Re: Defining a long-term audit plan

[Jim Nelson <jnelson () nmsu edu>]

Audit focus and frequency should be based on risk assessment.

Jim

Quoting Joe <bitshield () gmail com>:

> Hello
>
> In order to review my employer's information security I would like to
> set up a long-term audit plan. This plan should define the audits for
> the following 3-5 years, so that ideally every information security
> area is covered at least once within this time frame.
>
> What do you think is the best approach to do that?
>
> Would it for example make sense to make an initial enterprise-wide
> audit in order to identify areas that should receive the highest
> priority so that the following years can be planned according the
> identified deficits?
>
> Or would it make sense to define 3-5 information security areas so
> that each of these are will be tested once within the predefined time
> frame? If such a solution makes sense, then what should be the general
> areas? My current idea is to audit the following areas:
> -     Operational security
> -     Organizational security
> -     Business continuity
> -     Physical security
> -     Personnel security
>
> Do these areas provide a good coverage of the information security area?
>
> There are various audit standards and methodology but I didn't find
> anything useful for long-term audit plans. What are your experiences?
> Are there good sources available?
>
> Thanks for participating in this discussion
> Joe


James Nelson, Ph.D.
Information Systems
College of Business
New Mexico State University
Las Cruces, NM 88003

505.646.5678