Information risk planning involves a number of progressive steps: identifying potential risks to information, weighing those risks, creating strategic plans to mitigate them, and developing those plans into specific policies. It then moves on to developing metrics to measure compliance levels and identifying those who are accountable for executing the new risk-mitigating processes. These processes must be audited and tested periodically, not only to ensure compliance but also to fine-tune and improve the processes.
Q1. The metrics you have developed to measure risk mitigation effectiveness must also be used for audit purposes. What processes will you put in place to audit your compliance effort and determine whether your efforts are working? Is there a need to audit or examine the audit process itself, and if so, how often?