Assurance

Topics about Security Assurance

Read more about Assurance at ISACA.

“The lowest level of assurance is realized by performing self-assessments. The second level of assurance is realized by third-party statements, and the third level of assurance is realized by continuous auditing.

There are several measures that can be used to assess a supplier’s environment:

  • Certification of global standards and frameworks such as ISO 27001, Uptime TIER, TIA-942, and the Payment Card Industry Data Security Standard (PCI DSS)

  • Self-assessment questionnaires for the supplier, based on standards and frameworks such as ISO 27001, Trust Service Principles and CSA

  • Type II third-party reports that test the operation of measures periodically using robust standards or frameworks such as ISAE 3402/SSAE16 and SOC reports

  • Continuous monitoring of measures where there is continuous insight into the functioning of an organization’s control environment and security measures”

There are a few steps to assurance:

  • Understand the legislative framework in which the business exists (e.g. does the Mandatory Data Breach legislation apply to you? Are you a financial organisation that needs to follow APRA regulations?).

    • Keep up to date with the legislative frameworks (e.g. a new policy from APRA released in June 2024 around backups).

  • Understand the risk appetite of your business (this will probably evolve over the course of the assurance process).

  • Conduct a risk assessment (either formally or just as you are going through the assurance process).

  • Understand or create a cybersecurity strategy. It could be as simple as “we need to be better at cybersecurity” or a full document that states goals, objectives, steps, and priorities.

  • Understand the controls required. You may need some help with this, e.g. what exactly is Application Control?

  • Understand the scope of the controls within the business, e.g. is it just the administrative side of the business to tackle first, or are there Manufacturing or other areas of the business that need to be addressed later?

  • Implement the controls as outlined in the assurance level you want to achieve.

  • Document the controls put in place.

  • Monitor, measure, and audit the controls regularly.

  • Rinse and Repeat.
