A&A-06: Remediation

Control Family: Audit & Assurance

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set and incorporates the following controls from the previous version: GRM-10: Risk Assessments, GRM-11: Risk Management Framework.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings; review and report remediation status to relevant stakeholders.

Implementation Guidance

The organization should document a well-defined remediation plan that includes:

  1. Remediation tasks and their risk levels.
  2. Proactive, continuous monitoring (where applicable) to identify anomalies using a risk-based approach.
  3. Specific task owners.
  4. Milestones with due dates.
  5. Deliverables and current status.

The organization should document, communicate, and enforce change management best practices for addressing audit findings, prioritizing the work with a risk-based approach.

Auditing Guidance

  1. Examine if the outputs of audits are defined by the policy.
  2. Determine if the audit findings are reviewed and if appropriate reports are made available to users and senior management.
  3. Determine if the identification of risks from audit findings, or changes to them, is made available to users.
  4. Determine if corrective actions proposed are planned to align with the organization's risk profile.
  5. Determine if a process exists to track changes in risk rating and is used to update risk registers, particularly with regard to residual risk.
  6. Examine a sample of proposed corrective actions and determine if they were followed up in a manner consistent with the organization's policy.
  7. Examine audit programs to determine if they are subject to continuous improvement through feedback, review and revisions.
  8. Examine if a process exists to review the audit program in light of current and past audits.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.