
Cyber Security Audit and Assurance

Role overview

A Cyber Security Audit and Assurance professional uses their knowledge and experience to understand business scenarios, communicate the issues and recommend next steps. They support and guide other Cyber Security Audit & Assurance professionals.

They verify that the specified cyber security controls have been implemented in accordance with the risk management plan, informed by assessments of threats and vulnerabilities. Attention to detail helps to spot potential inconsistencies in processes and policies. Formal methods should be followed, but there also needs to be an imaginative side in identifying points of failure and the most effective areas to investigate.

Audit and Assurance is important work, since even the most sophisticated cyber security controls will be ineffective if they are improperly installed or maintained. Errors are bound to be made; audit and assurance, when carried out professionally, is the last line of defence against such errors. Interviewing staff members to learn of risks or issues present within the organisation is common, so managing relationships carefully is important.

There needs to be an understanding of the legal and regulatory standards on data protection and privacy, which is drawn on when assessing the compliance of a system. Projects may include complex issues such as advanced data analytics and IT governance, as well as playing a role in delivering an organisation’s education and awareness programmes to target areas of non-compliance and embed security in business practices.

When an audit is carried out, the results are presented clearly so that both technical staff and general management understand the key points. In some cases, these may include recommendations on system upgrades or decommissions, providing the organisation with the cost/benefit analysis of these recommendations.

Role level

Skills

Skill                                                    Lead           Principal
Compliance monitoring and controls testing               Working        Practitioner
Incident management, incident investigation and response Working        Practitioner
Legal and regulatory environment and compliance          Working        Working
Risk understanding and mitigation                        Practitioner   Practitioner
Secure supply chain management                           Working        Practitioner

Core learning

Lead level

CompTIA Advanced Security

MGT512: Security Leadership Essentials for Managers

Cyber Incident Planning and Response

Introduction to Risk Management

Principal Level

SEC566: Implementing and Auditing the Critical Security Controls – In-Depth

SEC503: Intrusion Detection In-Depth

ICS515: ICS Active Defence and Incident Response

Risk in the Boardroom

Certified ISO27001 Practitioner

Accreditation

UK Cyber Security Council: Standard of Professional Competence and Commitment: Cyber Security Audit and Assurance
