Understanding the IIA’s Proposed Topical Requirement for Cybersecurity

Publication Date: November 15, 2024

By Anthony Thompson

The Institute of Internal Auditors (IIA) is developing a new element of the International Professional Practices Framework called Topical Requirements. A Topical Requirement is a specific set of guidelines or standards focused on subject areas deemed essential by regulatory bodies or professional organizations. These requirements aim to ensure internal auditors possess the necessary knowledge and skills to address critical areas effectively and provide a framework for consistent and comprehensive auditing practices across various industries and environments. The use of Topical Requirements will be mandatory when an internal audit function performs an audit engagement of a covered topic.

In an era where cyber threats are rapidly evolving, the IIA recently unveiled a draft of the first Topical Requirement on Cybersecurity.  This framework provides structured guidelines for evaluating and enhancing organizational cybersecurity measures. The 90-day public comment period has closed, and the final version of this guidance is anticipated to become effective on January 1, 2025.

Topical Requirements are part of the IIA’s new global guidance.

Topical Requirement Format

The 15-page Cybersecurity Topical Requirement draft provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes. It provides requirements for evaluating and assessing each control process, links to related Standards and Global Technology Audit Guides (GTAGs), and detailed considerations for each requirement. There is a tool to document conformance with the Topical Requirement in Appendix B. The following are examples of the proposed requirements:

Governance

• Establishment of policies and procedures related to cybersecurity risk management.
• Examining the existing control environment, including preventative and detective controls, as well as a review of existing information security policies to determine alignment with industry standards (e.g., ISO 27001, CIS, and NIST).
• Discussions with relevant stakeholders, senior management, and the board.
• Sufficient required resources, including hardware, software, and training.
• Regularly reviewing organizational policies related to information security, ensuring they are exhaustive and align with industry standards like ISO 27001.

Risk Management

• Establishment of an organization-wide risk management process with a specific focus on cybersecurity risks.
• Having a cross-functional management team that includes members from information technology, risk management, legal, compliance, etc.
• Accountability and responsibility regarding the management of cybersecurity risks, including those who manage, mitigate and identify emerging risks.
• Existing processes are in place to quickly escalate and evaluate risks.
• Issues, gaps, deficiencies and control failures are communicated to appropriate parties, and the status of remediation is closely monitored and reported.

Control Processes

• Ensuring cybersecurity controls are functioning in an effective manner.
• Compliance monitoring is included within the scope of the Requirement to determine adherence to existing laws, regulations, and standards such as GDPR, HIPAA, or CCPA.
• The existence of employee training and awareness initiatives which are considered vital for maintaining a robust cybersecurity culture within the organization.
• Implementation of effective controls surrounding common desktop communication services such as email, internet browsers, videoconferencing, messaging, and file-sharing protocols.
• Appropriate physical security controls.
• Determining the effectiveness of incident management and recovery controls.

Implementation Guidelines

Internal Audit should share the final Topical Requirements with their IT departments. To effectively adopt these requirements, organizations should conduct an initial assessment, update policies accordingly, implement periodic employee training sessions, and perform periodic audits to ensure ongoing compliance with the requirements.  The internal audit function can test and evaluate these requirements using the tool in the appendix.

While implementing these requirements may present challenges such as resource constraints or resistance to change, overcoming these barriers is crucial for building a resilient cybersecurity framework.

Final Thoughts

Proactive cybersecurity measures are indispensable in today’s digital world. The IIA’s Cybersecurity Topical Requirement provides a comprehensive roadmap for internal auditors aiming to fortify their organization’s defenses against cyber threats through well-structured audits and proactive strategies. By adhering to these guidelines, organizations can expect an enhanced security posture, improved compliance measures, and more efficient incident response mechanisms. For more detailed information, visit the IIA’s Topical Requirements website and read the proposed Cybersecurity Topical Requirement.