How organizations can prepare for a data storage audit.
Reading Time-approximately: 3 minutesDuring data storage audit preparation, gather documentation on storage practices, test results and storage security plans. Evidence is crucial for a satisfactory report.
By Paul Kirvan
To ensure that data storage activities are consistent with good practice and relevant standards and regulations, perform periodic audits of the data storage process. Audits ensure that the organization regularly performs data storage activities, such as backups, and stores data in a secure and efficient way.
Organizations should have policies and procedures in place regarding data storage activities. Audits provide evidence to senior management, as well as external organizations — such as regulators, key customers and stakeholders — that the organization’s data storage programs perform properly and meet compliance standards, such as HIPAA, GDPR and ISO.
Address several important factors in preparation for a data storage audit. Some actions to take that can aid the audit process are the following:
- Identify the data storage controls and configurations that are likely to be audited.
- If using an external or internal auditor, be sure the audit team is familiar with auditing IT systems and data storage.
- Identify the IT department team that will support the audit.
- Establish a work area for the audit team.
- Secure and have ready as evidence a variety of documents, reports and other information for examination by the auditors.
Best practices for data storage audit preparation
Preparation and documentation are two key elements to have when preparing for, and going through, an audit. Have access to subject matter experts who can discuss data storage with auditors. Prior to the audit beginning, gather the necessary materials, such as the following:
- Current copies of all data storage, archiving and related documentation, including the following:
- storage and backup schedules and procedures;
- recent assessments, audit records and reports on storage performance, including tests;
- roles, responsibilities and workflow of data storage and backup teams;
- documents describing previous data storage and backup problems and how they were resolved;
- data protection, backup and storage training materials;
- evidence of previous management reviews and data audits; and
- evidence of continuous improvement activities.
- Evidence that the data storage and backup program is part of a comprehensive IT DR program
- Evidence that the organization has scheduled data storage, backup and recovery tests as part of the overall IT DR program for on-site, cloud and off-site sites
- Evidence of scheduled and conducted data storage and backup assessments and updates to storage/backup policies and procedures
- Evidence that demonstrates senior management support for the data storage program, including a senior management sponsor/champion, a budget and staff dedicated to data storage
- Evidence that data storage, backup and recovery activities are a strategic activity for the business.
To help prepare for a data storage audit, the table lists controls that may be audited. This way, internal IT teams can prepare for most audit requests, which will facilitate the timely completion and delivery of the audit report. Many of the controls also include data backup and recovery, which are important complementary elements of data storage.
| Data Storage Audit Checklist | ||
| ✓ | Data Storage Audit Controls | Examples of Audit Evidence |
| Data storage plan | Documented plan | |
| Data storage policy | Documented policy | |
| Data storage procedures and relevant documentation, forms, etc. | Documented procedures, forms, templates, checklists | |
| Data storage schedules | Paper copies or screenshots of backup and recovery schedules | |
| Data storage access elements | Screenshots of access controls (e.g., sign-in, permissions, data access, authentication methods) | |
| Data storage reliability metrics | Screenshots of data storage reliability metrics | |
| Data storage performance metrics for mainframes, servers, network devices, applications, data files, databases | Documented reports on data storage performance for all IT assets that need to be backed up | |
| Data storage, backup and recovery test plans and documented results | Copies of recent data storage, data backup and recovery test plans, performance data from the tests, and after-action reports | |
| Data storage frequency metrics | Screenshots of data storage schedules showing frequency metric for each kind of activity | |
| Data storage systems and software | Operational documentation and relevant screenshots for applications and hardware used for data storage activities | |
| Data storage resources — Local | Operational documentation and relevant screenshots for local storage systems and resources | |
| Backup data storage resources — Off-site | Operational documentation and relevant screenshots for off-site storage systems and resources | |
| Data storage security — Local | Operational documentation and relevant screenshots for local storage security measures | |
| Data storage security — Off-site | Operational documentation and relevant screenshots for remote data security measures | |
| Data storage network services | Operational documentation and relevant screenshots for network services used when transmitting data for storage, backups and recoveries | |
| Environmental requirements for data storage (e.g., secure physical site, power, security, HVAC) | Operational documentation and relevant screenshots for data storage site physical security, primary and backup power supplies, emergency lighting, emergency exits, and primary and backup HVAC systems. This is especially important when using cloud storage. | |
