1. Overview
COM-03 Internal Audits of the Information Security Management System

Designation | Standard

COM-03.01B
Subject matter experts check, at regular intervals and at least annually, that the information security management system complies with the relevant and applicable legal, regulatory, self-imposed or contractual requirements (cf. COM-01) by means of internal audits. These checks cover:
1. Compliance with the policies and procedures (cf. SP-01) within their scope of responsibility (cf. OIS-01); and
2. Effectiveness of organisational and operational measures to manage the risks posed to the security of network and information systems (cf. OIS-07).
Subject matter experts may, for example, belong to the cloud service provider's internal audit department or be expert third parties commissioned by the cloud service provider, such as auditing firms, and may hold relevant certifications such as 'Certified Internal Auditor (CIA)'.
With regard to ISMS compliance, cf. section 9.2 of ISO/IEC 27001, which sets out the requirements for conducting internal audits of an Information Security Management System (ISMS) and for establishing an internal audit programme. When establishing the internal audit programme(s), the cloud service provider should define the scope and criteria by considering the importance of the processes concerned and the results of previous audits. This approach allows the cloud service provider to set the audit scope according to how critical compliance with the relevant legal, regulatory or contractual requirements (cf. COM-01) and internal policies and procedures (cf. SP-01) is, without requiring a comprehensive review of all requirements in every audit cycle.

COM-03.02B
Subject matter experts conducting internal audits are not within the line of authority of the personnel of the area under review. If the size of the cloud service provider does not allow such a separation of the line of authority, alternative measures to guarantee the impartiality of compliance checks are put in place.

COM-03.03B
Identified vulnerabilities and deviations, as well as non-conformities with the applicable legal, regulatory, self-imposed and contractual requirements relevant to the information security of the cloud service, are subjected to a risk assessment in accordance with the risk management procedure (cf. OIS-07). Follow-up measures are defined and tracked (cf. OPS-18).

COM-03.01AC
Based on a risk assessment (cf. OIS-07) and technical feasibility, the cloud service provider decides to what extent internal audits are supplemented by procedures that automatically monitor applicable requirements of policies and procedures with regard to the following aspects:
1. Configuration of system components to provide the cloud service within the cloud service provider's area of responsibility;
2. Performance and availability of these system components;
3. Response time to incidents and security incidents; and
4. Recovery time (time to completion of error handling).

COM-03.02AC
Identified vulnerabilities and deviations are automatically reported to the appropriate cloud service provider's subject matter experts for immediate assessment and action.

COM-03.03AC
The cloud service provider provides interfaces to cloud service customers so that they can check compliance with selected contractual agreements in real time.

2. Identified Requirements
Source | Requirement

3. Related Regulations
Source | Regulation