This document discusses how maintaining cybersecurity documentation and controls evidence can help organizations prepare for audits and risk assessments more efficiently. It provides two lists of the key documentation and evidence that regulatory agencies expect organizations to have: List A includes policy, procedures and general documentation, while List B focuses on cybersecurity controls evidence. The document recommends investing in a Governance, Risk and Compliance (GRC) application to help organizations effectively gather and maintain this documentation and evidence.

1. Restricting
Authenticating
Tracking
User Access?
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
This paper is your guide to more efficient and effective audits and risk assess-
ments. Consistency in managing your cyber security controls not only reduces
the time required to prepare for audits and risks assessments, it also makes any
organization more secure—especially in the event of security breaches.
Any regulatory agency that governs an organization provides it with guidance
and a checklist of expectations for audits and risk management. HIPAA, for
example, has the Audit Protocol ; GLBA uses the FFIEC IT Examination
Hand Book ; PCI provides the Report on Compliance template ; and many of
the regulations and standards use the NIST Cyber Security Framework . All of
these are very similar in terms of what they expect you to have in place to
demonstrate that your practices match what you have documented.
VIMRO helps clients prepare for these audits, and also conducts audits/as-
sessments for HIPAA, GLBA, and PCI (VIMRO is a PCI-QSA ), etc. Based
on the commonly requested items for these regulations, we include below two
lists describing what we request for cybersecurity documentation and controls
evidence.
One of the biggest challenges for our clients is gathering and maintaining
both cybersecurity documentation and controls evidence. This is why a Gov-
ernance, Risk, and Compliance (GRC) application is a must-have control in
which successful organizations invest, and why the GRC is item #1 on List B.
“A guide to
efficient and
effective audits
and risk
assessments.”
Cyber Security Audits and Risk Management
Two interdependent lists everyone should have!

2. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
The table below explains how a GRC solution addresses some of the challenges.
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Cyber Security Audits and Risk Management
Two interdependent lists everyone should have!
Authored by VIMRO’s Cybersecurity Leaders

3. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
VIMRO is vendor-agnostic, meaning that we do not sell any products,
nor are we paid by any vendor to promote their products. We do however,
help and guide our customers in choosing the most effective products,
such as GRC solutions, based on client requirements.
Whether you are just considering a GRC solution, or are in the middle of
a GRC implementation project, ensure that you have the documents and
evidence we list in this paper’s Lists A and B. Many of our clients conduct
the GRC project in parallel with documentation/evidence collection
projects. By referring to the lists, there is a lot of work required from
both a security-technology mechanisms and a documentation perspective.
Your goal is to have a GRC solution in place, along with the cybersecurity
documentation and controls evidence required to demonstrate compli-
ance and secure practices. With this goal met, your audit and risk manage-
ment process is optimized, and your focus can shift to proactively main-
taining an optimized process rather than reacting to audit requests.
Contact VIMRO to discuss how we can help you implement your policy
and procedures, evidence controls, and GRC initiatives.
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Success depends on
the documents and
evidence identified in
the two interdependent
Lists A and B
Cyber Security Audits and Risk Management
Two interdependent lists everyone should have!

4. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
LIST A
Policy, Procedures
and
General Documentation
Request List

5. COPYRIGHT © 2015 VIMRO, LLC. ALL RIGHTS RESERVED. ALL REFERENCED COMPANY NAMES AND LOGOS ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS
(800) 272 0019
Ashburn, VA | Baltimore, MD | Boston, MA | Glendale, CA | Las Vegas, NV | Reston, VA | San Diego, CA | Tampa, FL
Authored by VIMRO’s Cybersecurity Leaders
Cyber Security Audits and Risk Management
Two interdependent lists everyone should have!
List B
Cybersecurity
Controls Evidence
Request List
Authored by VIMRO’s Cybersecurity Leaders