First, go to the partition where you want to store a standard list of security measures (the System description section in the audit report). If you do not already have a partition dedicated to security measure templates, it is recommended that you create a new partition for this purpose.
What is a Description of Security measures / IT controls?
The description of security measures is the Client's own formal description of the security measures (or general IT controls) defined in the organisation to ensure adequate control of the IT systems supporting the business.
In the final audit report, you may have a dedicated System description section that sets the scope for the IT audit and becomes the basis for what is tested and assessed during the audit.
What is the purpose of creating standard security measures in a dummy partition?
In the long term, it is effective for the customer to have their general description of security measures documented in their own partition, since this information can be re-used in future assessments, where they can review the existing content. The client also has the opportunity to bring each security measure into the context of specific activities, systems or contracts if they choose to purchase their own licence to the platform and maintain their processing activities, systems and contracts in the Complyon platform. They can then re-use the security measures from the IT audit when they assess risks and implement actual controls through the Complyon platform.
For the auditor, it can be effective to maintain a master list of security measure descriptions in one partition and copy these to the relevant customers/partitions. This gives the auditor the opportunity to send out the standard descriptions in the documentation collection task, so that less mature customers who want examples of these descriptions can read through them and edit them into their own words. If the customer is not interested in any description examples, this step can be skipped entirely.
Create standard descriptions of security measures
Go to the Measure section under Settings, or use the shortcut here.
Click on the green "create new measure" button in the upper right corner.
Write the name of the security measure in the name field and choose a relevant Category, or create a new Category by clicking on the "+" button.
When you create a security measure category for the purpose of including it in the audit assessment, it is important to choose the scope "Assessment". The Category and its underlying security measures will then be available in assessment projects. It is also possible to include other scopes, such as Activity, System and Contracts. This makes the measures available on specific assets (e.g. a system). Note that creating a Category named Introduction can be useful in Assessments for reporting purposes. It is not mandatory to create any underlying security measures under a Category.
Note that in the end report, the Category appears as a headline and the description of the Category as the main paragraph. Each security measure appears as a sub-headline, and the description of the security measure as a sub-paragraph. The following is an example of how such a hierarchy is structured:
The objective of this description is to provide information to XXX A/S customers and their auditors concerning the requirements laid down in the international auditing standard for assurance reports on the controls at a service organisation. (Category description)
Access management (Category)
The way the granting of access is handled is described in a policy document. The policy is part of our IT security policy. (Category description)
- Periodical re-certification of access rights (Security measure)
- Periodically, i.e. once a year, we review the internal systems of the company, including user profiles and access levels, to ensure that the procedure related to the termination of employment is followed and that customers' data cannot be accessed by former employees of XX A/S. (Security measure description)
- Role based access to customer data (Security measure)
- Access to customer data is managed through user profiles. Our customers may create and revoke access to user profiles as they see fit, including for XX's staff members and other external parties. XX retains a super user that may be used to provide professional services, e.g. creating new clients, adding new modules to an existing client, extracting data based on customer requests, counting licences, etc. (Security measure description)
When your standard security measure descriptions are done, you can start copying them to other partitions. See here for how to do so.