What does the Cyber Security Topical Requirement mean for Heads of Internal Audit?
Cyber security has been a key risk for most organisations for some time now. This has been exacerbated in recent years by the increasing complexity of supply chain dependencies, escalating geopolitical tensions with state-sponsored actors operating in cyberspace, and AI technologies, which provide opportunities for cybercriminals to exploit new vulnerabilities and to operate at scale.
In this context, Heads of Internal Audit are faced with the challenge of providing assurance in a shifting and complex cyber threat landscape.
Cyber Security Topical Requirement
The IIA has published its first Topical Requirement document on cyber security, which comes into force in February 2026. Conforming with the Topical Requirement is mandatory for specific cyber security reviews within your internal audit plan, any reviews in your plan with a cyber security component and additional reviews that are not in the original plan.
The Topical Requirement for cyber security is structured around three key areas:
| Area | Scope |
|---|---|
| Governance | Cyber security strategy and objectives, policies and procedures, roles, responsibilities, skills, stakeholder engagement, performance assessment and reporting |
| Risk management | Processes to identify, analyse, mitigate and monitor cyber security threats across the organisation, accountability for cyber security risk, reporting and escalation, awareness and training, incident response and recovery processes |
| Control processes | Internal and vendor-based controls to protect the confidentiality, integrity and availability of systems and data; talent management and training; monitoring and reporting of emerging cyber threats and vulnerabilities; lifecycle management of all IT assets; configuration and end-user device administration; encryption; patching; user access management; network controls, firewalls and intrusion protection/detection systems; endpoint security over email, browsers and file-sharing services |
Alongside the cyber security Topical Requirement, a user guide has been published that includes “considerations” for each of the three areas. These considerations are not mandatory but illustrative; internal auditors are required to rely on their own judgement to determine what to include in their assessments. The user guide references the NIST CSF, NIST 800-53 and CobIT standards.
Key sources of cyber security guidance
There are several key sources of advice and guidance for Heads of Internal Audit that are widely used by cyber security practitioners and are available to internal auditors.
CobIT Framework
The most established framework is “CobIT” (Control Objectives for Information and Related Technologies). The first version was created in 1996 by the Information Security Audit and Control Association (ISACA) for managing and governing enterprise IT. The framework is broad, covering areas beyond cyber security and provides a comprehensive set of guidelines, practices, and tools to ensure your IT systems are effective, efficient, and aligned with your business goals.
It covers areas like risk management, resource optimisation, and performance measurement, helping you balance IT investments with your business objectives.
However, CobIT was developed before the widespread use of cloud technologies, which means it focuses mainly on information security as opposed to cyber security. It also does not cater for the lines of defence model or the updated role and responsibilities of the Chief Information Security Officer (CISO).
The latest version - CobIT 2019 - includes 40 objectives organised into five domains, each linked to a process. It introduces focus areas and design factors so you can tailor the framework to your specific needs, such as cybersecurity and digital transformation.
ISO 27001
ISO 27001 is an information security standard specifying the requirements for establishing, maintaining and continually improving an information security management system (ISMS). It was first published in 2005, and the most recent update was issued in 2022. Your organisation can have its ISMS accredited, enabling independent assurance to be provided to its stakeholders.
Cyber Essentials Government guidance
Cyber Essentials is published by the UK Government and sets out the basic cyber security measures that organisations should implement to protect against common cyber threats.
It focuses on five technical control areas: firewall configuration, secure settings, access control, malware protection and patching. It is primarily aimed at small- to medium-sized organisations looking for a straightforward way to improve their cyber security. The National Cyber Security Centre (NCSC) has also published a Cyber Assessment Framework (CAF), which is aimed at organisations that are critical to day-to-day life in the UK. The CAF can be used as a maturity assessment, referencing other control frameworks, and can also be used as an audit framework. Independent accreditation can be obtained for Cyber Essentials.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides a structured approach to managing cyber security risks across an organisation. The NIST CSF was created for organisations managing critical national infrastructure in the US, but it is a generally accepted standard for international organisations. The latest version was published in February 2024. The framework comprises six core functions with associated desired outcomes:
| Function | Desired outcome |
|---|---|
| 1. Govern | Cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored |
| 2. Identify | Current cybersecurity risks are understood |
| 3. Protect | Safeguards to manage cybersecurity risks are used |
| 4. Detect | Possible cybersecurity attacks and compromises are found and analysed |
| 5. Respond | Actions regarding a detected cybersecurity incident are taken |
| 6. Recover | Assets and operations affected by a cybersecurity incident are restored |
The framework is flexible. It does not prescribe any particular outcomes, nor how they should be achieved; this is left to your organisation to determine, because approaches to managing cyber security risk and implementing the framework will vary. Prescriptive controls related to the NIST CSF can be found in the NIST 800 series of standards, with NIST 800-53 setting the core standards required.
The Centre for Internet Security (CIS) Critical Security Controls (CSC) framework
This framework provides a set of specific controls and best practices for securing IT systems and data, focusing on technical and operational security measures. It is prescriptive, with a list of specific controls known as the CIS Controls. These are prioritised and designed to be actionable, helping organisations implement effective security measures through technical and operational security practices. The framework is therefore primarily aimed at IT professionals and security teams, giving them a set of controls to secure IT systems and data and to manage and mitigate cyber risks.
IIA guidance
The Institute of Internal Auditors (IIA) has also published its own guidance in the form of a series of Global Technology Audit Guides. These are designed to provide internal auditors with the knowledge to perform assurance and advisory services related to information technology and information security risks and controls by addressing specific issues such as cyber security. The most relevant guides include:
- IT Essentials for Internal Auditors (June 2020)
- Assessing Cyber Security Risk – The Three Lines Model (September 2020)
- Auditing Insider Threat Programs (August 2018)
- Auditing Cyber Incident Response and Recovery (October 2024)
- Auditing Cyber Security Operations: Prevention and Detection (February 2025)
There is therefore considerable guidance already available for Heads of Internal Audit to support them as they seek to provide assurance on cyber security risks and controls.
What does all of this mean for Heads of Internal Audit?
The key to cyber security internal audit is to understand what the most important IT and data assets of your organisation are, the threats to these assets and the protections you have in place – including both those within your control and those managed by third parties on your behalf.
For Heads of Internal Audit with experience of any of the cyber/IT control frameworks such as CobIT, NIST and CIS, the Topical Requirement provides little new information or guidance. Its purpose is to set a minimum baseline and provide relevant criteria for internal auditors to perform assurance services on cyber security.
Many Heads of Internal Audit may have gone beyond this baseline – and potentially commissioned external cyber specialists – to provide the assurance that their organisations require. They will have adopted one of the best-known frameworks as the basis for their approach, with framework selection based on the required granularity; a technical framework such as CIS or NIST would be most appropriate for organisations with complex IT infrastructure.
Even experienced Heads of Internal Audit who already have a good understanding of cyber security controls will benefit from the Topical Requirement. It provides a mandatory template for recording the consideration of cyber security in audit planning, scoping and delivery, ensuring that all the key areas are covered whichever framework is adopted. It also requires cyber security to be given greater prominence in the annual internal audit plan, scoping documents and reporting to management and the Audit Committee, increasing the transparency of the audit approach and of the assurance provided on this important risk area.
If you would like to discuss further or want more information, please contact Jon Dee.