially when resources are limited or reporting needs do not require a more sophisticated method.
  • Volume 2 is a more sophisticated method based on the monetary value of information security exposures. It takes a top-down perspective: what information is of value to the organisation, what the risks and security exposures are, and what recommendations should be made.
  • Volume 3 shows detailed information security system methodologies. They attempt to measure the net monetary impact of security exposures and of the countermeasures put in place.

Author - Committee:

INTOSAI EDP Audit Committee


Issued by INTOSAI EDP Audit Committee, October 1995

