ISACA has released an audit program or checklist to guide IT audits or reviews of the processes and systems supporting the management of information security incidents. It is free to ISACA members. It offers a well-structured suite of issues to review and questions to ask. I like the fact that it identifies relevant requirements from COBIT and COSO, and covers the forensic aspects of incident investigation.
However, despite being 43 pages long, it almost completely ignores the final stages of a good-practice incident management process, where the organization applies the learning from incidents (including near misses) in order to improve its controls. This significant weakness in the audit program presumably stems from a corresponding weakness in COBIT and COSO, or at least from the checklist's author failing to identify and address those requirements. Naturally, our own incident management Internal Controls Questionnaire (supplied as part of this month's NoticeBored security awareness module) covers the entire process, and would suggest a number of additional checks and questions to add to the ISACA checklist for a more comprehensive review.