Security Basics mailing list archives
Re: Defining a long-term audit plan
From: Jim Nelson <jnelson () nmsu edu>
Date: Sat, 18 Aug 2007 12:43:21 -0600
Audit focus and frequency should be based on risk assessment.

Jim

Quoting Joe <bitshield () gmail com>:
Hello,

In order to review my employer's information security I would like to set up a long-term audit plan. This plan should define the audits for the following 3-5 years, so that ideally every information security area is covered at least once within this time frame.

What do you think is the best approach to do that? Would it for example make sense to make an initial enterprise-wide audit in order to identify areas that should receive the highest priority, so that the following years can be planned according to the identified deficits? Or would it make sense to define 3-5 information security areas so that each of these will be tested once within the predefined time frame? If such a solution makes sense, then what should be the general areas?

My current idea is to audit the following areas:
- Operational security
- Organizational security
- Business continuity
- Physical security
- Personnel security

Do these areas provide good coverage of the information security area? There are various audit standards and methodologies, but I didn't find anything useful for long-term audit plans. What are your experiences? Are there good sources available?

Thanks for participating in this discussion,
Joe
James Nelson, Ph.D.
Information Systems
College of Business
New Mexico State University
Las Cruces, NM 88003
505.646.5678