IT:AD:Information Security Controls Validation Plan (CVP)

Supports the IT:AD:Controls Validation Audit (CVA) Report.

The CVP defines the approach that will be taken to validat if the Security Controls for a system have been implemented and operate effectively.


  • Identified required controls from the IT:AD:Risk Assessment (RA) Report.
  • Mapped the identified controls to the appropriate Risks
  • Mapped the controls to the relevant NZISM controls (version x.x)
  • Provide the methodology that will be used to verify each control.
  • Format:
    • Control ID, Description, NZISM Area, Key Risks, Priority, Test Approach and Methodology, Control Category (Enterprise/Project)

class CVA
class CVP