The 3 Key Phases of a CMMC Audit
An audit is not a one-day job; it is divided into three stages:
1. Pre-Assessment (Phase 1)
In this phase you perform a self-assessment or have a readiness review done. You prepare your SSP (System Security Plan) and your POA&M (Plan of Action and Milestones), which records every control that is not yet fully implemented and when it will be.
2. The Official Audit (Phase 2)
The C3PAO's assessors either come on site or conduct the audit remotely. They collect evidence using the three assessment methods defined in NIST SP 800-171A:
- Examine: reading your policies, procedures, and configuration files.
- Interview: asking IT staff and other employees questions to confirm that what the documents describe is what actually happens.
- Test: checking the systems themselves, for example whether firewalls and encryption are configured and working as the SSP claims.
3. Reporting & Certification (Phase 3)
The assessors submit their report to the Cyber AB. If you pass, your certification is valid for 3 years.
Audit Readiness Checklist
| Document/Control | Status required | Importance |
|---|---|---|
| System Security Plan (SSP) | Mandatory | Extreme (the foundation of the audit) |
| NIST SP 800-171 compliance | All 110 controls | High (required for Level 2) |
| Employee training logs | Required | Medium (operational evidence) |
| Incident Response Plan | Written and tested | High (critical for security) |
VIP Tips for Success
Most companies fail their audit because they have no evidence. Remember:
- Collect artifacts: it is not enough to say "we take backups"; you will have to show historical logs, backup job records, and restore tests that prove it.
- Close your POA&M: aim for zero open POA&M items at the final Level 2 assessment (all weaknesses fixed beforehand). A limited POA&M is tolerated only under the conditional-certification rules, and any item left open must be closed within 180 days or the certification lapses.
- Practice interviews: prepare your staff so they are not thrown by the assessors' questions.
Is your SSP ready?