One Article Review

Source NoticeBored
Identifier 513793
Publication date 2018-03-15 07:43:59 (seen: 2018-03-15 07:43:59)
Title NBlog March 15 - scheduling audits
Text One type of assurance is audit, hence auditing, and IT auditing in particular, is very much in scope for our next security awareness module.

By coincidence, yesterday on the ISO27k Forum, the topic of 'security audit schedules' came up.

An audit schedule is a schedule of audits, in simple terms a diary sheet listing the audits you are planning to do. The usual way to prepare an audit schedule is risk-based and resource-constrained. Here's an outline (!) of the planning process to set you thinking, with a sprinkling of Hinson tips:

Figure out all the things that might be worth auditing within your scope (the 'audit universe') and list them out. Brainstorm (individually and, if you can, with a small group of brainstormers), look at the ISMS scope, look for problem areas and concerns, look at incident records and findings from previous audits, reviews and other things. Mind map if that helps ... then write them all down into a linear list.

Assess the associated information risks, at a high level, to rank the rough list of potential audits by risk - riskiest areas at the top (roughly at first - 'high/medium/low' risk categories would probably do - not least because until the audit work commences, it's hard to know what the risks really are). Guess how much time and effort each audit would take (roughly at first - 'big/medium/small' categories would probably do - again, this will change in practice but you have to start your journey of discovery with a first step).

In conjunction with other colleagues, meddle around with the wording and purposes of the potential audits, taking account of the business value (e.g. particular audits on the list that would be fantastic 'must-do' audits vs audits that would be extraordinarily difficult or pointless with little prospect of achieving real change). If it helps, split up audits that are too big to handle, and combine or blend in tiddlers that are hardly worth running separately. Make notes on any fixed constraints (e.g. parts of the business cycle when audits would be needed, or would be problematic; and dependencies such as pre/prep-work audits to be followed by in-depth audits to explore problem areas found earlier, plus audits that are linked to IT system/service implementations, mergers, compliance deadlines etc.).
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.