Authoritative guidance on audits of cybersecurity


Last year, The IIA released Assessing Cybersecurity Risk: The Three Lines Model (download at https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG-Assessing-Cybersecurity-The-Three-Lines-Model.aspx). It is considered Supplemental Guidance (one of their Global Technology Audit Guides, or GTAGs) rather than mandatory guidance.

The GTAG has some good ideas and is useful reading for those charged with an audit of cybersecurity.

However, it is not without its flaws.

I will provide some excerpts here with my comments.

  • Internal auditors need an updated approach for providing assurance over cybersecurity risks. Although IT general control evaluations are useful, they are insufficient for providing cybersecurity assurance because they are neither timely nor complete.

Comment 1: While providing assurance over cybersecurity risks is an interesting concept, it is far better to provide assurance on the management of business risks and opportunities. You cannot understand and assess cybersecurity risks without first understanding how a failure to provide effective cybersecurity would affect the business. Managing cyber in a silo is not good management of the business.

Comment 2: IT general controls include information security and cyber is simply (IMHO) a new buzzword for infosec.

Comment 3: One of…
