CHAPTER 10: PLANNING, RUNNING AND REVIEWING INFORMATION RISK MANAGEMENT ASSIGNMENTS
An information risk manager/auditor may be asked to undertake a variety of assignments using their specialist knowledge and skills. These could be:
• A regular review or audit of a particular topic to provide ongoing compliance comfort (e.g. part of an internal audit plan or regular management testing for Sarbanes-Oxley compliance).
• Work as part of a bigger team on a large assignment (e.g. the external financial audit of an entity, due diligence review of a potential acquisition target).
• A specific review of a particular issue (e.g. response to a denial of service attack, health check review of an ERP implementation project).