712-50 Exam Questions

712-50 Exam - Question 113


Scenario: You are the CISO and have just completed your first risk assessment for your organization. You find many risks with no security controls, and some risks with inadequate controls. You assign work to your staff to create or adjust existing security controls to ensure they are adequate for risk mitigation needs.

When adjusting the controls to mitigate the risks, how often should the CISO perform an audit to verify the controls?

Correct Answer: AC

Performing an audit annually is a standard practice in many organizations. It provides a regular and systematic review of security controls to ensure they are still effective in mitigating risks. Annual audits balance thoroughness with practicality, ensuring that controls are regularly reviewed without being overly burdensome on resources.

Discussion

6 comments
Pika26 (Option: C)
Mar 22, 2023

Answer is C. Annually.

Otto_Aulicino
Dec 16, 2021

Is this related to the fact that either internal audit or external audit should be doing so, not the CISO? Because to me, it seems like a good idea to audit the controls.

Otto_Aulicino
Dec 16, 2021

Even the next question, #332 is somewhat in line with what I am saying on previous comment. When you implement the control, you check its effectiveness, which could be qualified as an audit.

Perseus_68 (Option: C)
Feb 23, 2024

Unsure. Everything should be done at least annually, but is this question about independence? For example, the CISO and the team could test and measure a control, but should they audit their own implementation, or should that come from the audit team that is typically under the CFO? In that case the CISO should not audit its own work....

Emporeo (Option: C)
Mar 23, 2024

Controls should be monitored; in that case it can be via audit. Suggest annually.

johndoe69 (Option: C)
Jul 19, 2024

Annually: Performing an audit annually is a standard practice in many organizations. It provides a regular, systematic review of security controls to ensure they are still effective in mitigating risks. This frequency balances thoroughness with practicality, ensuring that controls are regularly reviewed without being overly burdensome on resources.