Security Basics mailing list archives
Defining a long-term audit plan
From: Joe <bitshield () gmail com>
Date: Fri, 17 Aug 2007 23:04:31 +0200
Hello In order to review my employer's information security I would like to set up a long-term audit plan. This plan should define the audits for the following 3-5 years, so that ideally every information security area is covered at least once within this time frame. What do you think is the best approach to do that? Would it for example make sense to make an initial enterprise-wide audit in order to identify areas that should receive the highest priority so that the following years can be planned according the identified deficits? Or would it make sense to define 3-5 information security areas so that each of these are will be tested once within the predefined time frame? If such a solution makes sense, then what should be the general areas? My current idea is to audit the following areas: - Operational security - Organizational security - Business continuity - Physical security - Personnel security Do these areas provide a good coverage of the information security area? There are various audit standards and methodology but I didn't find anything useful for long-term audit plans. What are your experiences? Are there good sources available? Thanks for participating in this discussion Joe
Current thread:
- Defining a long-term audit plan Joe (Aug 17)
- Re: Defining a long-term audit plan Jim Nelson (Aug 20)