It looks like this user community is not very large. I've just started organizing our KCM instance and I'm curious how others are organizing their Audit activities within KCM.
My current plan is to create scopes relevant to particular Audits (e.g. SSAE SOC 1, SSAE SOC 2, PCI DSS) as well as a scope for our internal audit program. From there I'll be creating Requirements that fit with a high-level requirement of the Audit. So for example, for the SSAE SOC 1 Scope we would have "Control Objective 1: Controls provide reasonable assurance that security policies and procedures are in place and effectively ensure communication of information security practices."
Since the various Audits might have overlap and share similar controls/evidence, my plan is to create a single control in those cases that is not specific to the particular sub-objective within the SSAE SOC 1/SOC 2, etc., but then tag those controls with the relevant control within the particular audits (see below). My hope is this will reduce the amount of duplicated work that needs to be done across the various Scopes within KCM and provide greater visibility as to what maps across different scopes.
I'm curious to see what others are doing to reduce duplicated efforts and streamline the effectiveness of KCM?
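One way to model the cross-audit control tagging described in the post, as an added example that is not from the original post or from KCM itself: the scope names come from the post, while requirement ids, control ids and titles are constructed placeholders rather than official SOC 1 / SOC 2 / PCI DSS numbering.

```python
from collections import defaultdict

# Constructed sample data (placeholder requirement ids, not official framework numbering).
SCOPE_REQUIREMENTS = {
    "SSAE SOC 1": ["CO1", "CO2", "CO3"],
    "SSAE SOC 2": ["SOC2-POLICY", "SOC2-ACCESS", "SOC2-CHANGE"],
    "PCI DSS": ["PCI-POLICY", "PCI-ACCESS", "PCI-LOGGING"],
}

# One control per activity, tagged with every audit requirement it satisfies.
CONTROLS = {
    "CTRL-SEC-POLICY": {
        "title": "Information security policy reviewed and communicated annually",
        "tags": {"SSAE SOC 1": ["CO1"], "SSAE SOC 2": ["SOC2-POLICY"], "PCI DSS": ["PCI-POLICY"]},
    },
    "CTRL-ACCESS-REVIEW": {
        "title": "Quarterly user access review",
        "tags": {"SSAE SOC 2": ["SOC2-ACCESS"], "PCI DSS": ["PCI-ACCESS"]},
    },
    "CTRL-CHANGE-APPROVAL": {
        "title": "Change tickets approved before production deploy",
        "tags": {"SSAE SOC 1": ["CO2"], "SSAE SOC 2": ["SOC2-CHANGE"]},
    },
}


def requirements_to_controls(scope):
    """Map each requirement in a scope to the control ids that evidence it."""
    mapping = defaultdict(list)
    for control_id, control in CONTROLS.items():
        for req in control["tags"].get(scope, []):
            mapping[req].append(control_id)
    return dict(mapping)


def shared_controls(min_scopes=2):
    """Controls reused across at least min_scopes audits: the de-duplicated work."""
    return sorted(cid for cid, c in CONTROLS.items() if len(c["tags"]) >= min_scopes)


def coverage_gaps(scope):
    """Requirements in a scope that no control is tagged against (unmapped audit items)."""
    covered = requirements_to_controls(scope)
    return [r for r in SCOPE_REQUIREMENTS[scope] if r not in covered]


def evidence_requests():
    """Evidence collections needed if each control is gathered once vs. once per audit tag."""
    per_tag = sum(len(reqs) for c in CONTROLS.values() for reqs in c["tags"].values())
    return {"once_per_control": len(CONTROLS), "once_per_audit_tag": per_tag}
```

Running `coverage_gaps` for each scope before an audit cycle shows which requirements still have no tagged control, and `evidence_requests` quantifies how much collection the single-control approach saves.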