Information Security Program Audit

The California Office of Information Security (OIS) plays a critical role in ensuring the State’s information technology infrastructure is capable of delivering vital services in a secure, reliable, and trustworthy manner.


The mission of the Information Security Program Audit Team (ISPA) is to provide expertise to evaluate compliance with state security and privacy policies, by validating security systems, procedures, and practices are in place and working as intended.

State security and privacy policies, and corresponding standards and procedures are accessible online in the State Administrative Manual (SAM), Chapter 5300, and NIST 800-53

Information security audits are authorized pursuant to Government Code Section, 11549.3 (d).



  • Engagement with a trusted team of professional information security auditors.
  • Confidential examinations, interviews, and testing based on federal and state security standards.
  • Provide independent assurance that critical assets and citizen data are protected.
  • Audit reports contain compliance information that is customized to the agency’s audit scope.

Information Security Audit Overview

The audits are organized into domains that have been compiled using adopted industry and state standards (NIST Special Publication 800-53and SAM 5300). These standards align with current state policy requirements.

Prior to an audit, documentation is sent to prepare the entity for the audit. This includes an Articles Request (AR). The completed AR documents are to be sent to the auditor prior to the audit interviews. The Audit Control Guide gives the entity preview of the domains and allows the entity to prepare for the audit.

The audit is kicked off with an engagement meeting. The meeting allows the entity to meet the lead auditors, who present an overview of the audit process. After the meeting, interviews with subject matter experts are scheduled by the audit team. Testing and validation are completed and work papers are written. With these work papers, findings are documented and sent to the entity in a weekly status report for review.

Upon completion of the interviews and testing, a draft report is written, encompassing all information gathered during the audit. This report is sent to the entity for review. The entity has an opportunity to address any issue identified during the audit and provide evidence to the contrary. Once all issues are settled, a final report is sent to the entity.

Need more information?  Please contact the California Office of Information Security at (916) 445-5239 to learn about Information Security Program Audit services.

This service is classified as a Current Service.

What can an audit do for our organization?

An information security audit is a type of compliance audit that identifies potential cyber security gaps. It also provides guidance on implementing the State Administrative Manual (SAM) Chapter 5300 including referenced Statewide Information Management Manual (SIMM) procedures and NIST Special Publication 800-53 security and privacy controls. Often times, third party guidance is helpful in highlighting known issues through findings and observations. Audit results may provide needed pathways to resource acquisition or additional funding.

What is a compliance audit?

‘A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit.’ (Source: Search Compliance website)

What does the ISPA Team do?

The ISPA team performs audits to ensure entities are in compliance with NIST and SAM Chapter 5300. After an entity is selected to receive an audit, the auditor assigned to lead the audit oversees the engagement which includes the following milestones and processes: • Notification to the entity an audit will be performed • Receipt of engagement package by entity • Dates for audit to be conducted are confirmed • Preliminary articles are gathered and reviewed • Engagement (entrance) conference is held • Technical kickoff is held • Field work (discovery, interviews, testing) • Draft Audit Report is compiled by lead auditor • Exit conference call is conducted • Final Report issued

How often can I expect an ISA audit?

Auditees are selected based on criteria established by the California Office Information Security, Information Security Audit (ISA) Team: • An AB 670 Security Assessment (performed by Dept. of the Military) has not been scheduled for the current year • An ISPA has not been performed by CISO in the last 2 years • A department is not selected if they do not have any “mission critical” applications Selections are subject to approval by the Government Operations Agency.

Can we get a copy of the audit criteria in advance?

Available upon request.



Effective with the Enacted 2021-22 State Budget, the cost of the Information Security Program Audit is now covered by the General Fund. It is no longer necessary to submit a Service Request.

To request an Information Security Program Audit (ISPA), please email the Office of Information Security at or call (916) 445-5239.