Processes and controls are different. Both controls and processes can be audited by testing them. For example, a control like "No information or information systems should be removed from the premises without authorization" can be audited by trying to remove an information system from the premises without authorization.
Process results are defined (Work Products), so it is very clear what to do to implement the process, and the process can be improved using its process metrics. Controls, on the other hand, don't have a defined result, which makes them less management-friendly: a malfunctioning control doesn't produce the information (result) needed to learn what went wrong and take a management decision to fix it.
ISM3: www.ism3.com