- The audit covers processes such as digital asset management, cyber security awareness training, data security, resource planning, information security, recovery planning and communications.
Every individual and organisation is now at risk of being hacked, identity theft or any of the other ills that are born out of a high dependence on information and communication technologies.
In the light of this it is important for persons and organisations to understand and develop deeper insights into cyber security in order to develop strategies and systems to bridge cyber security vulnerabilities.
One method of ensuring greater protection is to undertake regular and programmed cyber security audits and assessments.
Although some persons use the words cyber security audit and cyber security assessments interchangeably, there are important differences between the two. An audit is a more formal process than an assessment.
Also an audit must be performed by a certified third party, independent organisation or consultant.
Cyber security audits usually involve an external assessment to ascertain the level of cyber risks an organisation (private and public) is exposed to.
The audit covers processes such as digital asset management, cyber security awareness training, data security, resource planning, information security, recovery planning and communications.
The best practice is for organisations to have a cyber security policy or strategy in place. A cyber security audit then serves as a tool to validate if policy implementation is taking place based on a checklist and crafts a plan to ensure compliance.
Cyber Security Policy
Cyber security policies are a key component of any cyber security audit since they provide the basis of conducting such audits.
A cyber security policy can be described as a formal set of rules which governs usage of an organisation’s technology, information and knowledge assets in order to secure them. It provides parameters users must abide by while clearly articulating their privileges and responsibilities.
By their design cyber security policies serve many purposes, including informing organisation users and third parties such as contractors and other authorised users of their obligations to protect the organisation’s digital assets. It describes what must be protected and outlines possible threats to these assets.
Cyber security policies also provide information on what is acceptable usage, for example, employees cannot use the organisation’s internet outside office hours or for private work.
Another element of a cyber security policy is classification of digital assets, whereby system files, data and equipment can be classified either as confidential or non-confidential.
A good cyber security policy recognises the fact that employees are the biggest security threat to an organisation and their willful action or inaction can cause damage.
Therefore, it will provide mitigations such as limited access to qualified persons only, logging the usage of its systems and making it mandatory for employees to change their passwords periodically.
When done properly, a cyber audit can help you understand what risks to information, system and software exist across your institution.
It can help you prioritise these risks, align the information protection to that of a central authority such as the Data Protection Commission, Communication Authority or even the Central Bank and to external security frameworks such as the National Standards and Technology Institute’s (NIST) cyber security framework (USA) and European Network and Security Agency’s (ENISA), as well as the ISO/IEC 27000 family on information security management systems.
Such frameworks provide policy guidance for organisations to assess and improve their ability not only to detect but prevent and proactively respond to cyber attacks when they do occur.
Once the audit is completed, the reviewer will provide a detailed report articulating gaps or vulnerabilities in your organizations security profile.
The tangible outcome of a cyber security audit or assessment is a clear cut road map which is expected not only to improve your cyber security readiness but also ensures long-term compliance and robust system of risk management.
Although a lot of organisations would like to do a cyber security audit, cost remains a primary concern, especially when payments for this need to be made to third-party auditing firms.
As great as they are, cyber security audits only go as far as providing a snapshot of an organisation’s cyber security space but do not provide a detailed insight into the lapses in an existing system.
A practical example of this is when cyber security auditors check the box in their audit document that says an organisation has anti-virus in place but do not test to see if it is effectively set up and how it will stand up to an attack or ward off attempts to infiltrate the system.
In conclusion, cyber security audits and assessments are very important and every organisation should put in place a periodic audit.
This is not to say that these audits are fool proof, magic bullet solution and should be complemented by functional effective controls.
The writer is Director of Innovations at Penplusbytes.org - you can reach him at
