Include provisions for legislative plurality and legislative domain in the audit program.


CONTROL ID
06959
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A process should be established for ensuring compliance with relevant legal and regulatory requirements affecting Information Security across the organization, which covers general legislation which has security implications (e.g., data privacy, investigatory powers, intellectual property, and human… (SR.02.01.02b, The Standard of Good Practice for Information Security)
  • A process should be established for ensuring compliance with relevant legal and regulatory requirements affecting Information Security across the organization, which covers general legislation which has security implications (e.g., data privacy, investigatory powers, intellectual property, and human… (SR.02.01.02b, The Standard of Good Practice for Information Security, 2013)
  • Physical controls and attestation mechanisms shall be designed to address the requirements of legislative plurality and their results shared with tenants. (FS-04, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • The audit programme, including any schedule, shall be based on the results of risk assessments of the organization’s activities, and the results of previous audits. The audit procedures shall cover the scope, frequency, methodologies and competencies, as well as the responsibilities and requiremen… (§ 9.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • When considering the relevance of the service auditor's specialist's field of expertise to the engagement, the service auditor should consider (a) whether the specialist's field includes areas of specialty relevant to the engagement, (b) whether professional or other standards and regulatory or lega… (¶ 2.164, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Appropriate engagement documentation being maintained to provide evidence of achievement of the practitioner's objectives and that the engagement was performed in accordance with the attestation standards and relevant legal and regulatory requirements (AT-C Section 105.33 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Proper planning and supervision contribute to the effectiveness of attest procedures. (AT 101.43, Public Company Accounting Oversight Board Attestation Standards, Section 101)