Cyber Security Audit and Assurance focuses on verifying that the specified cyber security controls have been implemented in accordance with the risk management plan, with assessments of threats and vulnerabilities. Attention to detail helps to spot potential inconsistencies in processes and policies. Formal methods should be followed, but there also needs to be an imaginative side in identifying points of failure and the most effective areas to investigate. 

Auditing and Assurance is important work, since even the most sophisticated cyber security controls will be ineffective if they are improperly installed or maintained. Errors are bound to be made; audit and assurance, when carried out professionally, is the last line of defence against such errors. Interviewing staff members to learn of risks or issues present within the organisation is common, therefore, managing relationships carefully is important. 

There needs to be an understanding of the legal and regulatory standards on data protection and privacy, which is considered when assessing the compliance of a system. Projects may include complex issues such as advanced data analytics and IT governance, as well as playing a role in delivering an organisation’s education and awareness programmes to target areas of non-compliance and embed security in business practices. 

When an audit is carried out, the results are presented clearly so that both technical staff and general management understand the key points. In some cases, these may include recommendations on system upgrades or decommissions, providing the organisation with the cost/benefit analysis of these recommendations. 

Cyber Security Audit and Assurance focuses on finding deficiencies in the testing, monitoring and management of security controls, so that an organisation’s data and information systems are secured. 

In this specialism, you may: 

• assess the correctness of cyber security risk assessments and risk management plans, taking account of the organisation’s business goals 
• produce detailed plans for cyber security audits 
• use specific auditing tools to conduct efficient audits 

• audit the implementation, operation and maintenance of security controls 
• review compliance with legal and regulatory requirements 
• provide expert advice on audit, assurance and risk management 
• implement the Cyber Security Policy, Standards and Cyber Security Assurance Framework 
• write formal reports, and sometimes deliver oral briefings, on the findings of audits and compliance reviews 

• present findings to colleagues and managers, in both cyber security and general roles 
• convince stakeholders of the importance of audit, assurance and security 

Job Titles 

Job titles in Cyber Security Audit and Assurance are not always specific. Some jobs which sound very general are actually largely focused on audit and assurance. 

Titles include: 

• Technology Risk Assurance Trainee 
• Cyber Assurance Manager 
• Security Assurance Coordinator 
• Business Assurance Manager  
• Information Cyber Security & Assurance Manager  

• Technology Resilience Assurance Specialist 
• Insurance Security Supplier Assurance Analyst  
• Supplier Security Assurance Manager  
• Information Security Consultant 
• Information Security Auditor 

• Cyber Security Audit and Compliance Lead 
• Head of Security, Governance Risk & Compliance 
• Head of Cyber Security and Information Assurance 

Salaries 

A Cyber Security Audit and Assurance professional might earn between £40,000 and £80,000. The median salary in February 2021 was £57,500. The median salary for those with more experience in February 2021 was £60,000. 

Salary ranges are based on job vacancy advertisements published online in February 2021. Figures are dominated by the salaries for jobs in the large cities in the UK and salaries elsewhere may be lower. Only a small proportion of job vacancy advertisements for these roles included salary information, so the sample size is small and may not be representative. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk. 

Each of the 15 specialisms are based on knowledge areas within CyBOK.  

More information on CyBOK knowledge areas can be found here. 

Here are the knowledge areas associated with Audit and Assurance.

Core knowledge – you will need a very good understanding of these areas 

Risk Management and Governance 

Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation. 

Law and Regulations 

The legal and regulatory topics that merit consideration when conducting various activities in the field of cybersecurity. 

Related knowledge – you will need a solid understanding of these areas 

Human Factors 

Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.  

Security Operations & Incident Management 

The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence. 

Wider knowledge – these areas will help to provide context for your work 

Adversarial Behaviours 

The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers. 

Privacy and Online Rights 

Data confidentiality, control and protection of personal and valuable information to ensure privacy is maintained and recognised as a fundamental human right. 

Skills 

Personal attributes 

• attention to detail 
• a methodical approach 
• communication, collaboration and external engagement 

• leading and influencing, both externally and internally 
• writing formal documents and presenting information effectively 
• willing to develop oneself and others 
• reasoned judgement and analytical skills to make effective decisions 
• evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action 

Specialist skills 

• planning an audit or compliance review 
• risk assessment and management 
• familiarity with nation-specific and sector-specific audit requirements 
• using formal methods for analysing large volumes of data 

• applying a formal method or standard, such as COBIT 5 or ISO 27001 
• using data analytics 
• Red Team-ing - the ability to adopt the adversarial approach to challenge and rigorously test policies and systems as part of an intelligence-led security assessment 

CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs) 

A1 – Governance 

Principles: 

• directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements 

A6 – Legal and Regulatory Environment and Compliance 

Principles: 

• understands the legal and regulatory environment within which the business operates 

• ensures that Information Security Governance arrangements are appropriate 
• ensures that the organisation complies with legal and regulatory requirements 

A7 – Third Party Management 

Principles: 

• identifies and advises on the technical, physical, personnel and procedural risks associated with third party relationships, including systems development and maintenance, contracts, end of service, outsourced service providers and business partners and sub-contracting 

• assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as defined 

D1 – Internal and Statutory Audit 

Principles: 

• verifies that information systems and processes meet the security criteria (requirements or policy, standards and procedures) 
• assesses the business benefits of security controls 

D2 – Compliance Monitoring and Controls Testing 

Principles: 

• defines and implements processes to verify on-going conformance to security and/or legal and regulatory requirements 
• carries out security compliance checks in accordance with an appropriate methodology 
• this Skill group covers compliance checks and tests against technical, physical, procedural and personnel controls 

*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec. 

Experience 

A role or career in which there’s a demonstrated ability to carry out formal inspections and understand the importance of this activity would be beneficial for a role in this specialism. Examples of such roles are: 

• business risk assessment & management 
• business operations 
• health and safety inspection 
• environmental protection inspection 
• information systems audit 

• financial audit 
• commercial insurance risk assessment 

Linked Specialism (when clicking on route map) 

• Cyber Security Management 
• Cyber Security Governance and Risk Management 

Moving On 

From a role as a Cyber Audit & Assurance specialist you might, with appropriate technical training, move into one of these other cyber security specialisms: 

• Cyber Security Governance & Risk Management 
• Cyber Security Management 

• Security Testing 

Alternatively, you might progress into a more senior role in audit and assurance or, in a small organisation, become head of cyber security. 

Our certification framework can be accessed here. This framework allows you to see which certifications may be useful to you, within the different specialisms and at which point of your career.

Entry route information can be found here.

You can also visit the National Cyber Security Centre website at the links below:

NCSC Certified Degrees 

NCSC Certified Training 

Simon Whittaker is Head of Cyber at Instil and recently hosted a webinar with us where he told us more about what it's like actually working in the Audit & Assurance specialism.

If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Cyber Security Audit & Assurance can be found here.