mailing list archives
Re: Defining a long-term audit plan
From: Jim Nelson <jnelson () nmsu edu>
Date: Sat, 18 Aug 2007 12:43:21 -0600
Audit focus and frequency should be based on risk assessment.
Quoting Joe <bitshield () gmail com>:
In order to review my employer's information security I would like to
set up a long-term audit plan. This plan should define the audits for
the following 3-5 years, so that ideally every information security
area is covered at least once within this time frame.
What do you think is the best approach to do that?
Would it for example make sense to make an initial enterprise-wide
audit in order to identify areas that should receive the highest
priority so that the following years can be planned according the
Or would it make sense to define 3-5 information security areas so
that each of these are will be tested once within the predefined time
frame? If such a solution makes sense, then what should be the general
areas? My current idea is to audit the following areas:
- Operational security
- Organizational security
- Business continuity
- Physical security
- Personnel security
Do these areas provide a good coverage of the information security area?
There are various audit standards and methodology but I didn't find
anything useful for long-term audit plans. What are your experiences?
Are there good sources available?
Thanks for participating in this discussion
James Nelson, Ph.D.
College of Business
New Mexico State University
Las Cruces, NM 88003