Using the evidential reasoning approach in auditing of an information security management system

Audit information security management system (ISMS) is an important element of a well-functioning ISM. As part of an ISMS audit, it is also necessary to determine the audit risk. Various methods exist and are developed for risk assessment, both in practical and theoretical level. These methods can use quantitative methods, or may be based on a qualitative assessment of risks. Current standards (e.g. ISO 27001) for construction and operation of the ISMS remain on operators how to carry out risk identification, relevant analyses and evaluations. Various probabilistic methods or methods based on Bayesian statistics are widely used theoretical methods. However, currently there are no generally accepted methods for calculating risk. This is due to the difficulty of quantifying some events and often subjective nature of the analysis. In this paper, we introduce an evidential reasoning model (evidential reasoning approach under the Dempster-Shafer theory) for the information systems audit risk assessment. The advantage of this approach is the ability to work with indeterminations and subjective evaluations. The proposed model is applied to the assessment of audit risk in the chosen field of standard ISO 27001.