M5.5.1 - INFORMATION SYSTEMS AUDIT CONTROLS Implementation Guidance
The entity shall ensure that audit requirements and activities involving checks on operational systems are carefully planned and agreed to minimize the risk of disruptions to business processes.
Critical entities shall also take into account any other relevant NESA issuances, guidance, and activities in this regard.
The following guidelines should be observed:
- A. Audit requirements should be agreed with appropriate management
- B. The scope of the checks should be agreed and controlled
- C. The checks should be limited to read-only access to software and data
- D. Access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed, or given appropriate protection if there is an obligation to keep such files under audit documentation requirements
- E. Resources for performing the checks should be explicitly identified and made available
- F. Requirements for special or additional processing should be identified and agreed
- G. All access should be monitored and logged to produce a reference trail; the use of time-stamped reference trails should be considered for critical data or systems
- H. All procedures, requirements, and responsibilities should be documented
- I. The person(s) carrying out the audit should be independent of the activities audited