A&A-03: Risk Based Planning Assessment

Control Family:

Audit & Assurance

CSF v1.1 References:

PF v1.0 References:


This control is new to this version of the control set and incorporates the following items from the previous version: AAC-01: Audit Planning and AAC-02: Independent Audits.

Control Statement

Perform independent audit and assurance assessments according to risk-based plans and policies.

Implementation Guidance

Independent audit and assurance assessments should be based on risk-based plans that define audit objectives, scope, resources, timeline and deliverables, documentation and reporting requirements, use of relevant technology and data analysis techniques, costs, communication, and escalation protocols. Both CSPs and CSCs may take guidance from industry standards like the Committee of Sponsoring Organizations (COSO) or the International Organization for Standardization (ISO) 31000 for risk management and risk-based planning.

Auditing Guidance

  1. Examine the process for determining the risks applicable to the organization's systems and environments.
  2. Determine if a list of such risks is maintained and reviewed.
  3. Determine if senior management exercises oversight over the applicable risks.
  4. Determine if the audit plan is risk-based and is scheduled on an annual basis.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.