Organizations rely on a vast storehouse of controls -- from antimalware to documentation -- to protect their networks and applications from outside attacks.
But how effective are these controls? To ensure cybersecurity tools work as designed, organizations should conduct cybersecurity audits to measure and document their value. The audit process typically examines the controls in place, how well they are performing and the accuracy of the documentation that dictates policies and procedures. Other items, such as cyber attack event reports, are also part of the audit process. The rigor and complexity of an audit are dictated by the organization's size and the maturity of its cybersecurity program.
Audits also serve as a key way for companies to document their compliance with cybersecurity regulations, standards and frameworks. Organizations can use the guidelines within these standards to craft the areas they want to cover in their audits.
Cybersecurity audits demonstrate to customers and stakeholders that the organization takes cybersecurity management seriously. Audit reports highlight where an organization's cybersecurity controls are working effectively, as well as pinpoint where remediation might be necessary. As a result, audit reports can reflect positively on the organization, especially if the reports demonstrate a firm commitment to cybersecurity and compliance.
Types of cybersecurity audits
Cybersecurity audits are conducted in one of the following three ways:
- A first-party audit is where the IT department performs its own audit, using principles as defined by ISACA or a similar organization. Because this audit is self-administered, the degree to which the IT department can probe itself independently may be an important factor for management to consider.
- A second-party audit is performed by the organization's internal audit department. This audit is more independent, even though it is conducted within the same organization. The challenge is to ensure the internal audit staff has expertise in IT and cybersecurity auditing.
- A third-party audit is where an independent audit firm, completely outside the organization, performs the audit. When using an outside auditor, it's important to vet the firm's credentials and expertise in IT auditing -- especially as they apply to cybersecurity.
A third-party audit is the most independent, and independence is an essential aspect of any audit. If using an outside firm isn't possible, the internal audit department is a good alternative.
Cybersecurity audit standards and regulations
When preparing for a cybersecurity audit, take advantage of existing standards, regulations and frameworks to define the scope of the audit. These measures detail how cybersecurity controls should be established and performed. Cybersecurity frameworks also define the policies and procedures needed to establish and manage a cybersecurity initiative. The key is to find a framework that supports the specific requirements defined in the standard or regulation. The following is a brief listing of cybersecurity standards, regulations and frameworks:
- ISO 27000 series. Developed by ISO, the 27000 series addresses virtually all aspects of information security. Certain standards in the series address cybersecurity specifically, among them:
  - ISO/IEC 27007:2020 Information security, cybersecurity and privacy protection -- Guidelines for information security management systems auditing.
  - ISO/IEC 27014:2020 Information security, cybersecurity and privacy protection -- Governance of information security.
  - ISO/IEC 27032:2012 Information technology -- Security techniques -- Guidelines for cybersecurity.
- NIST Special Publication (SP) 800-53 Revision 5 Security and Privacy Controls for Information Systems and Organizations. Developed by NIST, SP 800-53 is one of the most widely used information security standards. It provides extensive background on security controls used in audits.
- NIST Cybersecurity Framework (CSF). Released in 2014, the CSF is a risk-based framework whose controls are organized around established phases of risk management: identify, protect, detect, respond and recover.
- COBIT. Developed by ISACA, COBIT is a widely used risk-based framework that can be used as part of a cybersecurity audit.
- Federal Financial Institutions Examination Council (FFIEC) Information Security booklet. FFIEC provides a detailed set of information security criteria that can be used as audit questions.
- Federal Information Security Management Act (FISMA). FISMA specifies a framework for information and cybersecurity management. It can be used by public and private sector organizations.
- HIPAA. This is an important set of information security guidelines for healthcare data.
10 steps to prepare for a cybersecurity audit
Take the following steps before beginning a cybersecurity audit:
- Secure approval from senior management.
- Secure funding, if needed.
- Identify the IT department team member(s) who will participate.
- Define the audit scope and objectives (for example, the specific issues and controls to be audited).
- Determine if the audit will be conducted internally or externally.
- Establish an audit plan, and have it approved by senior IT management.
- Reserve an area equipped with video conferencing -- for example, a conference room -- for at least one month where auditors can perform their work.
- Gather and provide evidence -- including cybersecurity reports, previous audits and event reports -- for auditors to use. This may vary based on controls to be audited.
- Ensure employees are available to back up people on the audit team.
- When audit dates are confirmed, ensure audit team members are available for interviews.
The key to a successful cybersecurity audit is effective preparation. Adhering to standards and regulations is one thing, but what is more important is evidence -- electronic and hard copy -- that demonstrates the organization is managing its cybersecurity controls effectively.