In addressing cyber risks, internal audit departments need to leverage industry frameworks to perform audits in line with current practices. However, the constant release of new cybersecurity frameworks and guidance makes it difficult for auditors to keep up with developments and ensure they are auditing against the latest frameworks.
Although cybersecurity has become a top risk for boards of directors and audit committees, organizations worldwide do not follow a common comprehensive framework. Instead, guidance organizations such as the Committee on Payments and Market Infrastructures (CPMI), the International Organization for Standardization (ISO), the U.S. Federal Financial Institutions Examination Council (FFIEC), and the U.S. National Institute of Standards and Technology (NIST) have released separate cybersecurity frameworks.
These frameworks contain many of the same concepts. Some frameworks go beyond those basics to detail maturity levels that organizations can measure themselves against to see whether they are meeting the framework's target cybersecurity objectives. By evaluating each framework and selecting the one that best fits the organization's strategic vision, culture, and security posture, internal audit departments can assess the right risks and provide effective assurance on their organization's state of cybersecurity.
One of the first steps in a cybersecurity audit is determining which framework to use and how deep into that framework internal audit is willing to go. For example, each framework has high-level domains that consist of several lower-level components, requirements, or assessment factors. The level of granularity internal audit chooses should depend on factors such as the organization's risk tolerance and regulatory expectations.
Read more on https://iaonline.theiia.org