The new GTAG, “Auditing Cybersecurity Operations: Prevention and Detection,” was created to help practitioners gain a better understanding of high-level control objectives of cybersecurity, allowing them to maximize the value they add during their audit engagements and advisory services.
In addition to offering guidance in these areas, the new GTAG directs practitioners to multiple resources that can dive deeper into any given subject area covered in the guide.
This guide will help the reader:
- Define cybersecurity operations and develop a working knowledge of relevant processes, including related governance and risk management controls.
- Identify components of cybersecurity operations, including contributions to system planning and development, as well as controls to prevent or detect cyber incidents.
- Consider relevant control guidance in widely used IT-IS control frameworks to increase the value of assurance and advisory services provided by the internal audit activity.
- Understand approaches to auditing cybersecurity operations, including specific controls that should be present and evaluated.
IIA members are invited to download this guidance and all guidance as a benefit of membership.
ADDITIONAL CYBERSECURITY RESOURCES
Register for Exploring the New GTAG “Auditing Cybersecurity Operations”, June 29, 2:00-3:00 p.m., where we’ll discuss commonly referenced external IT-IS control frameworks, explore ways to apply the content in the GTAG within an audit engagement, share personal experiences in auditing cybersecurity operations, and discover ways to address board-related inquiries regarding cybersecurity operations and related risks.
Examining Cybersecurity Concepts, in-person and online, this course explores common cyber-related frameworks, standards, and guidelines, and explains how to audit common cybersecurity solutions.
Internal Auditor Magazine: Building a Better Auditor: Four Skills Internal Auditors Should Develop Now, Jim Pelletier, CIA, March 22, 2022
Download this Guidance: GTAG: Assessing Cybersecurity Risk