1. Can you give us a brief overview of the CS Audit Manager micro-credential?
This domain is structured into two micro-credentials: the Cybersecurity Audit Manager and the
Cybersecurity Audit Practitioner.
The first targets those involved in setting the audit plan, supervising audit activities and delivering assurance
to stakeholders on the state of internal controls, the adequacy of protections, relevant governance activities,
and the overall organisational posture in cybersecurity.
The second targets audit professionals who are involved in carrying out the audit assignments, ensuring that
adequate assignment planning, exploration activities, field work, findings identification and prioritisation,
recommendation formulation, report writing and presentation of conclusions are completed as required by the
overall assignment expectations.
2. Why have cybersecurity audits become so critical for organisations today?
Many executives, business managers, decision makers, regulators and other stakeholders are not able to evaluate
the efficiency, effectiveness and validity of protections in relevant business and technology domains of cyber-risk.
The third line of defence, as we typically call audit activities, is essential to provide adequate assurance and to
inspire relevant actions and priorities.
3. How does a cybersecurity audit differ from other security assessments or risk reviews that organisations may already be conducting?
The audit is a validation of the activities performed by what we refer to as the second line of defence, such as
risk management, compliance management, quality management and finance management.
It also assesses the relevance of first line of defence activities related to business risk management, intrusion
detection, and other administrative, technical or organisational protections that are built or acquired by the organisation.
4. The course covers the ‘need for audit’. What organisational gaps or risks do audits help uncover that might otherwise go unnoticed?
We start from the assumption that no organisation is 100% secure and that it could never be.
Many organisations, large and small, in various sectors of activity, are far from even basic cyber-hygiene.
Issues such as the need for adequate prioritisation, identification of appropriate protection investments and
decision making on compensatory risks are areas where well-focused audit activities can bring much value.
5. Scoping an audit can be challenging. How will the course teach students to define relevant audit objectives and select the right criteria and frameworks?
We will conduct workshops and hands-on exercises designed to help students understand what is at stake in
cybersecurity auditing, including the cost of protections, the return on investment from both building and operating
activities, and the governance processes that are often missing in many organisations.
6. How do standards, sector-specific requirements, and automated tools come together in effective audit planning?
Standards are relevant in providing a comprehensive view of the risks, protections, and domains of concern from both
business and technology points of view. Sector-specific requirements top up regulations and laws to establish a basic
level of hygiene across industries.
Automated tools enable the validation of a series of controls across a large bulk of data and, with the use of artificial
intelligence, support the identification of trends and potential vulnerabilities or threats.
7. What are the key elements of a strong cybersecurity audit plan, and how will the course help students balance risk, resources, and stakeholder expectations?
It is up to the organisation to define its risk, identify relevant resources as mandated by decision makers, and approve
risk appetite and accepted vulnerabilities.
The work of the auditor involves validating the adequacy of those elements with each other and reporting back to executives,
encouraging them to act.
8. The course explores platforms such as SIEM and SOAR. How can these tools enhance audit reporting and support continuous improvement?
The first line of defence, i.e. the organisation and its technical staff, should ensure adequate use of these tools.
Auditors ensure that relevant conclusions are drawn on a continuous basis, leading to protection improvement actions.
Auditors should not spend their limited time on the assignment operating those tools, as this work should be done on a
regular basis by the technical staff.
9. How does the module align cybersecurity audits with Governance, Risk and Compliance (GRC), including EU cybersecurity regulations and frameworks like COBIT 2019?
The course explains how GRC and compliance actions raise organisational protections to a basic level of hygiene as defined by the regulations.
Risk management and protection implementation actions build on this by addressing actions that are specific to the organisation, its deliverables,
environment and strategic objectives.
Governance adds another layer, enabling a structured approach indicating the various decision makers and interactions between them, defining the
economic and risk acceptance actions, and enabling better decision making and a reduction of wasted effort and costs.
The fundamentals of COBIT 2019 will provide insight into better governance, protection building and operations maturity, and the restructuring of
digital activities into processes and subprocesses that can be analysed inside the black box.
10. What skills or perspectives will professionals gain from this micro-credential?
The course builds the capability to adequately govern cybersecurity, identifying the sequence from strategy setting to decision making, through to
implementation and effective results.
Students will also gain skills related to understanding the various activities involved in cybersecurity management.
Interested in the Digital4Security programme?
Explore the curriculum and register your interest to receive updates about modules, micro-credentials, and upcoming intakes.
