Control Matrix 2805
-
Facing problems in maintaining the Control Matrix.
How exactly should it look, and what are the key fields that need to be part of the Control Matrix?
Any help is appreciated.
Thanks
-
There is no standard or mandated format for the matrix.
I would suggest that it include the following information:
Identified risk
Control that covers the risk
FS assertion related to the risk
Risk level (low, medium, high)
Who performs the control
Frequency with which the control is performed
Whether the control type is prevent or detect
Whether the control is manual or automated or a combination
Accounts covered by the control (BS and IS)
There are probably other attributes that can be added to this list. This is what we have in our control matrices.