Smaller scope audits are grouped together into a general annual infosec audit. The annual infosec audit contains the following audits:

  1. Log retention - per policy logs must be retained for a minimum of 1 year.

Larger scope audits are broken out into specific deliverables:

  1. Annual InfoSec Audit - IT shall verify various policies (that require a an annual audit) are being followed as specified. Digital signature as artifact.
  2. Annual Information Security Policy Review - All policies and procedures shall be reviewed per the guidelines set forth in the Management Oversight Policy and Procedure.
  3. Annual Information Systems Review - All existing systems must be reviewed every 3 years. The 'information systems inventory' shall be the basis for this review (Reference System Acquisition). When the annual audit is performed, any system at the 3 year mark shall be reviewed.