2.3. Evaluating IS Policies, Standards, and Procedures

There are three levels of documentation that you will need to evaluate in order to determine how well the IS organization manages the pervasive control exerted by its documented guidance and direction. Each level is distinct and needs to be examined for different attributes. The top level of this documentation is policy. Policy is a mandate and directive from the top of the organization. Its purpose is to influence behavior. Through it, management provides the overarching principles under which the business operates. It should not vary in its message or enforcement model. Policies should withstand the test of time and are often ideals requiring interpretation.

The next level of documentation is the standard used to guide the daily operations and management decisions. Standards are not mandates but common ground where uniform actions will lead to predictable results. Without standards, costs get out of control and management of information systems is rarely efficient and effective. In fact, getting control of what is going on, from a process and functions standpoint, is largely why standards are necessary and desirable. Standards tend to be more dynamic than policy and often are more technologically specific.

The third level of documentation you will assess as an IS auditor is procedures. Guidelines and direction on how to get things done fall into this category of documentation. Procedures are process specific ...
