List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.
ELEMENTS | PERFORMANCE CRITERIA |
Elements describe the essential outcomes | Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the range of conditions section. |
1. Plan security audit | 1.1 Identify the scope and objectives of the audit and prepare an audit plan to meet the objectives. 1.2 Identify the organisation’s information systems to be included in the audit plan. 1.3 Advise appropriate personnel of the audit plan and its requirements. 1.4 Identify and prioritise possible sources of security risk and prepare an audit checklist. |
2. Conduct security audit | 2.1 Identify and analyse systems, procedures, records and documents. 2.2 Conduct audit in accordance with the audit plan. 2.3 Record audit activities. 2.4 Identify situations requiring specialist input or referral to other areas and act on referral. |
3. Report on security findings | 3.1 Maintain audit records and prepare audit reports. 3.2 Produce report including background, scope, outcomes and recommendations. 3.3 Use language and style to suit the audience and in line with organisational requirements for accuracy and timeliness. 3.4 Support recommendations with evidence and highlight actions identifying person/s responsible for implementation. |
Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified the candidate must demonstrate evidence of performance of the following on at least two occasions.
applying legislation, regulations and policies relating to information technology security audits and government security management
gathering, analysing and recording data
using computer applications to undertake security audits
managing risk in the context of government security management
engaging in discussion involving exchanges of complex information
responding to diversity
Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified the depth of knowledge demonstrated must be appropriate to the job context of the candidate.
legislation, regulations, policies, procedures and guidelines relating to information technology security audits
operational knowledge of policies and procedures in regard to use of information technology systems
organisation’s security plan
information technology systems and architecture
use and maintenance of hardware and software systems
Australian Audit Standards
aspects of criminal law and administrative law relating to the outcomes of compliance audits
protocols for reporting fraud, corruption, maladministration and security breaches
fundamental ethical principles in the handling of documents and information, natural justice, procedural fairness, respect for persons and responsible care
Assessment of this unit requires a workplace environment or one that closely resembles normal work practice and replicates the range of conditions likely to be encountered when undertaking IT security audits.
Assessors must satisfy the NVR/AQTF mandatory competency requirements for assessors.