Audit committees should be scrutinising cyber security arrangements. To aid them, this guidance complements government advice by setting out high-level questions and issues for audit committees to consider.

Jump to downloads

Audit committees should gain the appropriate assurance for the critical management and control of cyber security and information risk.  

Cyber security is the activity required to protect an organisation’s data, devices, networks and software from unintended or unauthorised access, change or destruction via the internet or other communications systems or technologies. Effective cyber security relies on people and management of processes as well as technical controls. 

Our guide supports audit committees to work through this complexity, being able to understand and question the management of cyber security and information risk.  

It takes into account several changes which affect the way in which we interact with and manage our information and can drive increased risk. These include changes to the way we work and live due to the COVID-19 pandemic and the ongoing demand to digitise and move to cloud-based services.   

The strategic advice, guidance and support provided by government has also been updated to keep pace with these changes, detailing the impact and risks on the management of cyber security and information risk.  

The guide provides a checklist of questions and issues covering: 

  • The overall approach to cyber security and risk management 
  • Capability needed to manage cyber security 
  • Specific aspects, such as information risk management, engagement and training, asset management, architecture and configuration, vulnerability management, identity and access management, data security, logging and monitoring and incident management.  

Our guidance is based on our previous work and our detailed systems audits, which have identified a high incidence of access-control weaknesses. It also provides links to other government guidance and NAO resources. 

October 2021