A data centre audit can consist of many different audits, from the security procedures to the energy efficiency. Typically, auditors will focus on one single aspect every year if audits are annual. Since so many different aspects of a data centre audit exist, no single standard covers them all. However, several standards do cover individual aspects.
The Information Technology Infrastructure Library, or ITIL, provides a set of checklists for various aspects of service development and management, which apply to data centres. In particular, the Service Delivery and Information Technology and Communications Infrastructure sections of ITIL apply do data centres. ITIL is an industry standard, and common for management and planning of Information Technology, or IT, projects in Europe.
Security Audit using ISO 27000
Verifying the security of any organisation can be problematic, and data centres are no exception. International Organization of Standardization/International Electrotechnical Commission, or ISO/IEC, 27000 series are a set of standard, which specifies how to use information security systems. In particular, one of the intended uses is to provide relevant information about information security policies, directives, standards and procedures to external organisations.
Outsourcing Services Audit using ISO 27001
The ISO 27001 contains checklists for data centre outsourcing services audits. The points for verification include the installation and operations of hardware and software; the continuous monitoring of performance, capacity, and operational status; and software management practices, including backup and upgrade. Recovery procedures in the event of failure and the capabilities to support outsourced services are also part of the checklist.
SAS 70 audit of Service Organizations
The American Institute of Certified Public Accountants, or AICPA, developed the Statement on Auditing Standards, or SAS, No. 70, Service Organizations. It is a means of verifying the control objectives and control activities of a service organisation. In case of IT-related services, this implies a data centre audit.
Despite the common use of the SAS 70, the Statement on Standards for Attestation Engagements number 16 and the audit standard Audit Considerations Relating to an Entity Using a Service Organization replaced it. While neither the SAS 70 or the new standards replacing it contains checklists as such, they aim to provide a set of requirements that you can check.