Information Security

Information security is an apparently simple subject with clear rules. The almost daily incidents in the news show that the subject is more complex than it looks. Our premise is that information security is a business issue of which ICT is one part.

The reliability of information is an important quality aspect for organizations. Governance laws and regulations (VIR, Tabaksblat, SOX, etc.) also require attention to information security.

Information Security and Audit: The auditors assess the adequacy of the information security policy and provide advice on setting up risk management. The outcome of an information security audit is an understanding of the effectiveness and progress of information security in an organization. Such an audit is often used to define the starting point for improvement.

Security information and advice: Our consultants (information security specialists) help organizations to define and organize the security management process. We also provide security officers, information officers, etc. on an ad interim basis to government and for-profit organizations.

With our years of experience in this area we know very well the pitfalls that are apparently inherent to this subject.

Continuity Management

Through extensive experience we have developed a practical but above all pragmatic method to manage the continuity of your organization.

On this website you can download a free Quickscan, which you can easily use to determine the extent to which your organization depends on IT.

Duijnborgh Audit has developed a number of instruments that can be used to determine how well an organization is able to start up again after a disaster. The methodology is built on our own CEM model (CEM stands for Continuity Efficiency Measurement).

The CEM model identifies the risks that arise when ICT fails in an enterprise, where the bottlenecks are and, most importantly, what measures can (or should) be taken to reduce the risks.

A number of showstoppers are built into the process, so that no more work is done than is absolutely necessary to determine whether any action is needed. The methodology is very suitable for medium-sized enterprises.

The steps in a Continuity Efficiency Measurement

  • CEM Quickscan
  • CEM Self
  • CEM Audit

You can request the Quickscan application by sending us an e-mail. We will send you the Quickscan free of charge.
Download the brochure, or contact us if you want more information.

Risk analyses

In some cases it is necessary to determine the dependency and vulnerability of the organization through a risk analysis. We have extensive experience both with analytical methods such as CRAMM and ACIB and with methodologies that identify the risks of your organization effectively, efficiently and in a short time.


With our pre-audits we are the link between organizations and the certifying authority. We speak both your language and that of the certifying auditor.
We can support organizations that wish to certify against a particular standard, e.g. BS 27001 (Information Security), BS 7510/11/12 (Information in care) or BS 20000 (Service Management).

How does a pre-audit work?

We have specialists with extensive experience in certification programs. We can provide the following:

– we process the full certification file for the formal certifying party;
– we establish the necessary formal procedures, manuals, etc.;
– we assist in the preparation of the (interim) reports for the certification body.

What are the advantages of a pre-audit?

– The certification path can be completed much faster because you do not have to invent it all yourself;
– You have a fully prepared certification file;
– You have a counterweight to the certifying authority;
– You have a fixed point of contact with short lines of communication;
– You will save considerably on costs.

Social Audit

We use the term Social Audit instead of the usual term Social Engineering. The research is based on the ‘traditional’ audit method, which means that the customer is assured of expert, independent and responsible research.

Social Audit can be used to measure the quality of information. Broadly, a social audit can be performed using two techniques (individually or in combination):

– as a technique whereby a computer cracker tries to attack a computer through the users of the systems;
– as a form of influence on social behavior and attitudes.


Increasingly, (parts of) IT departments are outsourced to an external supplier, which then delivers the services that the organization's own IT department originally supplied.

Outsourcing has advantages, such as cost savings, as well as disadvantages and even risks.

The most common risk is that the supplier does not comply with the agreements. There are even special terms defined to indicate how the supplier fails:

Shirking is when a supplier systematically under-performs while being fully paid. For example, declaring more hours than were actually worked.

Poaching is when the supplier abuses its position of trust by letting other customers use sensitive information from, or solutions specially developed for, the customer.

Opportunistic repricing occurs when a customer becomes more and more dependent on the insourcing party over time. This allows the dominant insourcing party to change the financial conditions of the contract unilaterally, because the customer depends on it.

Ensuring that the business contract is legally watertight can prevent a lot of misery, but ultimately it is important to build confidence between the outsourcing and insourcing parties. To create mutual confidence, it is important to build and maintain a good relationship.

Recent research shows that in 60% of cases the contractual relationship is disappointing, and that in as many as 58% of cases the outsourcing relationship eventually ends.

To prevent this, we can assess the outsourcing relationship and give independent advice on how the relationship can be improved.

Third Party Announcement

Our independent IT auditors can investigate the quality of the IT resources in your company. The results of the investigation are recorded in a Third Party Declaration. This declaration can be published on your company's website to show your customers that you are in control of your IT (IT governance).

Our Third Party Assurance services include:

  • providing an independent view in the context of SAS 70.
  • support and guidance in preparing for a SAS 70 audit.
  • support and guidance in the preparation of an ISO 27001 or ISO 27002 certification / audit.

IT audit

By performing an IT audit we are able to assess the automation in the organization and the organization of the automation.

During an IT audit the quality aspects of the information technology are assessed. The primary aspects to be evaluated are: effectiveness, exclusivity, integrity, auditability, continuity and manageability. An IT audit focuses on information and IT management, information systems, information strategy and the operational automation support.

The following six domains, derived from the NOREA publication ‘IT auditing aangeduid’ (IT auditing defined), are included in the term IT auditing.

  • Information strategy comprises the whole of objectives, premises and limiting conditions for dealing with information within an enterprise and for organizing the information services.
  • IM/IT management has to be in place in order to develop, manage and use automated systems, as well as the conditions to manage these processes. Management has to be able to ascertain whether the organization complies with the goals and limiting conditions formulated in the information strategy.
  • Information systems are the automated processes developed to process data. The organization and resources primarily intended for developing and using information systems also belong to the domain of information systems.
  • Technical systems are implemented in hardware and system programs for control purposes. These systems support the automated processes within the information and process systems by controlling the hardware.
  • Process systems are developed to control electronic interfaces and, in doing so, control devices. They are not information systems because they are not primarily developed to process data. This domain also includes the organizational units primarily responsible for these systems, as well as the resources employed.
  • Operational automation support includes all activities of an organization aimed at controlling and keeping available the technical infrastructure and the managed IT systems (adhering to the agreed standards and service level agreements, as well as the administration thereof). The operational automation support includes installation, management and maintenance of the means of automation placed at the disposal of the end user (including application software).