Channel: The InfoSec Blog » Audit
Browsing latest articles
Browse All 4 View Live

Separation of Duties: InfoSec, IT and Audit

A colleague who had the opportunity to restructure the role of his InfoSec department asked for advice about defining the roles and duties and how to make his department more effective. Being very...


Audit Frequency

In one of the forums I subscribe to, the question came up: "How often should one carry out an internal audit?" There were variations on this to do with external audits as well. Let's suppose you...


All Threats? All Vulnerabilities? All Assets?

On one list I subscribe to I saw this outrageous statement: ISO 27001 requires that you take account of all the relevant threats (and vulnerabilities) to every asset - that means that you have to consider...


IT AUDIT VS Risk Assessment – 2

We were discussing which should be done first and someone said: The first has to be risk assessment as it is foundation of information security. You first need to know where is the risk before putting...
