
Controls Inventory

When was the last time we took our controls inventory? Do we know what controls are in place, when those were designed and if still working as intended?

Share with us what steps your organization has taken to maintain updated controls documentation.

Comments

RE: Controls Inventory

The first step I found was literally finding the controls - reviewing documented ways of working to find the mandates. In some cases procedures / work instructions had "implied" mandates; in other cases it wasn't clear from the wording whether something was mandatory or not.

Having found the mandates, we then reworded them into clear control statements with a numbering system based on COBIT practice areas, in doing so building a complete inventory of controls and linking them to control objectives.

A risk based approach was used to confirm the requirement and applicability of controls.

Reviewing controls was required initially on a quarterly basis, as control effectiveness was assessed on an ongoing basis, moving towards a six-monthly (in some cases annual) review.
Phil Green at 1/1/2016 1:38:06 PM

RE: Controls Inventory

We are validated for PCI-DSS every year. So in this process, we look at the controls mandated by PCI-DSS and do a calibration if something is not working. Additionally, I have seen this work for an organisation certified for ISO standards.
Shruti Kulkarni at 6/1/2016 11:06:21 AM
