Policy, Standards, Regulations & Compliance
RE: combining multiple audits
Dec 04 2005 11:04PM
Smith, Michael J. (Michael J Smith unisys com)
For the US Feds, we say that any former audits are a control out of NIST
SP 800-53 and roll the findings up from that audit into the
certification and accreditation of that system.
I think the bottom line is that a finding is a finding and it's
applicable to all standards. The trick is to have a requirements
traceability matrix (and by extension, a test and evaluation plan) that
lists *all* the standards that you are aiming for.
Michael J Smith michael.j.smith (at) unisys (dot) com
Information Security Architect
"Those who do not understand Unix are condemned to reinvent it, poorly."
> -----Original Message-----
> From: Vic N [mailto:vic778 (at) hotmail (dot) com]
> Sent: Sunday, December 04, 2005 4:50 PM
> To: psrc (at) securityfocus (dot) com
> Subject: combining multiple audits
> Is anyone having the discussion about combining multiple audits into
> single audit? For example, I'd like to combine the IT portion of the
> audit and the PCI audit into one audit to spare my IT teams multiple
> "visits" from auditors.
> At first blush, it seems an IT component that is evaluated within the
> standard as acceptable *should* (big should) probably also be
> However, it does not seem like it's a straight apples-to-apples
> but it may still be possible to combine multiple audits into one
> (less invasive) evaluation.
> Anyone else thinking about this?
Copyright 2010, SecurityFocus