New NIST-Based Audit/Assurance Program Validates Cyber Controls

We live and work in a high-tech, interconnected world that is seeing increases in the volume and sophistication of cyberattacks. In order to function safely in this technology-driven, digital world, we must have strong cybersecurity controls. But how do we know if we have the right controls or if our controls are functioning as planned?

Because of the need for audit and assurance programs and processes around cybersecurity, ISACA has developed a new IS audit/assurance program, Cybersecurity: Based on the NIST Cybersecurity Framework. The goal of this program is to provide organizations with a formal, repeatable way to validate cybersecurity controls.

The program is based on the NIST Cybersecurity Framework and is built around the following five critical cybersecurity activities:

  1. Identify – Determine if the systems, assets, data and capabilities critical to cybersecurity have been identified and are understood by the organization. Process sub-areas include asset management, business environment, governance, risk assessment and risk management strategy.
  2. Protect – Review cybersecurity safeguards designed to limit the impact of potential events. Process sub-areas include access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
  3. Detect – Assess activities designed to identify the occurrence of cybersecurity events. Process sub-areas include anomalies and events, security continuous monitoring and detection processes.
  4. Respond – Evaluate action plans to take after learning of a security event. Process sub-areas include response planning, communications, analysis, mitigation and improvements.
  5. Recover – Analyze plans for resilience and the timely repair of compromised capabilities and services. Process sub-areas include recovery planning, improvements and communications.

The program is offered as a Microsoft Excel file with columns created so users can define controls to be tested (including frequency and results), as well as add references and comments. Testing steps have been identified for each NIST Cybersecurity Framework functional subcategory. These subcategories are labeled “Controls” in the program.

In addition, controls are referenced to COBIT 5 and ISO/IEC 27001:2013, making it easier for professionals to integrate the program into existing frameworks and/or audit programs.

Editor’s note: To download the Cybersecurity: Based on the NIST Cybersecurity Framework audit/assurance program, visit:

ISACA is also offering a one-day workshop entitled “Cybersecurity for Auditors” immediately following the 2017 North America CACS conference in Las Vegas, Nevada. For more information and to register, visit:

Russell Horn, CISA, CRISC, CISSP, President, CoNetrix

[ISACA Now Blog]
