Cyber security: internal audit’s critical role

12 April 2017

The Chartered Institute of Internal Auditors has published a Board Briefing on cyber security to address the gap between the scale of cyber risk and mitigation efforts being made by UK organisations.


In the wake of recent high-profile breaches (as at Yahoo and TalkTalk), and focusing on the significant new regulation covering this area, the Board Briefing aims to inform board members and senior managers of internal audit’s critical role in providing advice and assurance around cyber security.


Dr Ian Peters MBE, Chief Executive of the Chartered Institute of Internal Auditors, says:


“Cyber security starts with the board. But without internal audit board members cannot have a true picture of the efficacy of their organisation’s cyber security measures.


“With our organisations utterly, but still increasingly, dependent upon information technology, there is simply too much at stake for us to continue getting this wrong.


“The scale of the risk is understood, but there is a lack of understanding of the response that is required. Our primary consideration these days must be cultural, not technological. And internal audit are the means to assuring that risk controls, policies and procedures are fit for purpose and being implemented effectively at all levels.”


The Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR) represent a new era of regulation in this area. These regulations place significant obligations on many organisations in the public and private sectors, and threaten potentially huge fines for contraventions.


Neither will Brexit free UK organisations from these regulatory burdens, as both will be transposed into UK law.


Ends

Notes
1. Download the Cyber Security Board Briefing
2. Read the accompanying technical guidance for internal auditors
3. The UK Government’s Cyber Security Breaches Survey 2016 found that whilst 69% of businesses say their senior management consider cyber security to be a very or fairly high priority for their organisation, only half of businesses have actually taken recommended actions to identify cyber risks.