Audit of Significant Critical Infrastructure Facilities in the Metallurgical Industry

The article considers key aspects of conducting an information security (IS) audit at industrial enterprises, with special attention to the metallurgical complex, where a high degree of automation is combined with the use of vulnerable industrial technologies. The main attention is paid to the methodology for assessing the compliance of information security systems with current regulatory requirements, including both national and international security standards. A classification of the main types of information security audit is presented. Particular emphasis is placed on the analysis of regulatory requirements for ensuring the information security of industrial facilities, including the provisions of specialized supervisory authorities, such as the Federal Service for Technical and Export Control (FSTEC) of Russia. The importance of the results of a comprehensive information security audit for increasing the overall level of enterprise security is considered, taking into account not only formal compliance requirements, but also the practical effectiveness of the implemented security measures. The characteristic difficulties associated with the use of traditional audit methods in industrial networks are noted, and adapted solutions are proposed. A number of practical tips are offered to optimize the audit procedure and reduce potential risks. The results of the study are valuable for information security specialists at industrial enterprises, auditors, and representatives of regulatory authorities.