IT Audit: Making the transition from IT to IT Audit
On several occasions I’ve been asked “How does someone make the transition from IT to IT Audit?”
If you’re new to Information Security, then you should take an introductory course in information security. SANS has an excellent one in SEC301 Intro to Information Security. Then follow that course with a bootcamp-style security essentials course, something similar to SEC401 SANS Security Essentials Bootcamp Style. And while you’re in the mood for bootcamps, follow the security essentials up with an IT Audit essentials bootcamp. Look at AUD429 IT Security Audit Essentials Bootcamp from SANS.
Now you’ve got the essentials down, security and IT Audit, or should I say you’ve got the skeleton course work finished. Now let’s put some substance to the body of knowledge that you’re building. There are three more things that you need to do: two courses and one certification exam. You will need to take a course in IT auditing that covers things like networks (routers, switches and the like), operating systems (UNIX and Windows), and maybe even some web application auditing. Look at AUD507 Auditing Networks, Perimeters, and Systems from SANS and make sure it’s being taught by David Hoelzer. Also look at AUD 423 Training for the ISACA® CISA® Cert Exam. Then the last thing you want to do is to register for and take the CISA certification exam from ISACA.
As you’re taking the courses from SANS, you’ll find that most of them have optional GIAC certifications, and I encourage you to take those as you complete each SANS course. The certification for the SEC301 course is GISF; for SEC401 it’s GSEC and for AUD507 it’s GSNA.
Now, with some work experience, you’ve made the transition from IT to IT Audit and you’re well on your way. Congratulations.

