Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings; review and report remediation status to relevant stakeholders.
The organization should document a well-defined remediation plan that includes:
- Remediation tasks and their risk levels.
- Proactive, continuous monitoring (where applicable) to identify anomalies using a risk-based approach.
- Specific task owners.
- Milestones with due dates.
- Deliverables and current status.
The organization should document, communicate, and enforce change management best practices for addressing audit findings, prioritizing corrective actions according to risk.
- Examine whether the policy defines the expected outputs of audits.
- Determine whether audit findings are reviewed and whether appropriate reports are made available to users and senior management.
- Determine whether risks identified from audit findings, and any changes to those risks, are made available to users.
- Determine whether proposed corrective actions are planned in alignment with the organization's risk profile.
- Determine whether a process exists to track changes in risk rating and whether it is used to update risk registers, particularly with regard to residual risk.
- Examine a sample of proposed corrective actions and determine whether they were followed up in a manner consistent with the organization's policy.
- Examine audit programs to determine if they are subject to continuous improvement through feedback, review and revisions.
- Examine if a process exists to review the audit program in light of current and past audits.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.