The security audit is a systematic, independent and documented process for obtaining evidence and its objective evaluation, in order to determine the degree of compliance with the security policy of the audited information system and the needs for improvement and correction of it.
This audit shall be carried out using generally recognised working and behavioural criteria and methods, as well as national and international recommendations and standards applicable to this type of information systems audit. In particular, the technical instruction to follow the Information Systems Security Audit establishes the conditions for the performance of the mandatory audit to which the information systems within the scope of application of the ENS must be subject, as regulated in article 34 and Annex III of its regulatory standard.
Findings derived from security audits shall be classified according to the following grades:
- Inspection of compliance (Level 1 and 2).
- Minor Non-Conformity
- Major Non-conformity
- Technical inspection (Level 3, 4 and 5). The following possible results of criticality are established.
The final opinion of an audit shall be one of the following three:
- Favorable with NO conformities (Corrective Action Plan)