Merging internal audit and information security officer function
As a part of ISMF, I have thought of the following representatives:
1. IT - infrastructure, application and operations
2. Business
3. HR
4. Compliance
5. Admin
6. Internal Control or Audit
Answer: If by "internal control" you mean the department that is performing the internal audit, then the answer is no: the internal auditor is in a conflict of interest with the security manager, so you cannot merge those two functions. See also this article: Chief Information Security Officer (CISO) - where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/
I assume that by "ISMF" you mean a coordination body for your information security. In this case, yes, I think you have chosen a good balance of people; only I think internal audit should not be a part of it, again because of the conflict of interest.
Jan 12, 2016