One of the outcomes of the banking crisis was the realisation that the regulator had been a watchdog that didn't bark, let alone bite. There was an all-too-cosy relationship between the regulated and the regulator.
The old watchdog was put down and the new watchdog was very keen to show that it had teeth and that they worked. I don't know if the situation has slumped back into the old status quo. What I do know is that security is a topic where you have to be continually ratcheting up your capability. A toothless auditor is no help. Yes, an audit can be a painful process, but if it were easy I'd be worried.
My view is that an organisation shouldn't wait until the end of the year and sit quaking in fear at the sound of the auditor's tread. Some form of continuous improvement process needs to be in place, and it should include a RAID log (Risks, Actions, Issues, Decisions):
- Risks - Threats, real and potential
- Actions - Things done proactively to address risks, and things done reactively once a risk has materialised into an issue. These should also reference the decisions that authorised them.
- Issues - Risks that have become issues, as well as issues that snuck in under the radar
- Decisions - Who decided what, when it was decided, and the target date for implementation