Conducting an Information Audit
Woody runs through the stages of planning, designing and executing an information audit

Importance of the audit
Information - the words, numbers, pictures, moving images and sounds that an organisation uses day-to-day - is a vital and strategic business asset. Nearly everything we do involves using information in some way; it supports, informs and evidences our decisions, activities, business transactions, performance, rights and obligations. Information is fundamentally the glue that holds an organisation's structure and processes together. Therefore, it is fundamentally important that an organisation understands the information it utilises and maintains in order to both unlock value and mitigate business risks.

Scope of the audit
How far should the audit go? Certainly Woody thinks it should cover all forms of physical and digital records, including application data. Of course, where the audit supports an ISO 27001 implementation, this could also include IT equipment and facilities, outsourced services and even the tacit knowledge of relevant people.

What is an information asset?
In creating the inventory it is important to ensure the level at which assets are catalogued is meaningful yet not so detailed as to make it an impossible task. Fundamentally an information asset is a cognate collection of stuff that shares the same purpose and characteristics.
As defined by The (UK) National Archives:
"Assessing every individual file, database entry or piece of information isn’t realistic. You need to group your information into manageable portions".
"An information asset is a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited effectively".
"Information assets have recognisable and manageable value, risk, content and lifecycles".
Thus, for example, it could include a series of paper files, a collection of electronic files, or a specific data set within an application.

Scope of questions
Woody consults with a range of stakeholders to determine the questions to be asked within the audit.
For example, lines of enquiry could support:
Facilities Management - Space optimisation; office moves and changes
IT Strategy - Storage planning; system rationalisation
Information Security / ISO 27001 - Risk management relating to storage, access, transfer, disposal
Business Continuity - Protection and availability of critical records
Records Management - Establish governance for capture, filing, retention, disposal
Compliance - GDPR / DPA18 obligation to record and publish information; Numerous laws (charity, companies, finance, fundraising, HR etc.) and regulations with an obligation to maintain proper documentation and records

Conducting the audit
Identify the participants - typically those who recognise themselves as asset owners or administer the information sets on a day-to-day basis.
Hold a series of business seminars - introduce the audit and run through the objectives and scope, the individual questions and the selection options from drop-down lists.
A supported self-audit exercise - only the people who work with the information will truly know what is held and why it is used, although support and mentoring can be provided.
Analysis of findings and clarification re-visits - looking for both obvious issues with data capture and any immediate risks.
Potentially, if available (or affordable), file analysis tools could be used to identify both the detail of individual electronic files for a deeper level inventory and the "ROT" (i.e. Redundant, Obsolete, Trivial files).

Information Asset Register
Whilst staff are familiar with using spreadsheets to capture the audit data, it is recommended to put the final data into some form of Information Asset Register database system. This will ease analysis and maintenance, as well as keeping ongoing audit trails of business events relating to assets.


