Page 42 - CITP Review

from independent third-party assessors on the effectiveness of the entity's cybersecurity risk management program.

How to use in conjunction with cybersecurity risk mitigation

The practitioner's evaluation of management's risk assessment process — that is, the assessment of potential events and circumstances that could threaten the achievement of the entity's cybersecurity objectives — includes consideration of items such as the following:

• The process management uses to
  – identify its cybersecurity objectives,
  – identify information and other assets,
  – determine the threats to information and other assets,
  – design and implement controls to address identified risks, and
  – incorporate information from its monitoring activities that identify previously unconsidered potential events and circumstances.
• The frequency with which management updates the risk assessment and supporting risk management processes and controls.
• Whether management uses an appropriate management framework for managing its processes and controls — for example, the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) or International Standardization Organization/International Electrotechnical Commission (ISO/IEC) Standards 27001 and 27002 — as part of its assessment and management process.

Factors such as the size and complexity of the entity, the goods or services provided, and commitments made to customers and others are important considerations when evaluating the suitability of the design of controls. A smaller, less complex entity may be able to address risks that threaten the achievement of the entity's cybersecurity objectives using a different set of controls than a larger, more complex entity. For example, a smaller, less complex entity may

• have policies and procedures that are less formal and detailed but sufficient for the practitioner to evaluate;
• have fewer levels of management, which may result in more direct oversight of the operation of key controls; and
• make greater use of manual controls versus automated controls.
© 2019 Association of International Certified Professional Accountants. All rights reserved.    1-34