Cyberattacks are among the most debilitating events that companies and other organizations can experience, and internal auditors and risk managers consistently rank them among the biggest risks to the business. They know that how companies respond and react to such attacks can be the difference between a small blip and a major problem, so they routinely target them for internal audits.
Auditing the cyber incident response and recover system is no easy task, however. In hopes of making it easier, the Institute of Internal Auditors has released a new guide, “Auditing Cyber Incident Response and Recovery.” The guide, which is part of the IIA’s Global Technology Audit Guide or GTAG series. The guide covers risks and controls that correspond to the NIST CSF “Respond” and “Recover” functions.
The GTAG gives an overview of the relevant risks and controls in this area to help an internal audit activity with planning and scoping audit engagements. References to external control frameworks are offered, which, if used effectively, can help with the development of insightful audit approaches.
This guide will help internal auditors:
- Define cyber incident response and recovery and develop a working knowledge of relevant processes, including related governance and risk management controls.
- Understand risks and opportunities associated with cyber incident response and recovery, for the purposes of enterprisewide or engagement-specific assessments.
- Identify components of cyber incident response and recovery, including contributions from governance, risk management, and planning processes, as well as controls to test and execute response and recovery plans.
- Consider relevant control guidance in widely used IT-IS frameworks to increase the value of assurance and advisory services provided by the internal audit activity.
- Understand the basics of auditing cyber incident response and recovery, including specific controls to be evaluated.
The guide is available to IIA members for download. 