The InfoSec Blog

Audit Frequency

Posted by Anton Aylward

In one of the forums I subscribe to the question came up "How often should one carry out an internal audit?"  There were variations on this to do with external  audits as well.   Lets suppose you aren't one of the relicrant types that take the attitude that audits aren't necessary or that an audit - or a risk analysis for that mater - needs to be done just the once.

How often?  Yearly?  Ever Six Months?  Every Month?

Maybe. maybe not.
If you are one of a certain set of classes of organizations there are rules that mandate when you get audited. For example, if you process credit cards then the PCI:DSS rules apply to you.

If you are a bank, you should check for Basel II and FFIEC regulations.

And so forth.