Expert Advice Community

Merging internal audit and information security officer function

Guest user. Created: Jan 12, 2016. Last commented: Jan 12, 2016.

Can I appoint the head of my internal control department as ISO and he would also monitor the internal audit team?
DejanK, Jan 12, 2016

As a part of the ISMF, I have thought of the following representatives:
1. IT - infrastructure, application and operations
2. Business
3. HR
4. Compliance
5. Admin
6. Internal Control or Audit

Answer: If by "internal control" you mean the department that is performing the internal audit, then the answer is no: the internal auditor is in a conflict of interest with the security manager, so you cannot merge those two functions. See also this article: Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

I assume that by "ISMF" you mean a coordination body for your information security; in this case, yes, I think you have chosen a good balance of people. Only, I think internal audit should not be a part of it, again because of the conflict of interest.
