This guide is for audit and risk assurance committees (ARACs) and non-executive directors. It will support scrutiny and challenge by helping you raise key questions necessary for reducing cyber risk and achieving cyber resilience.
Background
Cyber security has transformed since the previous version of this guide in 2021. Hybrid work is now the norm, with people accessing corporate data from anywhere, on any device. Many organisations are increasingly reliant on cloud-based systems. Our ability to work online has also become more unpredictable, with highly capable state and state-aligned actors using sophisticated methods to conduct malicious cyber activity.
Cyber security might sound complex, but it is not solely a technical issue. The non-technical aspects – like governance, policies, processes, training, and practice – are just as critical. Effective oversight does not require deep technical expertise. What really matters is asking the right questions, encouraging accountability, and making sure audit and risk assurance committees (ARACs), senior leaders and technical teams are working together.
How to use this guide
The guide draws from government cyber security guidelines and our experience with the organisations we audit. It includes questions to ask and areas to explore when engaging with management on cyber security and resilience.
Downloads
- Good practice guide - Cyber security and resilience (.pdf — 563 KB)