Chapter 7 - Cybersecurity Audit and Compliance Considerations


The role of audit and compliance in cybersecurity needs to evolve to effectively address the concerns arising from the evolution of technology and the threats to it. The compliance regime is going through rapid changes with the increasing quantity and complexity of cyber risks. Global emphasis on data and privacy protection requires enterprises to allocate substantial budget toward meeting compliance requirements and keeping an eye on the changed regulations and risks of non-compliance. However, it is crucial that compliance does not become the security standard of organizations.

More extensive effort must be put into addressing security at the enterprise level. Internal and external audit needs to provide insights on risk areas across the enterprise by shifting away from traditional approaches. To do so, audit needs to engage with other functions in the enterprise to align its activity with the business objectives of the organization, and take part in strategic project practice to acquire a better understanding of the innovative technologies and methods being introduced to organizations. Audit and compliance organizations may experience substantial change with the introduction of advanced technologies. These are projected to increase efficiency and effectiveness through automation and deep learning processes but will certainly add more risk factors to be considered and managed. In the end, audit and compliance requirements are set to support organizations in achieving business objectives and promoting growth while maintaining appropriate compliance. With proper assessment and management better suited to the evolving market, audit and compliance will play a value-added role in achieving enhanced cybersecurity for organizations.

Key Ideas
  • Audit and compliance functions need to continue their evolution from a “check-the-box” approach to cybersecurity and incorporate a strategic, risk-based approach to risk assessment to achieve good cyber governance and effective risk management.

  • While compliance with the various regulatory or contractual regimes is critical, an organization must be mindful that compliance does not equal security.

  • The role of audit is expanding to provide assurance and insight over the controls and activities of critical risk areas and digital transformation efforts.

  • The audit model for cybersecurity has been updated to stress the importance of communication between the “third line” and other lines in the corporate structure to better fit the strategic and operational needs of the organization.

  • The introduction of advanced technologies such as AI and blockchain, while introducing new risks, should eventually serve to enhance audit and compliance activities through effective risk management and increased efficiency.

ISA provides cybersecurity expert testimony and thought leadership in government and serves as an expert witness to the press.