Chapter 18 Assurance and Cyber Risk Management

Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE

Mark, the chief audit executive (CAE), looks directly at Tom, the CEO: “Are there any intruders inside your organization’s information systems already? How do you know? How does the board obtain reasonable assurance that you as CEO and the executive team are managing cyber risks effectively? Optimal combined assurance to the board and to you as CEO is obtained by coordinated efforts by different organizational functional units.”

Cyber Risk Is Ever Present

Cybersecurity is defined by ISACA as protecting information assets by addressing threats (risks) to information processed, stored, and transported by internetworked information systems. Cyber risks are risks that arise from the interconnectivity of information and communications technology (ICT) systems. For modern organizations, these connections exist within the organization, between it and its suppliers and customers, and with its employees, including on employee-owned devices. In addition, there are operations technology systems in the form of process control systems or industrial control systems. In some cases these are connected to the organization’s computer network for remote maintenance and monitoring. These industrial control systems are used in the production of products and services such as electricity, food, and cars, and are present in hospital equipment, nuclear plants, ...

Get The Cyber Risk Handbook now with the O’Reilly learning platform.
