More about a career in Cyber Security Audit & Assurance
Only large organisations have Cyber Security Audit & Assurance specialists; most companies will bring in an external company to deliver the audit. If you work in a small organisation, you may audit the cyber security controls as part of a broader role - perhaps in Internal Audit, or within a finance team. But, wherever in the organisation you work, the requirements of auditing cyber security controls are the same.
It's important work, since even the most sophisticated cyber security controls will be ineffective if they're improperly installed or maintained. Errors are bound to be made; audit and assurance, when carried out professionally, is the last line of defence against such errors. You plan your own work in detail and are rigorous in following the plan.
Your core work focuses on verifying that the specified cyber security controls have been implemented in accordance with the risk management plan, the assessment of threats and vulnerabilities, and the value of the information and systems to be protected. Your attention to detail helps you spot potential inconsistencies in processes and policies. You follow formal methods to do this, but you're also imaginative in identifying likely points of failure and the most effective areas to investigate as exemplars of the controls. You work with other cyber security specialists to understand what controls they've designed and plan to implement, so that you know what you are going to audit.
It's very common for you to interview staff members, to learn of risks or issues present within the company. You manage relationships carefully; you need to be both trusted and respected for your expertise and detached so that you maintain an independent view. When you've carried out an audit, you present the results clearly so that both technical staff and general management understand the key points.
You understand legal and regulatory standards on data protection and privacy; in some organisations, there are other formal rules to follow, such as national security requirements or financial regulations. You understand these standards and rules, taking them into account when assessing the compliance of a system. You may work on projects involving complex issues such as advanced data analytics and IT governance. You may also play a role in delivering an organisation’s education and awareness programmes to target areas of non-compliance and embed security in business practices.
In some cases, you recommend system upgrades or decommissions, and provide the company with the cost/benefit analysis of your recommendation.
Depending on the size and services provided by the organisation for which you work, you may focus solely on the organisation’s own internal audit and assurance programme, or you may provide subject matter expert advice and guidance both internally and for external clients.
In a senior practitioner role, you provide leadership, direction and guidance on all cyber security and assurance issues, with the aim of improving the organisation’s control environments, reducing risk and optimising operational efficiency.
Work in this specialism focuses on finding deficiencies in the testing, monitoring and management of security controls, so that an organisation’s data and information systems are secured.
In detail, you may:
- assess the correctness of cyber security risk assessments and risk management plans, taking account of the organisation’s business goals
- produce detailed plans for cyber security audits
- use specific auditing tools to conduct efficient audits
- audit the implementation, operation and maintenance of security controls
- review compliance with legal and regulatory requirements
- provide expert advice on audit, assurance and risk management
- implement the Cyber Security Policy, Standards and Cyber Security Assurance Framework
- write formal reports, and sometimes deliver oral briefings, on the findings of audits and compliance reviews
- present findings to colleagues and managers, in both cyber security and general roles
- convince stakeholders of the importance of audit, assurance and security
Many organisations include Cyber Security Audit & Assurance as part of the Business Audit & Assurance management team. Where there is a separate cyber audit and assurance function, there may be two levels of responsibility.
- plans and execute audits and compliance reviews; this will take place under supervision on large projects if the practitioner is new to the role
- reports on findings and briefs colleagues, but may do this in support of a senior practitioner on large projects
A senior practitioner:
- works directly on audits and reviews, but usually only for large or high-risk projects
- may supervise other auditors
- may have the additional responsibility of managing relationships with senior business managers, external auditors and regulators and driving forward compliance-related projects
- will be expected to draw broad conclusions for the organisation when writing reports on audit and review findings
- may be responsible for strategic-level reviews
- attention to detail
- a methodical approach
- communication, collaboration and external engagement
- leading and influencing, both externally and internally
- writing formal documents and presenting information effectively
- being willing to develop oneself and others
- reasoned judgement and analytical skills to make effective decisions
- evaluating the probable social, commercial, cultural, ethical and environmental consequences of an action
- planning an audit or compliance review
- risk assessment and management
- familiarity with nation-specific and sector-specific audit requirements
- using formal methods for analysing large volumes of data
- applying a formal method or standard, such as COBIT 5 or ISO 27001
- using data analytics
- Red Team-ing - the ability to adopt the adversarial approach to challenge and rigorously test policies and systems as part of an intelligence-led security assessment
CIISec Skills Groups* (additional Skills Groups may also be relevant to particular jobs)
A1 – Governance
- directs, oversees, designs, implements or operates within the set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage Cyber and Information Security at an enterprise level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements and ensuring compliance with those requirements
A6 – Legal and Regulatory Environment and Compliance
- understands the legal and regulatory environment within which the business operates
- ensures that Information Security Governance arrangements are appropriate
- ensures that the organisation complies with legal and regulatory requirements
A7 – Third Party Management
- identifies and advises on the technical, physical, personnel and procedural risks associated with third party relationships, including systems development and maintenance, contracts, end of service, outsourced service providers and business partners and sub-contracting
- assesses the level of confidence that third party Cyber and Information Security capabilities/services operate as defined
D1 – Internal and Statutory Audit
- verifies that information systems and processes meet the security criteria (requirements or policy, standards and procedures)
- assesses the business benefits of security controls
D2 – Compliance Monitoring and Controls Testing
- defines and implements processes to verify on-going conformance to security and/or legal and regulatory requirements
- carries out security compliance checks in accordance with an appropriate methodology
- this Skill group covers compliance checks and tests against technical, physical, procedural and personnel controls
*Non-Commercial - No Derivatives (BY-NC-ND) license. 2021 Copyright © The Chartered Institute of Information Security. All rights reserved. Chartered Institute of Information Security®, CIISec. Chartered Institute of Information Security®, CIISec®, AfCIIS®, ACIIS®, MCIIS®, FCIIS® and the CIISec graphic logo are trademarks owned by The Chartered Institute of Information Security and may be used only with express permission of CIISec.
