Audit Policy

1. Purpose

The purpose of this policy is to inform all DefectDojo employees and external parties with access to DefectDojo equipment, systems, or networks (collectively, DefectDojo Staff) of their obligations regarding the auditing of all systems, networks, and IT assets for which they are assigned ownership or maintenance responsibility.

2. Scope

This policy covers audit management as applied to information security and to the confidentiality, integrity, and availability of information that is company-owned, processed, stored, or transmitted.

3. Compliance

3.1 Compliance Measurement

The Information Security Management team will verify compliance with this document through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the document owner.

3.2 Exceptions

Any exception to the policy must be reviewed and approved in advance by the Management Review Team.

3.3 Non-Compliance

Any DefectDojo Staff found to have violated this document may be subject to disciplinary action, up to and including termination of employment.

3.4 Continual Improvement

This document is reviewed and updated as part of the continual improvement process.

4. Requirements

4.1 DefectDojo Staff Supporting Audits

  • All DefectDojo Staff will actively support evidence and interview requests from internal and external auditors.
  • DefectDojo Staff will provide truthful and detailed answers and evidence when requested.
  • Staff will support audits in a way that keeps operational systems and tasks running, so that auditing does not interrupt company performance.
  • If a staff member is concerned that an audit will interrupt business operations, they must immediately escalate to Senior Management or to the individual in charge of the audit.

4.2 Security Operations Team

The Security Operations Team will adhere to the following principles for performing audits:

4.2.1 Impact Minimization

  • Conduct audits in a secure manner, with minimal operational impact and minimal security risk to DefectDojo, its customers, and its partners.
  • Whenever possible, gather audit evidence with automated tooling rather than by hand.

4.2.2 Audit Scheduling

  • Internal and external audits will be conducted against the required frameworks at scheduled, regular intervals, planned so as to prevent disruption to business operations.
  • Automated evidence collection will be used to provide ongoing monitoring alongside scheduled point-in-time assessments.

4.2.3 Auditor Screening and Vetting

  • Selected auditors will pass relevant screening and background checks and will possess applicable auditing experience and certifications.

4.2.4 Audit Scope

  • Audit requirements and scope must be approved by the Director of Risk and Compliance before execution.
  • The audit plan should cover all elements of aligned framework(s) wherever feasible.

4.2.5 Auditor Access

  • Access to systems and data for auditing purposes is granted according to the principle of least privilege.
  • Auditor access to internal information systems will be logged and monitored so that it can itself be audited.

4.2.6 Confidential Information and Retention

  • Implement appropriate controls for external auditors, including contractual non-disclosure agreements.
  • Establish and agree upon retention periods for data supplied to external auditors.

4.2.7 Auditor Objectivity

  • Auditors are selected to ensure objectivity and impartiality throughout the audit process.

4.2.8 Audit Documentation and Reporting

  • Audits will be properly documented, and the necessary information will be reported to management.
  • Audit findings will be tracked until closure, or added to the Risk Register if no closure is planned.

5. Relevant Documents

  • Audit Procedure