Cyber Security Audit & Assurance is the verification that systems and processes meet their specified security requirements, and that processes to verify ongoing compliance are in place.
Cyber Security Audit and Assurance focuses on verifying that the specified cyber security controls have been implemented in accordance with the risk management plan, with assessments of threats and vulnerabilities. Attention to detail helps to spot potential inconsistencies in processes and policies. Formal methods should be followed, but there also needs to be an imaginative side in identifying points of failure and the most effective areas to investigate.
Audit and Assurance is important work, since even the most sophisticated cyber security controls will be ineffective if they are improperly installed or maintained. Errors are bound to be made, and audit and assurance, when carried out professionally, is the last line of defence against such errors. Interviewing staff members to learn of risks or issues present within the organisation is common, so managing relationships carefully is important.
An understanding of the legal and regulatory standards on data protection and privacy is needed, since these are taken into account when assessing the compliance of a system. Projects may include complex issues such as advanced data analytics and IT governance, and may also involve playing a role in delivering an organisation's education and awareness programmes, to target areas of non-compliance and embed security in business practices.
When an audit is carried out, the results are presented clearly so that both technical staff and general management understand the key points. In some cases, these may include recommendations on system upgrades or decommissioning, together with a cost/benefit analysis of those recommendations.
Cyber Security Audit and Assurance focuses on finding deficiencies in the testing, monitoring and management of security controls, so that an organisation’s data and information systems are secured.
In this specialism, you may:
Job titles in Cyber Security Audit and Assurance are not always specific. Some jobs whose titles sound very general are actually largely focused on audit and assurance.
A Cyber Security Audit and Assurance professional might earn between £40,000 and £80,000. The median salary in February 2021 was £57,500. The median salary for those with more experience in February 2021 was £60,000.
Salary ranges are based on job vacancy advertisements published online in February 2021. Figures are dominated by the salaries for jobs in the large cities in the UK and salaries elsewhere may be lower. Only a small proportion of job vacancy advertisements for these roles included salary information, so the sample size is small and may not be representative. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.
Each of the 16 specialisms is based on knowledge areas within CyBOK.
More information on CyBOK knowledge areas can be found here.
Here are the knowledge areas associated with Audit and Assurance:
Core knowledge – you will need a very good understanding of these areas
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
The legal and regulatory topics that merit consideration when conducting various activities in the field of cybersecurity.
Related knowledge – you will need a solid understanding of these areas
Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
Wider knowledge – these areas will help to provide context for your work
The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
Data confidentiality, control and protection of personal and valuable information to ensure privacy is maintained and recognised as a fundamental human right.
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
A1 – Governance
A6 – Legal and Regulatory Environment and Compliance
A7 – Third Party Management
D1 – Internal and Statutory Audit
D2 – Compliance Monitoring and Controls Testing
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Previous experience in a role where you have demonstrated the ability to carry out formal inspections, and have understood the importance of this activity, would be beneficial for a role in this specialism. Examples of such roles are:
From a role as a Cyber Audit & Assurance specialist you might, with appropriate technical training, move into one of these other cyber security specialisms:
Alternatively, you might progress into a more senior role in audit and assurance or, in a small organisation, become head of cyber security.
Our qualifications framework is currently under development. Sign up to our newsletter here to be notified when this is published.
Entry route information can be found here.
You can also visit the National Cyber Security Centre website at the links below:
If you are applying for a Professional Registration Title, the Standard of Professional Competence and Commitment for Cyber Security Audit & Assurance can be found here