Purpose of work is to analyze the existing practices of performing security analysis and IT-security audit (NIST, OWASP, Cobit, OSSTMM, PTES and GOST R ISO/IEC), used to obtain objective and reliable data for operational security assessments of the CII objects and development of an IT-security audit model for CII objects. Research method: methods of analysis and structural decomposition from the theory of system analysis, identifying signs essential for optimizing the process of IT-security audit for CII objects. Research result: include the detailed analysis and comparison of the existing best practices for performing security analysis and IT-security audit (NIST, OWASP, Cobit, OSSTMM, PTES and GOST R ISO/IEC) for CII objects. A model of IT-security audit for CII objects has been developed. Scientific novelty: an IT-security audit model for CII facilities, characterized by the possibility of a “dual” mode for a full cycle of ensuring the safety of CII facilities – a full national conditional mode and a combined conditional mode, which allows, if necessary, to include additional functional blocks