Cyber security assurance: What is right for my business?

Matt Palmer
6 min read · Feb 2, 2024

Cyber security can be complex enough without adding compliance and assurance obligations. Yet without these, it is unlikely a security programme will succeed in its objectives, because you’re not running it for you — you’re running it for your stakeholders, both internal and external. And boards, managers, clients, regulators, customers — all quite reasonably want to know that your organisation does not pose a risk to them, and would like you to prove it. It’s easier to trust if you can first verify.


That expectation of reasonable assurance leaves most organisations with a lot to consider, as cyber security assurance takes many forms, and which you need will depend on your organisation - its risk profile; its size, complexity or regulatory status; its objectives — and, yes, its budget and resources too.

It is of course possible to build a great internal monitoring programme based around your own security policies, and this is also important. For today’s purposes, though, we are talking about external or independent assurance. That means someone else marking your homework — not you marking your own.

The key types of cyber security assurance you will see in practice will be:

a) assurance over your risk management system — how you identify, assess and manage your risks
