A&A-05: Audit Management Process

Control Family:

Audit & Assurance

CSF v1.1 References:

Control is new to this version of the control set and incorporates the following item from the previous version: AAC-01: Audit Planning.

Control Statement

Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.

Implementation Guidance

Audit management process security should include:

  1. Secure role-based access and authorization and secure communication and storage.
  2. Controls to protect audit data confidentiality, integrity, and availability.
  3. Periodic reporting, including issues and remediation plans per organizational requirements.

Auditing Guidance

  1. Examine policy related to the establishment and conduct of audits.
  2. Determine if audit programs are established and aligned to the requirements of the organization, including the audit charter.
  3. Determine if the organization upholds the independence of the audit program.
  4. Determine if the conduct of audits is defined, approved at the appropriate level, and reviewed for effectiveness.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.