Are any of you on this group in organizations that are subject to multiple sets of internal or external audits that overlap? If so, how do you handle the duplication of work?
In my organization, we have external PCI audits, external ISO 27001 audits, external SAS70 audits, external Sarbanes-Oxley audits, plus we are required to do internal audits for ISO 27001 and Sarbanes-Oxley – most of which concentrate on the same things: general computing controls, the protection of sensitive data, and the integrity of our applications.
What is particularly frustrating to control owners/operators is having to answer the same questions and produce the same evidence time after time for these different audits. One thing that is helping is automation of many of these audited tasks (or automating the recordkeeping), which makes evidence collection easier.
Are any of you experiencing this? Please share.
I thought the whole point of ISO 27001 is that it “plugs into” all the other frameworks and you can just do that and satisfy all the others.
It would be nice if it worked that way, but it doesn’t seem to. There are several specific PCI controls, for instance, that are not addressed in ISO 27001 – not in detail anyhow.
And the problem with SOX and SAS70 controls is that every organization will have its own controls based upon their unique environment.
We use a system (software) that helps us to manage ISO 27001. This software has all ISO 27002, PCI and COBIT controls…
With this software you can map the ISO 27002, PCI, etc. best practices to your internal controls. It’s very easy and organized.
I think their website is http://www.axur.net