Any role or career in which you've demonstrated an ability to carry out formal inspections and understand the importance of this activity could equip you for a role in this specialism. Examples of such roles are:
- business risk assessment & management
- business operations
- health and safety inspection
- environmental protection inspection
- information systems audit
- financial audit
- commercial insurance risk assessment
Working in a cyber security role requires specialist knowledge, and some roles require a lot. Such knowledge can be acquired in several ways and, although the requirements for any given role are described here in terms of Knowledge Areas (KAs) from the Cyber Security Body of Knowledge (CyBOK), this doesn't mean that a cyber security specialist must read the relevant sections of CyBOK.
Increasingly, however, cyber security qualifications, training and skills definitions are being mapped to CyBOK - so the KAs are a good way of describing the knowledge associated with a specialism.
As an experienced practitioner in a Cyber Security Audit & Assurance role, you'll typically use the knowledge in the KAs listed below, although not always to the same level of detail. You're most likely to need a very good understanding of the Core Knowledge, which is essential to performing the role. You may still need a good understanding of the Related Knowledge but not to quite the same degree. You may need a much less detailed understanding of the elements of Wider Knowledge, which provides context for your work.
Coming into such a role, you will not be expected to have all his knowledge initially.
Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
The legal and regulatory topics that merit consideration when conducting various activities in the field of cybersecurity.
Usable security, social and behavioural factors impacting security, security culture and awareness as well as the impact of security controls on user behaviours.
The configuration, operation and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
The motivations, behaviours and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
Data confidentiality, control and protection of personal and valuable information to ensure privacy is maintained and recognised as a fundamental human right.
You might join this specialism as an apprentice.
Or, as a graduate, you might have a degree in:
- accountancy or finance
- business studies
- cyber security or information security
Alternatively, you might have a professional qualification in accountancy or financial audit.
You may move into a role in this specialism from a position in:
- IT system planning
- project management
- business planning or management
- business risk assessment
- cyber vulnerability analysis
- financial audit
- financial compliance
From a role as a Cyber Audit & Assurance specialist you might, with appropriate technical training, move into one of these other cyber security specialisms:
Alternatively, you might progress into a more senior role in audit and assurance or, in a small organisation, become head of cyber security.
Job titles in this specialism are not always specific. Some jobs which sound very general are actually largely focused on audit and assurance.
- Technology Risk Assurance Trainee
- Cyber Assurance Manager
- Security Assurance Coordinator
- Business Assurance Manager
- Information Cyber Security & Assurance Manager
- Technology Resilience Assurance Specialist
- Insurance Security Supplier Assurance Analyst
- Supplier Security Assurance Manager
- Information Security Consultant
- Information Security Auditor
- Cyber Security Audit and Compliance Lead
- Head of Security, Governance Risk & Compliance
- Head of Cyber Security and Information Assurance
A Cyber Security Audit & Assurance practitioner might earn between £40,000 and £80,000. The median salary for a practitioner in February 2021 was £57,500. The median salary for a senior practitioner in February 2021 was £60,000.
Salary ranges are based on job vacancy advertisements published online in February 2021. Figures are dominated by the salaries for jobs in the large cities in the UK and salaries elsewhere may be lower. Only a small proportion of job vacancy advertisements for these roles included salary information, so the sample size is small and may not be representative. Median salary figures are taken from calculations performed by www.itjobswatch.co.uk.