CIR Program Management
Audit
Developing a CIR plan alone is not enough for an organisation to manage cyber security attacks effectively. Its integration with the BCM plan requires an independent review: the plan must be audited to confirm that the documented procedures can effectively mitigate or respond to cyber security incidents.
The auditing process (City of Vancouver, 2016) compares documented procedures with recommended practices in International or National Standards.
The standards chosen for comparison depend on the auditor. By performing audits, the organisation can assess its current ability to manage cyber security incidents and ensure that its information assets are secured and that CBFs can continue operating in the event of a cyber security attack.
1. Rationale
Due to rapid technological advancement and increased dependency on information assets, organisations are becoming more susceptible to cyber security attacks. The pervasive nature of cyber security threats makes it difficult for organisations to develop a comprehensive strategy to tackle these constantly evolving threats.
Through auditing, organisations can continually evaluate their stance against cyber security threats and how their documented procedures fare against them. Adjustments and improvements can then be implemented, allowing the CIR plan to keep improving in step with the evolving cyber security threats.
2. Internal Versus External Audit
Internal auditors (CIIA, 2017) are employees within the organisation who report to the audit committee and directors. They assist in developing specific CIR policies and in evaluating how effectively the implemented policies operate. Their duties are performed continuously and depend on the nature of the CIR plan.
Typically, their audit scope covers the management (V. Mack & Bloom, 2017) of the various cyber security threats, information flow within the organisation and how the management process of cyber security incidents is governed.
External auditors (CIIA, 2017) are separate organisations with no relation to the organisation requesting the audit. They report to the organisation's shareholders.
The external auditors provide insightful and experienced opinions on the effectiveness of the CIR plan. Since they are independent of the organisation, their duties cover only the pre-identified scope of the audit, which is mainly financial, and they are appointed only when the organisation requests them.
The choice between internal and external auditors depends on the availability of resources and on how well the audit aligns with the key controls and business functions expected of the organisation. Either option deploys independent professionals to review the CIR and BCM plans.
2.1 Availability of Resources
Developing an internal audit team strains the organisation's resources, such as time, budget and talent. Although conducting audits is necessary, establishing an internal audit team is difficult because the team needs members within the organisation with the appropriate knowledge and skills. Finding and retaining these members is a challenge for the organisation. A budget can be allocated for the training and development of these members.
On the flip side, engaging an external auditor is also not an easy process. The organisation must pick external auditors that fit its criteria and have the skills and knowledge to audit according to the pre-defined scope. The challenge is that some organisations do not have the internal expertise to perform this selection effectively.
2.2 Alignment with Other Components of the Organisation
As the internal audit team comprises employees, they understand how the organisation functions, can identify platforms that could be exploited, and can draw relationships between cyber security and business processes. Control is management's commitment to doing things right. Therefore, the auditing process can improve the CIR plan so that it covers all aspects of the organisation.
However, an external audit team, although experienced in performing cyber security audits for the industry, may find it difficult to tailor its opinions to a specific organisation because each organisation is unique.
They may also face opposition when requesting access to organisational information. Hence, after the audit, the CIR plan may not be aligned with other business processes, which might cause inefficiency in managing cyber security incidents.
3. Combination Approach
The value provided by both internal and external auditors is crucial to managing cyber security incidents effectively. Although their roles differ (CareersinAudit.com, 2013), their duties can be combined to streamline the auditing process.
The external audit team can use work done by the internal audit team to avoid duplication and develop a better understanding of the organisation. Collaboration between both teams allows the external team to be aware of significant organisational changes that may affect their audit process.
The internal audit team should lead the auditing process; in most cases, the internal audit team members are fully qualified, whereas the external audit team members can often be student accountants. Additionally, the assurance that the audit committee and directors receive will not be reduced.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 10 Program Management 10.6 Audit
Note: This version was the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.