Information Security Program Audit

The California Information Security Office (CISO) plays a critical role in ensuring the State’s Information Technology (IT) infrastructure is capable of delivering vital services in a secure, reliable, and trustworthy manner.


The mission of the Information Security Program Audit team is to provide expertise to evaluate compliance and risk with state security and privacy policies, by validating security systems, procedures and practices are in place and working as intended.

State security and privacy policies, and –corresponding standards and procedures are accessible online in the State Administrative Manual (SAM), Chapter 5300 and NIST 800-53 (PDF).

Information security program audits are authorized pursuant to Government Code Section, 11549.3 (d).



  • Engagement with a trusted team of professional information security auditors.
  • Confidential examinations, interviews and testing based on federal and state security standards.


  • Provide independent assurance that critical assets and citizen data are protected.
  • Audit reports contain compliance information that is customized to the agency audit scope.
Information Security Audit Program Overview

The audit program is organized into twelve domains that have been compiled using adopted industry and state standards (NIST Special Publication 800-53 (PDF) and SAM 5300 ).   These standards align with current state policy requirements.

Prior to an audit beginning, documentation is sent to prepare the entity for the audit. This includes a Preliminary Articles Request-PAR  (PDF)  and an Audit Control Guide (DOC). The PAR documents are required to be sent to the auditor prior to beginning audit interviews. The Audit Control Guide gives the entity a preview of the twelve domains and allows the entity to prepare for the audit.

The audit is kicked off with an engagement meeting. The engagement meeting allows the entity to meet the lead auditors, who present an overview of the program. After the engagement meeting, interviews are scheduled and conducted with appropriate subject matter experts by the audit team. Additionally, testing and validation is completed and work papers are written. With these work papers, findings are documented and sent to the entity in a weekly status report for review.

Upon completion of the interviews and testing, a draft report is written, encompassing all information gathered and documented in during the audit. This report is sent to the entity for review and gives the entity an opportunity to address any issues that may have arisen and provide evidence to the contrary. Once all issues are settled, a final report is sent to the entity.

Need more information?  Please contact the California Information Security Office at (916) 445-5239 to learn about Information Security Program Audit services.

This service is classified as a Current Service.

Subscriptions to this service are available and can be referenced in the CDT Rate Schedule.

Service CodeService DescriptionUnit of MeasurementRateGroupComment(s)
G2xx-ISPAConsulting for Level 1 (DPM IV)Hour$150.00Information Security Program AuditThis is a general consulting rate
G3xx-ISPAConsulting for Level 2 (DPM III, DPM II, SSS III, SSS II and Sr. ISA)Hour$130.00Information Security Program AuditThis is a general consulting rate
G648Travel and MaterialsVariablePass-throughInformation Security Program Audit
H101Small Organization Audit (Audit Maximum)Per Audit$60,000.00 Information Security Program Audit
H102Medium Organization Audit (Audit Maximum)Per Audit$100,000.00 Information Security Program Audit
H103Large Organization Audit (Audit Maximum)Per Audit$200,000.00 Information Security Program Audit

Services are billed directly through the customer’s monthly invoice and payment for these services is processed via direct transfer.

To request an Information Security Program Audit, please submit a Professional Services Remedy Service Request.  Order Service Now

What can an audit do for our organization?

An information security program audit (ISPA) is a type of compliance audit that identifies potential cyber security gaps. It also provides guidance on implementing the State Administrative Manual (SAM) Chapter 5300 including referenced Statewide Information Management Manual (SIMM) procedures and NIST Special Publication 800-53 security and privacy controls. Often times, third party guidance is helpful in highlighting known issues through findings and observations. Audit results may provide needed pathways to resource acquisition or additional funding.

What is a compliance audit?

‘A compliance audit is a comprehensive review of an organization’s adherence to regulatory guidelines. Independent accounting, security or IT consultants evaluate the strength and thoroughness of compliance preparations. Auditors review security polices, user access controls and risk management procedures over the course of a compliance audit.’ (Source: Search Compliance website)

What does the Information Security Program Audit Team do?

The ISPA audit team performs audits to ensure entities are in compliance with NIST and SAM Chapter 5300. After an entity is selected to receive an audit, the auditor assigned to lead the audit oversees the engagement which includes the following milestones and processes:

• Notification to the entity an audit will be performed

• Receipt of engagement package by entity

• Dates for audit to be conducted are confirmed

• Preliminary articles are gathered and reviewed

• Engagement (entrance) conference is held

• Technical kickoff is held (if needed)

• Field work (discovery, interviews, testing)

• Draft Audit Report is compiled by lead auditor

• Exit conference is conducted

• Final Report issued

How often can I expect an ISPA audit?

Auditees are selected based on criteria established by the California Information Security Office (CISO), Information Security Program Audit (ISPA) Team:

• AB 670 Security Assessment (performed by Dept. of the Military) has not been scheduled for this year

• An ISPA has not been performed by CISO in the last 2 years

• A department is not selected if they do not have any “mission critical” applications

Selections are subject to approval by the Government Operations Agency.

Can we get a copy of the audit criteria in advance?

Yes, please request a copy of the audit criteria when you have been contacted about your audit?

How often can I expect a security assessment?

Security assessments performed by the Department of the Military are conducted every two – three years. This process is currently under review.