Audit a monitoring

Kompletní šablona

Potřebujete kompletní šablonu této směrnice přizpůsobenou vaší organizaci? Zjistit více →

Verze: 1.0 | Efektivní od: 1. ledna 2026

---

1. Účel

Tato směrnice definuje požadavky na audit, monitoring a kontinuální zlepšování compliance programu.

---

2. Audit Program

2.1 Typy auditů

Typ	Frekvence	Scope	Provádí
Internal audit	Čtvrtletně	Rotující oblasti	Compliance Officer
External audit	Ročně	Full ISMS	External auditor
Compliance check	Pololetně	Regulatorní požadavky	DPO + CISO
Penetration test	Ročně	Full scope	External vendor
Vulnerability scan	Měsíčně	All systems	IT Security

2.2 Internal Audit Program

2.3 Audit Process

---

3. Continuous Monitoring

3.1 Security Monitoring

Oblast	Monitoring	Nástroj	Alert threshold
Authentication	Failed logins	SIEM	>5 failures / 10min
Access	Privileged access	PAM	Any admin access
Network	Traffic anomalies	IDS/IPS	Signature match
Endpoint	Malware detection	EDR	Any detection
Application	Error rates	APM	>1% error rate
Data	Sensitive data access	DLP	Any PII export

3.2 Compliance Monitoring

Regulace	Metrika	Target	Měření
AI Act	AI inventory completeness	100%	Čtvrtletně
AI Act	High-risk AI documentation	100%	Měsíčně
NIS2	Patch compliance	>95%	Měsíčně
NIS2	Incident response time	<4h (critical)	Při incidentu
GDPR	DSAR response time	<30 days	Každý DSAR
GDPR	Breach notification	<72h	Při breach

3.3 Monitoring Dashboard

COMPLIANCE DASHBOARD

OVERALL COMPLIANCE SCORE: 78%

Regulace	Score
AI Act	65%
NIS2	72%
GDPR	85%

OPEN FINDINGS: Critical: 2 | High: 5 | Medium: 12

RECENT ACTIVITY:

• [Today] Security scan completed - 3 new vulnerabilities
• [Yesterday] DSAR-2026-045 closed
• [2 days ago] AI-003 risk assessment updated

---

4. Key Performance Indicators

4.1 Security KPIs

KPI	Target	Current	Trend
Patch compliance (critical)	>99%
Patch compliance (high)	>95%
MFA adoption	100%
Phishing click rate	<5%
Mean time to detect (MTTD)	<1h
Mean time to respond (MTTR)	<4h

4.2 Privacy KPIs

KPI	Target	Current	Trend
DSAR response time	<30 days
DSAR compliance rate	100%
Data mapping accuracy	>95%
DPA coverage	100%
Privacy training completion	100%

4.3 AI Governance KPIs

KPI	Target	Current	Trend
AI inventory completeness	100%
Risk classification coverage	100%
High-risk AI documentation	100%
Bias testing frequency	Monthly
AI incident rate	<1/quarter

---

5. Risk Register

5.1 Risk Register Template

Risk ID	Popis	Kategorie	Likelihood	Impact	Score	Status	Mitigace
RISK-001		AI/NIS2/GDPR	1-5	1-5	L×I	Open/Mitigated

5.2 Risk Review Process

Frekvence	Aktivita
Weekly	New risks identification
Monthly	Risk register review (CISO + DPO)
Quarterly	Risk treatment plan update (C-level)
Annually	Full risk assessment refresh

5.3 Risk Acceptance

Kritéria pro akceptaci rizika:

Risk Score	Akceptace	Approval
1-5 (Low)	Automaticky	Risk owner
6-12 (Medium)	S mitigací	CISO/DPO
13-20 (High)	Výjimečně	CTO + CEO
21-25 (Critical)	Nikdy	N/A

---

6. Reporting

6.1 Report Schedule

Report	Audience	Frekvence
Security metrics	IT Management	Týdně
Compliance status	C-level	Měsíčně
Risk register	Board	Čtvrtletně
External audit	Board + Regulators	Ročně

6.2 Monthly Compliance Report Template

MONTHLY COMPLIANCE REPORT — MĚSÍC YYYY

1. EXECUTIVE SUMMARY - Overall compliance: XX% | Key highlights: […] | Key concerns: […]
2. REGULATORY COMPLIANCE - AI Act: XX% | NIS2: XX% | GDPR: XX%
3. SECURITY METRICS - Incidents: X | Vulnerabilities: X | Patch compliance: XX%
4. PRIVACY METRICS - DSARs: X | Avg response: X days | Breaches: X
5. OPEN FINDINGS - [List of critical/high findings]
6. UPCOMING - [Key deadlines and activities]
7. RECOMMENDATIONS - [Actions for management]

---

7. Continuous Improvement

7.1 PDCA Cycle

7.2 Lessons Learned

Po každém incidentu nebo auditu:

1. Document - Co se stalo
2. Analyze - Root cause
3. Identify - Co zlepšit
4. Implement - Změny
5. Verify - Efektivita

7.3 Improvement Register

ID	Zdroj	Popis	Status	Deadline
IMP-001	Incident
IMP-002	Audit

---

8. Documentation Requirements

8.1 Retention Schedule

Dokument	Retention	Poznámka
Audit reports	5 let	Po ukončení audit cycle
Compliance evidence	5 let	Pro regulatory inspections
Risk assessments	5 let	Po ukončení platnosti
Training records	3 roky	Po odchodu zaměstnance
Meeting minutes	3 roky
Metrics data	2 roky	Pro trend analysis

---

9. Tools & Systems

9.1 Recommended Tools

Kategorie	Nástroj	Účel
GRC	OneTrust, ServiceNow	Compliance management
SIEM	Splunk, Elastic, Sentinel	Security monitoring
Vulnerability	Qualys, Nessus, Tenable	Scanning
DLP	Microsoft Purview, Symantec	Data protection
PAM	CyberArk, BeyondTrust	Privileged access
Training	KnowBe4, Proofpoint	Security awareness

---

10. Policy Review

• Měsíčně: Security metrics review
• Čtvrtletně: Audit findings review, risk register update
• Pololetně: Policy effectiveness assessment
• Ročně: Full policy review + external audit

Příští revize: Q2 2026