Cyber Security Audit and Assurance
Role overview
Those in the Cyber Security Audit and Assurance role use their knowledge and experience to understand business scenarios, communicate the issues and recommend next steps. They support and guide others in the Cyber Security Audit and Assurance specialism.
Verify that the specified cyber security controls have been implemented in accordance with the risk management plan, with assessments of threats and vulnerabilities. Attention to detail helps to spot potential inconsistencies in processes and policies. Formal methods should be followed, but there also needs to be an imaginative side in identifying points of failure and the most effective areas to investigate.
Audit and assurance is important work, since even the most sophisticated cyber security controls will be ineffective if they are improperly installed or maintained. Errors are bound to be made; audit and assurance, when carried out professionally, is the last line of defence against such errors. Interviewing staff members to learn of risks or issues present within the organisation is common, so managing relationships carefully is important.
There needs to be an understanding of the legal and regulatory standards on data protection and privacy, which is considered when assessing the compliance of a system. Projects may include complex issues such as advanced data analytics and IT governance, as well as playing a role in delivering an organisation’s education and awareness programmes to target areas of non-compliance and embed security in business practices.
When an audit is carried out, the results are presented clearly so that both technical staff and general management understand the key points. In some cases, these may include recommendations on system upgrades or decommissions, providing the organisation with the cost/benefit analysis of these recommendations.
Role level
Role expectations: Lead level
Support finding deficiencies in the testing, monitoring and management of security controls, so that an organisation’s data and information systems are secured.
In this specialism, you may:
- contribute to assessing the correctness of cyber security risk assessments and risk management plans, taking account of the organisation’s business goals
- produce plans for cyber security audits
- use specific auditing tools to conduct efficient audits
- audit the implementation, operation and maintenance of security controls
- contribute to the review of compliance with legal and regulatory requirements
- provide advice on audit, assurance and risk management
- support the implementation of Cyber Security Policy, Standards and Cyber Security Assurance Framework
- contribute to formal reports
- present findings to colleagues and managers, in both cyber security and general roles
Role expectations: Principal level
Focus on finding deficiencies in the testing, monitoring and management of security controls, so that an organisation’s data and information systems are secured.
In this specialism, you may:
- assess the correctness of cyber security risk assessments and risk management plans, taking account of the organisation’s business goals
- produce detailed plans for cyber security audits
- use specific auditing tools to conduct efficient audits
- audit the implementation, operation and maintenance of security controls
- review compliance with legal and regulatory requirements
- provide expert advice on audit, assurance and risk management
- implement the Cyber Security Policy, Standards and Cyber Security Assurance Framework
- write formal reports, and sometimes deliver oral briefings, on the findings of audits and compliance reviews
- present findings to colleagues and managers, in both cyber security and general roles
- convince stakeholders of the importance of audit, assurance and security
Skills
Skill | Lead | Principal
---|---|---
Compliance monitoring and controls testing | Working | Practitioner
Incident management, incident investigation and response | Working | Practitioner
Legal and regulatory environment and compliance | Working | Working
Risk understanding and mitigation | Practitioner | Practitioner
Secure supply chain management | Working | Practitioner
Core learning
Lead level
CompTIA Advanced Security
MGT512: Security Leadership Essentials for Managers
Cyber Incident Planning and Response
Introduction to Risk Management
Principal level
SEC566: Implementing and Auditing the Critical Security Controls – In-Depth
SEC503: Intrusion Detection In-Depth
ICS515: ICS Active Defence and Incident Response
Risk in the Boardroom
Certified ISO27001 Practitioner
Accreditation