Cyber security and information risk guidance for Audit Committees

Audit committees should be scrutinising cyber security arrangements. To aid them, this guidance complements government advice by setting out high-level questions and issues for audit committees to consider.

Cyber security is the activity required to protect an organisation’s computers, networks, programmes and data from unintended or unauthorised access, change or destruction via the internet or other communications systems or technologies. Effective cyber security relies on people and management processes, as well as technical controls.

Government guidance makes it clear that cyber security is now an area of management activity that audit committees should scrutinise. Together with the rapidly changing nature of the risk, this means that audit committees need to understand whether management is adopting a clear approach, and whether the organisation is complying with its rules and standards, and is adequately resourced for cyber security.

‘Cyber security and information risk guidance for Audit Committees’ is fully consistent with and complements the guidance provided by the government. It provides a checklist of questions and issues covering:

  • The overall approach to cyber security and risk management
  • Capability needed to manage cyber security
  • Specific aspects, such as information risk management, network security, user education, incident management, malware protection, monitoring, and home and mobile working
  • Related areas, such as using cloud services and developing new services or technology

Our guidance is based on our previous work and our detailed systems audits, which have identified a high incidence of access-control weaknesses. It also provides links to other government guidance and NAO resources.

September 2017