Chapter 4

Forming the Opinion and Preparing the Practitioner’s Report

Responsibilities of the Practitioner

4.01 In the cybersecurity risk management examination, the practitioner is responsible for directly expressing an opinion, in a written report, on the following matters:

  1. Whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and

  2. Whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria

4.02 Because there are two distinct but complementary subject matters, the practitioner expresses an opinion on each in his or her report. Therefore, unless otherwise stated, a reference to the practitioner’s report in this chapter includes the practitioner’s responsibility to express an opinion on both the (1) description and (2) effectiveness of controls within the cybersecurity risk management program.

4.03 In some circumstances, management may engage the practitioner to perform an examination on the design of the controls rather than on their effectiveness. ...
