Chapter 2

Accepting and Planning a Cybersecurity Risk Management Examination

Introduction

2.01 Prior to accepting a cybersecurity risk management examination, AT-C section 105, Concepts Common to All Attestation Engagements (AICPA, Professional Standards), requires the practitioner to determine that certain preconditions are met. Among other things, those preconditions require the practitioner to determine whether the engagement team meets the ethical and competency requirements set forth in the professional standards and whether the engagement meets the relevant requirements of the attestation standards. Prior to engagement acceptance, a practitioner is also required to establish an understanding with management about its responsibilities and those of the practitioner in the cybersecurity risk management examination.

2.02 Once an engagement has been accepted, AT-C section 205, Examination ...

Get Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls now with the O’Reilly learning platform.