NAO cyber guidance for audit committees
Technical blog by Liz Sandwith, chief professional practice advisor | 21 September 2017
Cyber security has grown to become a key business risk. EU legislation, such as the Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR), will place significant new obligations on UK organisations in this area.
The NAO has produced a Good Practice Guide for audit committees in the public sector on cyber security and information governance guidance for audit committees.
The Chartered IIA is keen to draw your attention to this document as it is likely that it will be of great use to your audit committee chairs and members, both in the public and private sector. This may prompt key stakeholders to challenge internal audit about the work they are doing to provide assurance in the cyber security and information governance arena.
This latest piece of guidance is based on the Government’s '10 Steps to Cyber Security'. The guidance is split into high level questions and more detailed areas to explore.
The high-level questions include –
- Has the organisation implemented a formal regime or structured approach to cyber security which guides its activities and expenditure?
- How has management decided what risk it will tolerate and how does it manage that risk?
- Has the organisation identified and deployed the capability it needs in this area?
The more detailed areas to explore include –
- Information risk management regime
- Secure configuration
- Network security
- Managing user privileges
- User education and awareness
- Incident management
- Malware protection
- Monitoring
- Removable media controls
- Home and mobile working
The guidance provides additional information as to the depth and breadth of the actions/responses required to assess the framework in place within your organisation to identify high level operational and reputational risks.
The guidance is relevant to internal auditors as it provides a framework against which the organisation’s cyber security risk can be assessed. The guidance also links to the 2016 National Cyber Security Strategy 2016-2021 which is another document worth reading.
Internal audit has a critical role to play in evaluating and assessing that cyber security risk controls, policies, and procedures are fit for purpose and being implemented effectively at all levels, and that organisations are compliant with the latest regulation.
We have produced a cyber security board briefing that can be shared with your audit committee and key stakeholders to create a strong cyber awareness culture within your organisation.
