4.01 In the cybersecurity risk management examination, the practitioner is responsible for directly expressing an opinion, in a written report, on the following matters:
Whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and
Whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria
4.02 Because there are two distinct but complementary subject matters, the practitioner expresses an opinion on each in his or her report. Therefore, unless otherwise stated, a reference to the practitioner’s report in this chapter includes the practitioner’s responsibility to express an opinion on both the (1) description and (2) effectiveness of controls within the cybersecurity risk management program.
4.03 In some circumstances, management may engage the practitioner to perform an examination on the design of the controls rather than on their effectiveness. ...