Audit policies, standards, and procedures.


CONTROL ID
12927
CONTROL TYPE
Audits and Risk Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Audit cybersecurity risk management within the policies, standards, and procedures of the organization., CC ID: 13011


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Where in any law for the time being in force, there is a provision for audit of documents, records or information, that provision shall also be applicable for audit of documents, records or information processed and maintained in electronic form (ITAA 2008, Standing Committee Recommendation) (§ III.7A ¶ 1, India Information Technology Act 2008, 2008)
  • A financial institution's governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks and in payments (for PSPs) to provide independent assurance of their effectiveness to… (3.3.6 25, Final Report EBA Guidelines on ICT and security risk management)
  • The management body of an institution or payment institution 44 that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolid… (4.7 41, Final Report on EBA Guidelines on outsourcing arrangements)
  • the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; (4.10 51(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • The ICT risk management framework of financial entities, other than microenterprises, shall be subject to internal audit by auditors on a regular basis in line with the financial entities' audit plan. Those auditors shall possess sufficient knowledge, skills and expertise in ICT risk, as well as app… (Art. 6.6., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews. (Art. 11.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The management level must regularly check the performance and assess the security process (management assessment). If required (e.g. if a number of security incidents occur or there are significant changes to the framework conditions), corresponding audits and assessments must be performed between t… (§ 4.3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The entity tests the effectiveness of the key administrative, technical and physical safeguards protecting personal data, periodically and as required by entity policy, or by relevant, applicable laws or regulations. (S7.5, Privacy Management Framework, Updated March 1, 2020)
  • Obtain independent assurance (internal or external) about the conformance of IT with relevant laws and regulations; the organisation's policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT. (ME4.7 Independent Assurance, CobiT, Version 4.1)
  • Implement, communicate, manage, enforce, and audit policies, related procedures and standards to ensure that they operate as intended and continue to be relevant. (OCEG GRC Capability Model, v. 3.0, P2.4 Implement and Manage Policies, OCEG GRC Capability Model, v 3.0)
  • the requirements of this International Standard; (§ 9.2.1 ¶ 1 a) 2), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the organization's own requirements for its environmental management system; (§ 9.2.1 ¶ 1 a) 1), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • is effectively implemented and maintained. (§ 9.2 ¶ 1 b), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • is effectively implemented and maintained. (9.2.1 ¶1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • is effectively implemented and maintained. (§ 9.2.1 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • An independent audit function tests security controls and information security policies. (GV.AU-1.3, CRI Profile, v1.2)
  • An independent audit function reviews cybersecurity practices and identifies weaknesses and gaps. (GV.AU-3.1, CRI Profile, v1.2)
  • An independent audit function tests security controls and information security policies. (GV.AU-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • An independent audit function reviews cybersecurity practices and identifies weaknesses and gaps. (GV.AU-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. (§ 3555(a)(1), Federal Information Security Modernization Act of 2014)
  • An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation. (§ 160.306(c)(3), 45 CFR Part 160 - General Administrative Requirements)
  • Formal audits are conducted to ensure compliance with applicable statutes, regulations and policies. (§ 5.11 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Independent audit or review evaluates policies, procedures, and controls across the institution for significant risks and control issues associated with the institution's operations, including risks in new products, emerging technologies, and information systems. (Domain 1: Assessment Factor: Risk Management, AUDIT Baseline 3 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determine whether the board and senior management engage qualified audit or use other independent review functions to assess the AIO design, implementation, and operational effectiveness, including the adequacy of policies and procedures and the effectiveness of controls. Evaluate the appropriatenes… (App A Objective 2:11, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The application of independent quality assurance or internal audit reviews to customer relationships in general and to customer monitoring activities in particular; (App A Tier 2 Objectives and Procedures M.4 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the sufficiency of policies, procedures, member information systems, and other arrangements in place to control risks. (§ 748 Appendix A. III.B.3., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Review, conduct, or participate in audits of cyber programs and projects. (T0533, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review, conduct, or participate in audits of cyber programs and projects. (T0533, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 1, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)