In one of the forums I subscribe to the question came up: “How often should one carry out an internal audit?” There were variations on this to do with external audits as well. Let’s suppose you aren’t one of the recalcitrant types who take the attitude that audits aren’t necessary, or that an audit – or a risk analysis, for that matter – needs to be done just the once.
How often? Yearly? Every six months? Every month?
Maybe. Maybe not.
If your organization falls into certain regulated classes, there are rules that mandate when you get audited. For example, if you process credit cards then the PCI DSS requirements apply to you.
And so forth.
Merely asserting a period without reference to a regulation means it’s arbitrary; asserting a period with reference to an ISO standard means it’s a decision that management has chosen to abide by … or not … or some other standard. As the saying goes, there are so many standards to choose from.
Please note: there is nothing wrong with management arbitrarily setting an audit period, but that doesn’t mean the period is somehow applicable in all situations. As I’ve said before, a “Good Practice” is just that, and is entirely dependent on context.
Look to your own context: look to your own risk profile.
What is your “rate of change”? How often do you install or revise applications or equipment, deploy new sites, have a changeover in personnel or operating procedures, and so forth? The faster things change, the sooner the findings of the last audit stop describing the environment you are actually running, and the sooner the next one is due.