Auditing2e ppt15 l04
Compliance
Lesson 4
Auditing Standards and Frameworks
Control Objectives
• High level, remain almost constant
• Describe organizational goals
Control Activities
• More specific
• Describe how to achieve goals
Descriptive
• High level
• Align IT with business goals
Prescriptive
• More specific
• Standardize IT operations and tasks
Criteria for evaluating a framework
• Industry acceptance
• Prioritization
• Reasoning
• Flexibility
• Depth and breadth
Policy Framework (diagram): Policies, Standards, Guidelines, Procedures, Controls
ISO 27001, NIST 800-53
▪ NIST 800-53
• Provides a comprehensive catalog of security controls
• Targeted at the federal government but widely used in corporations
• Controls include management, technical, and operational controls
• The catalog of controls is grouped into 18 families (as of Revision 4, current when these slides were written; Revision 5, published in 2020, reorganizes the catalog into 20 families)
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company
Auditing IT Infrastructures for Compliance www.jblearning.com Page 19
All rights reserved.
NIST Cybersecurity Framework
• Core
• Profile
• Implementation Tiers