How do I scope a cybersecurity internal audit engagement?
My audit committee asked for a "cybersecurity audit" and I am not sure where to start. The topic is too broad. How do I narrow it down?
Use the NIST Cybersecurity Framework as your scoping scaffold. The framework has five functions: Identify, Protect, Detect, Respond, Recover. Pick the ones most relevant to your organization's current risk and recent events.
In practice you rarely have time to deep-dive all five functions in one engagement. Pick one or two:
- If the organization recently moved to the cloud: Identify and Protect.
- If there was a recent incident or near-miss: Detect, Respond, and Recover.
- If the audit committee wants a baseline opinion: Identify and Protect first, with light coverage of the other three.
Once you pick the functions, define control objectives within each. For Protect, that might be "privileged access is granted on a least-privilege basis with documented approvals and quarterly reviews." Then map each objective to evidence sources. The audit plan now has structure and the report can conclude function by function rather than producing a generic checklist.