IIA CYBERSECURITY TOPICAL REQUIREMENT AND ISO/IEC 27001

Haris Hamidovic

Abstract


Cyber security protects an organization's information assets from unauthorized users, disruption, alteration, or destruction and strengthens the overall control environment to reduce risk. Cyber attacks can have direct and indirect effects that are often significant, because computers, networks, programs, data, and sensitive information are critical components of most organizations. Because organizations rely heavily on information technology resources, a clearly defined cybersecurity plan, objectives, inherent risks, and effective controls should be a management priority. The IIA Cybersecurity Topical Requirement provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes. The IIA's work on developing the Cybersecurity Topical Requirement will certainly contribute to raising the level of cyber security in business organizations. Given that the requirements of the IIA Cybersecurity Topical Requirement can be mapped to the requirements of the ISO/IEC 27001 standard, it would be more than useful to draw on the existing good practices and experience with ISO/IEC 27001 and related standards for the practical implementation and assessment of compliance with the IIA requirements. In this paper, we present one possible way in which the good practices of the international standard ISO/IEC 27001 can be used to assess the level of compliance with the IIA Cybersecurity Topical Requirement.

Keywords


computers, information, corporate security, management of technology, auditing.

References


ISACA. (2021, Mar 31). Cybersecurity Fundamentals Study Guide, 3rd Edition. ISBN 978-1604207514. ISACA.

ISACA. (2022, Feb 28). CISM Review Manual, 16th Edition. ISBN 978-1604209013. ISACA.

IIA. (2024a). Risk in Focus 2024 Global Summary. Retrieved from The Institute of Internal Auditors, https://www.theiia.org/en/internal-audit-foundation/latest-research-and-products/risk-in-focus/

IIA. (2024b). Cybersecurity Topical Requirement. Retrieved from The Institute of Internal Auditors, https://www.theiia.org/globalassets/site/standards/editable-versions/cybersecurity-topical-requirement-english.pdf

ISO/IEC. (2022a). ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements. Retrieved from ISO, https://www.iso.org/standard/27001

ISO/IEC. (2022b). ISO/IEC 27002:2022, Information security, cybersecurity, and privacy protection — Information security controls. Retrieved from ISO, https://www.iso.org/standard/75652.html

ISO27k Forum. (2022). ISO/IEC 27001:2022 ISMS Status, Statement of Applicability (SoA), and Controls Status (gap analysis) workbook. Retrieved from ISO27k Forum, https://www.iso27001security.com/ISO27k_ISMS_6.1_SoA_2022.xlsx
