04-624   Information System Audit and Standards

Location: Africa

Units: 12

Semester Offered: Spring

Course description

The goal of this course is to introduce students to concepts, tactics, and best practices in IT governance, auditing, and control. Based on recognized IS audit standards, frameworks, and guidelines, students will gain the knowledge and abilities to evaluate IS governance and develop and implement audit strategies and controls. Students will also learn about the underlying legal, ethical, and security challenges.

Learning objectives

  • Demonstrate a thorough awareness of the tasks and expertise that a world-class information systems auditor is expected to possess
  • Understand how to plan, execute, report, and follow up on an audit of an information security management system
  • Understand the review requirements of Information Security controls and countermeasures
  • Understand the roles and responsibilities of the Information System Auditor


Students will gain knowledge, abilities, and competencies in the following areas by the end of the course:

  • IT industry security standards and frameworks
  • Information security policy development
  • Security compliance and auditing
  • Access control and information abstraction appropriate to the required level of security

Content details

  • Procedures and security policies
  • Risk assessment methodologies
  • Risk management
  • Data Recovery Plans (DRP)/Business Continuity Plan (BCP)
  • Business impact analysis
  • Asset classification
  • Process level strategy
  • Information classification organization
  • Crisis management plan
  • Resource recovery strategy
  • Frameworks
  • Audit benchmarks
  • Compliance
  • Communications
  • Data security for system designers
  • Criteria for evaluation and security testing
  • International security guidelines
  • Logging and analysis
  • Policy development for security
  • Security models
  • Security standards
  • ISO 17799/ISO 27001 Security Certifications
  • Security Management Engineering Capacity Maturity Model
  • Cybersecurity Laws and Legal Framework
  • Recovery and risk analysis
  • Operating systems and application-specific auditing

Prerequisites

  • Basic knowledge of cybersecurity
  • Basic knowledge of information technology assets and operations


Jema David Ndibwile