In discussions with various personnel it is quite striking how each person arrives at their own interpretation of a control and of the depth to which it needs to be implemented. The standard itself does not address this; it is left to the implementer and to the auditor to decide how they want to judge the effectiveness of an implementation. I would like to illustrate this with a discussion I had recently.
Until now, some of the aspects we look into while implementing a control are listed below:
- Is the cost of implementing the control less than or equal to the loss that the threat could cause the organization if it materialized?
- Does implementing the control enable process improvements?
- Is implementing the control required by legal, regulatory or contractual obligations?