PT. Bank Rakyat Indonesia (persero) Tbk. Unit Sukomoro have applied information technology. When applied information technology occured several problem. There are no specific external audit of information security until now. This research is devoted to information security that include asset security procedurs, physical and environmental security procedures, information technology operational security procedure, and incident handling procedures in information security. This research uses Bank Indonesia regulation that is Surat Edaran Bank Indonesia nomor 9/30/DPNP on 12 December 2007 about Penerapan Manajemen Risiko Dalam Penggunaan Teknologi Informasi oleh Bank Umum. This result from research is recommendation based audit about information security. Recommendation from the research is useful to improve banking services to satisfy bank costumers.