IV.A.4 Assurance Reporting
Reporting of self-assessments, penetration tests, vulnerability
assessments, and audits supports management decision making. Those
decisions may support a range of ITRM activities, including the
prioritization and funding of resource allocations and improvement
to existing information security policies and procedures.
Management should provide reports that are timely, complete,
transparent, and relevant to management decisions. The reports
should prioritize risk and findings in the order of importance,
suggest options for remediation, and highlight repeat issues.
Additionally, reports should address root causes. Reports should go
to individuals with the authority and responsibility to act on them,
to those accountable for the outcomes, and to those responsible for
advising on or influencing risk decisions.
Reporting should trigger appropriate, timely, and reliable
escalation and response procedures. Summary reports should be made
available to the board as appropriate.