

Wednesday, July 25, 2007

It looks like you just propose a new list of controls. Are a control and a process the same thing?

Processes and controls are different things. Both can be audited by testing them. For example, a control such as "No information or information systems should be removed from the premises without authorization" can be audited by attempting to remove an information system from the premises without authorization and seeing whether the attempt succeeds.

Process results are defined (work products), so it is clear what has to be done to implement the process, and the process can be improved using process metrics. Controls, on the other hand, have no defined result, which makes them less management-friendly: a malfunctioning control produces no information (no result) that would show what went wrong, so there is nothing on which to base a management decision to fix it.

