IS Audit Basics: Auditing Cybersecurity

There are several rites of passage one goes through on the way to becoming an experienced IT auditor. After completing college, one gets a job, although not necessarily in audit. After a while, audit attracts, and so one moves into the area and sits for and passes the Certified Information Systems Auditor (CISA) exam. One then works as part of an audit team before finally progressing to performing solo IT audits. As a practitioner becomes more experienced, he or she will (hopefully) lead a team and become an IT audit director.

However, in recent years, a further step has been added to this rite of passage. Increasingly, IT auditors are being asked to audit cybersecurity. I say increasingly because, when I moved into IT audit in 2005, the term was not commonly used. We just audited plain old IT security. Now, it is probably one of the first items in an enterprise’s audit universe.

So, what is cybersecurity and how do we audit it? We will, once again, turn to the ISACA white paper on creating audit programs.
