Control & Process Reviews
Note: audit findings are triggers, but there is an important distinction to understand. Audits serve to validate that a process works and to look for ways to improve, but the audit is not part of the process. It is better to have review triggers in place than to wait for an audit to discover deficiencies.
One potential avenue is to take the triggers and define events in Event Management for proper handling. This newly defined process in ITIL v3 can help with the correct processing of these events when they happen.
To assist with the proper management of these combined documents, they should be managed as configuration items (CIs) in the configuration management system (CMS). The benefit of doing this is that they can be related to one another. The system can show what controls relate to what processes and what procedures roll up to what processes. In turn, these can be related to the IT services and business services. Thus, when there are changes in the environment it is easier to understand what needs to be reviewed.
In addition, by tracking controls, processes and procedures as CIs, key attributes can be tracked. This could include review date, relevant regulations, who owns the document, who needs to sign off, date put into production, and so forth.
In closing, organizations need to understand what controls and processes are needed to mitigate risks and achieve objectives. As time goes by, the environment the organization is in will evolve, as will the organization itself. In response, the controls and processes will need to change as well. It is best to plan in advance to understand what triggers should initiate control and process reviews, and to set a fixed time at which they are reviewed to see if they still reflect organizational needs.
George Spafford is a principal consultant with Pepperweed Consulting and a long-time IT professional. George's professional focus is on compliance, security, management and overall process improvement.