
ASSIGNMENT ONE ISSC

KAREN WANJAU
ADM NO- 21/04632
QUESTION:
You have been employed by company XYZ as their lead information security officer. Since
they have neither had an information security audit nor know about information and
cyber security, you are required to develop a plan on the two types of cybersecurity audits and
why they are important for the organization.
1. You are also required to detail the steps to be followed during the audit to the
management for resource and allocation.
2. Finally you are to briefly explain using the FOUR stages of the information security
lifecycle why it is a continuous and cyclic process for the organization.
3. List the FIVE Steps for Risk Management Process

You have been employed by company XYZ as their lead information security officer. Since
they have neither had an information security audit nor know about information and
cyber security, you are required to develop a plan on the two types of cybersecurity audits
and why they are important for the organization.
As XYZ's lead information security officer, I would recommend carrying out both internal and
external cybersecurity audits. Together they are essential for maintaining a strong security
posture and for demonstrating compliance with the laws and standards that apply to XYZ.

1. Internal Cybersecurity Audits: These audits are carried out by the organization's own IT,
security, risk, and compliance staff. They involve a careful examination of the organization's
IT environment, policies, and practices to spot weaknesses and to gauge how well the security
controls already in place are working. Among the advantages of internal audits are:
1. System Knowledge: Internal auditors already understand the systems and procedures
used by the company, so less time is spent on discovery.
2. Cost-Effectiveness: Internal audits are usually cheaper to run than engaging a third party.
3. Regular Reviews: Internal audits can be carried out more frequently, enabling ongoing
observation and improvement between external reviews.
4. Compliance: Internal audits help confirm that the organization meets its legal and
contractual obligations before an external party checks.
The main limitation is independence: staff auditing their own work may overlook or
understate problems, which is why an external audit is also needed.

2. External Cybersecurity Audits: These audits are carried out by independent consultants or
firms that provide security audit services. They give an unbiased evaluation of the
organization's cybersecurity posture and find weaknesses in security policies, procedures, and
technical controls using specialist tools and methods. Among the advantages of external audits are:
1. Independence: External auditors give an objective assessment of the organization's
cybersecurity position, free of internal assumptions.
2. Expertise: External auditors bring specialist tools and broad experience from auditing
many other organizations.
3. Regulatory Compliance: An external audit report can be used to demonstrate compliance
to regulators, clients, and other stakeholders, who generally do not accept self-assessment.

Both types of audit provide significant benefits that contribute to the overall security and
resilience of the organization:

1. Identify Vulnerabilities and Security Gaps: Audits find weak spots in the organization's
systems, networks, IT infrastructure, policies, and procedures, so the organization understands
where it is at risk and where it needs to improve.
2. Ensure Compliance and Meet Regulatory Requirements: Audits check whether the
organization is following applicable laws and industry requirements and protecting sensitive
data. Many industries require regular audits, and evidence of them helps the organization avoid
penalties, legal issues, and damage to its reputation.
3. Manage Risks: Audits identify potential risks early, allowing the organization to take
steps to reduce them before they turn into security incidents.
4. Improve Incident Response: Audits test and improve how the organization responds to
security incidents, which leads to better risk management and increased confidence from
stakeholders.
5. Assure Business Continuity: Audits help ensure that the organization can keep operating
even when a cyberattack occurs, so it can maintain its operations and services.
6. Establish a Security Baseline: Audits provide a snapshot of the organization's security
posture at a specific point in time. Future audits can be measured against it to show
progress and the effectiveness of security improvements.
7. Align with Internal Policies: Audits verify that the organization's actual security
practices match its own written policies and guidelines.
8. Assess Security Training: Audits can measure the effectiveness of the organization's
security training programs and confirm that employees are properly trained.
9. Identify Unnecessary Resources: Audits can identify systems, accounts, and services that
are no longer needed or that pose an unjustified security risk, so the organization can
retire them and reduce its attack surface.

1. Detail the steps to be followed during the audit to the management for resource and
allocation.
1. Agree on Goals: All parties involved, including management, IT personnel, and external
auditors, convene at this first stage to deliberate and reach a consensus over the audit's
objectives. Identifying security flaws, evaluating the efficacy of the organization's present
security measures, assuring regulatory compliance, and enhancing the organization's overall
security posture are a few possible objectives. Well-defined objectives give the audit focus and
guarantee that all parties are in agreement with the anticipated results.
2. Define the Scope of the Audit: Listing every asset that will be audited is part of this process.
Computer hardware, software, networks, data, and internal documentation are examples of
assets. The organization's business procedures, operations, and any outside parties with access to
its information systems should all be taken into account when defining the scope. By defining the
scope, you can make sure the audit is manageable and targeted.
3. Conduct the Audit and Identify Threats: In this step, the auditors systematically review the
scoped assets to identify potential threats. A threat is anything that could exploit a
vulnerability in the systems or networks, such as malware, unauthorized users, insider misuse,
or natural disasters; threats can originate inside or outside the organization. The auditors
use tools and techniques such as vulnerability scans, configuration reviews, interviews, and
document reviews to find them.

4. Evaluate Security and Risks: Once the threats have been identified, the auditors assess,
for each one, how likely it is to occur and how severe the impact on the organization's
operations and reputation would be. This includes evaluating how effective the organization's
current security controls are at preventing or detecting that threat, since an existing control
lowers the residual risk.

5. Determine the Needed Controls: Based on the identified threats and their assessed risks, the
auditors identify what security measures need to be implemented or improved to minimize the
risks. These could include technical controls like firewalls and encryption, administrative
controls like policies and procedures, and physical controls like locks and surveillance cameras.
The auditors provide recommendations on how to implement these controls effectively.

2. Finally you are to briefly explain using the FOUR stages of the information security
lifecycle:

1. Identify: The first step in the Information Security Lifecycle is to identify what you are trying
to protect. This involves defining the scope of the assessment, which includes all hardware,
software, and data within the organization. It’s crucial to understand the organization’s assets,
their value, and how they’re interconnected. This step sets the foundation for the rest of the audit
process.
2. Assess: This step involves a comprehensive review of the organization’s current processes,
procedures, and security controls. It includes performing vulnerability scans to identify potential
weaknesses in the organization’s IT infrastructure. The goal is to understand the organization’s
current security posture and identify areas of risk.
3. Monitor: Once the assessment is complete and security measures have been updated, it’s
important to continuously monitor the security controls in place. This includes monitoring
changes made to the security infrastructure and new systems introduced into the company’s
network. Regular monitoring helps ensure that the organization’s security posture remains strong
and can quickly identify and respond to any new threats.
4. Protect: Also referred to as the “mitigation” step, this phase involves implementing or
enhancing security measures to mitigate the risks identified during the assessment period. This
could include technical controls (like firewalls or encryption), administrative controls (like
policies or training), or physical controls (like locks or surveillance cameras). The goal is to
reduce the likelihood of a security incident or minimize its impact should one occur.
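The Identify and Monitor stages above come down to two practical tasks: record what the organization's security-relevant state looks like at the end of an audit (the baseline from the benefits list), and later compare the live state against it so new systems, exposed services, extra privileged accounts, and changed configurations are noticed. The script below is an added example written for this page, not code from the assignment or from any of its sources. The two host snapshots in it are constructed sample data; in practice they would be collected by an inventory or configuration management tool.

```python
"""Added example (not part of the original assignment): a security baseline
built during the Identify/Assess stages and checked for drift during Monitor.

A baseline is a snapshot of security-relevant state per host: listening
ports, local administrator accounts and hashes of key configuration files.
Both snapshots below are constructed sample data, not output from a real
host; in practice they would be collected by an inventory or configuration
management tool.
"""
import hashlib
from dataclasses import dataclass, field

EMPTY_HOST = {"listening_ports": [], "admin_accounts": [], "config_files": {}}

# Constructed sample: state recorded at the end of the first audit.
BASELINE = {
    "web-01": {
        "listening_ports": [22, 443],
        "admin_accounts": ["root", "ops"],
        "config_files": {
            "/etc/ssh/sshd_config": "PasswordAuthentication no\nPermitRootLogin no\n",
        },
    },
}

# Constructed sample: state observed during a later monitoring run. A database
# port has been exposed, an extra admin account exists, sshd now allows
# password logins, and a host nobody recorded has appeared on the network.
CURRENT = {
    "web-01": {
        "listening_ports": [22, 443, 3306],
        "admin_accounts": ["root", "ops", "contractor"],
        "config_files": {
            "/etc/ssh/sshd_config": "PasswordAuthentication yes\nPermitRootLogin no\n",
        },
    },
    "test-07": {
        "listening_ports": [8080],
        "admin_accounts": ["admin"],
        "config_files": {},
    },
}


def fingerprint(host_state: dict) -> dict:
    """Reduce a host snapshot to a comparable fingerprint.

    Config files are kept as SHA-256 digests so the baseline can be stored
    and shared without retaining possibly sensitive file contents.
    """
    return {
        "ports": set(host_state["listening_ports"]),
        "accounts": set(host_state["admin_accounts"]),
        "configs": {
            path: hashlib.sha256(content.encode()).hexdigest()
            for path, content in host_state["config_files"].items()
        },
    }


@dataclass
class Drift:
    host: str
    new_host: bool = False
    ports_added: list = field(default_factory=list)
    ports_removed: list = field(default_factory=list)
    accounts_added: list = field(default_factory=list)
    accounts_removed: list = field(default_factory=list)
    configs_changed: list = field(default_factory=list)

    def is_empty(self) -> bool:
        return not (self.new_host or self.ports_added or self.ports_removed
                    or self.accounts_added or self.accounts_removed
                    or self.configs_changed)


def detect_drift(baseline: dict, current: dict) -> list:
    """Compare every known or newly seen host against the baseline.

    A host present now but absent from the baseline is flagged as new_host;
    its ports and accounts are also listed as added so the report shows what
    it exposes. Hosts that vanished still appear, with everything 'removed'.
    """
    findings = []
    for host in sorted(set(baseline) | set(current)):
        base = fingerprint(baseline.get(host, EMPTY_HOST))
        now = fingerprint(current.get(host, EMPTY_HOST))
        d = Drift(host=host, new_host=host not in baseline)
        d.ports_added = sorted(now["ports"] - base["ports"])
        d.ports_removed = sorted(base["ports"] - now["ports"])
        d.accounts_added = sorted(now["accounts"] - base["accounts"])
        d.accounts_removed = sorted(base["accounts"] - now["accounts"])
        d.configs_changed = sorted(
            path for path in set(base["configs"]) | set(now["configs"])
            if base["configs"].get(path) != now["configs"].get(path)
        )
        if not d.is_empty():
            findings.append(d)
    return findings


if __name__ == "__main__":
    for finding in detect_drift(BASELINE, CURRENT):
        print(vars(finding))
```

Each drift finding is a candidate input to the next Assess pass: the exposed port 3306 and the sshd change are new vulnerabilities to score, the "contractor" account is a least-privilege question, and the unrecorded host must be added to the audit scope before it can be protected at all. Hashing the configuration files rather than storing them means the baseline itself does not become a sensitive document.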

Why it is a continuous and cyclic process for the organization:


1. Dynamic Threat Landscape: The environment of cybersecurity is always changing as new
threats and vulnerabilities appear on a regular basis. Regular audits are required to stay on top of
these changes and guarantee that the organization's security measures are working.
2. Changes in Technology and Business Processes: The organization's business procedures and
technology are always changing and growing. Business processes shift, new systems are
implemented, and old ones are modified. Since every one of these modifications has the potential
to create new vulnerabilities, ongoing auditing is required to find and fix them.
3. Compliance with Regulations: Regulations in many industries require periodic audits to
verify continued adherence. Regular audits keep the company compliant and help it avoid
penalties.
4. Continuous Improvement: An audit's objectives extend beyond finding and resolving
immediate problems to include strengthening the organization's general security posture.
Because every audit yields information that may be utilized to strengthen security protocols,
continuous auditing enables continuous improvement.
5. Risk Management: Continuous auditing is a key part of risk management. By regularly
identifying and assessing risks, the organization can take proactive steps to mitigate them.
3. List the FIVE Steps for Risk Management Process

1. Identify Risks: This entails identifying the events that could impair the organization's
ability to carry out its business. These risks may relate to external sources, business
processes, IT, security, or compliance.
2. Analyze Risks: Once identified, each risk is evaluated for the probability that it will
materialize and for its potential impact, that is, the harm the organization could sustain
if it does.
3. Evaluate or Rank the Risks: Following analysis, the risks are ranked in priority order
by their assessed severity. This ordering guides the planning of the organization's
risk-reduction or elimination initiatives.
4. Treat the Risks: Depending on a risk's ranking, it is mitigated, avoided, accepted, or
transferred (for example through insurance or a contract). The aim here is to put measures
in place that manage or lower the risks to an acceptable level.
5. Monitor and Review the Risks: The last phase is an ongoing process of re-assessing the
risks and evaluating the effectiveness of the chosen treatments. This step keeps the risk
management plan current and relevant as the organization and the threat landscape change.
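Audit steps 3 to 5 in the plan above (identify threats, evaluate likelihood and impact, determine the needed controls) and the five-step risk management process are the same workflow, so one worked example covers both. The script below is an added example written for this page, not code from the assignment or any of its sources. The 1 to 5 likelihood and impact scales, the risk appetite of 6, and the treatment thresholds are assumptions made for the illustration, and the six risks in the sample register are constructed, not findings from any real audit of XYZ.

```python
"""Added example (not part of the original assignment): a minimal risk
register that walks audit steps 3-5 and the five-step risk management
process: identify, analyse, rank, treat, and monitor.

The 1..5 scales, the appetite of 6 and the treatment thresholds are
assumptions for this illustration; the sample risks are constructed.
"""
from dataclasses import dataclass

# Assumed qualitative scales: 1 = low, 5 = very high.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    risk_id: str
    asset: str             # what is being protected (from the scope definition)
    threat: str            # what could go wrong (step 1: identify)
    likelihood: str        # key into LIKELIHOOD
    impact: str            # key into IMPACT
    existing_control: str  # what is already in place when the risk is scored

    @property
    def score(self) -> int:
        """Step 2 (analyse): risk = likelihood x impact, on a 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank(risks: list) -> list:
    """Step 3 (evaluate/rank): highest score first. Ties are broken by impact,
    so a rarer but more damaging event is listed before a frequent nuisance
    with the same score."""
    return sorted(risks, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def treatment(risk: Risk, appetite: int = 6) -> str:
    """Step 4 (treat): map a scored risk to one of the four classic options.

    Assumed rules for this example:
      * score >= 20           -> avoid (stop or redesign the activity)
      * score > appetite      -> mitigate, or transfer (insure/contract out)
                                 when the event is rare but the loss is large
      * severe impact         -> never simply accepted, even when rare;
                                 a pure likelihood x impact product would
                                 otherwise let catastrophic risks slip under
                                 the appetite line
      * everything else       -> accept, with periodic review
    """
    l, i = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    if risk.score >= 20:
        return "avoid"
    if risk.score > appetite:
        return "transfer" if (l <= 2 and i >= 4) else "mitigate"
    if i == 5:
        return "transfer"
    return "accept"


def build_register(risks: list, appetite: int = 6) -> list:
    """Steps 1-5 combined: rows ready for the audit report, highest risk first.
    The review interval is step 5 (monitor); accepted risks are revisited less
    often than ones with an open treatment."""
    rows = []
    for r in rank(risks):
        action = treatment(r, appetite)
        rows.append({
            "id": r.risk_id,
            "asset": r.asset,
            "threat": r.threat,
            "existing_control": r.existing_control,
            "score": r.score,
            "treatment": action,
            "review": "quarterly" if action == "accept" else "monthly",
        })
    return rows


# Constructed sample register for company XYZ (illustrative only).
SAMPLE_RISKS = [
    Risk("R1", "customer database", "SQL injection via public web app", "likely", "major", "none"),
    Risk("R2", "office laptops", "theft of an unencrypted laptop", "possible", "moderate", "none"),
    Risk("R3", "server room", "flood", "rare", "severe", "raised floor"),
    Risk("R4", "ERP server", "ransomware encrypts the server", "unlikely", "major", "offline backups"),
    Risk("R5", "guest Wi-Fi", "bandwidth abuse", "likely", "negligible", "rate limiting"),
    Risk("R6", "CRM", "full card numbers stored in plaintext", "likely", "severe", "none"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
```

With these inputs the register comes out as R6 (20, avoid: stop storing card numbers), R1 (16, mitigate), R2 (9, mitigate), R4 (8, transfer), R3 (5, transfer), R5 (4, accept). R3 is the caveat worth showing management: a rare flood scores below the appetite on a plain likelihood times impact product, yet its impact is severe, so the example refuses to accept it and routes it to transfer (insurance or a disaster-recovery contract) rather than letting the arithmetic quietly drop it.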