CIS Controls Audit/Assurance Program 



Objective: The objective of a cyber security audit is to provide management with an evaluation of the effectiveness of cyber defense, with a focus on the most fundamental and valuable actions that each organization should take. These controls are based on the Center for Internet Security's (CIS) “Critical Security Controls for Effective Cyber Defense”.

Scope: The audit/assurance review will rely upon other operational audits of the incident management process, configuration management and security of networks and servers, security management and awareness, business continuity management, information security management, governance and management practices of both IT and the business units, and relationships with third parties.

The primary security and control issues are protection of:

  • sensitive data
  • intellectual property
  • networks to which multiple information resources are connected
  • devices, together with the responsibility and accountability for each device and the information it contains

As an IT audit and assurance professional, you are expected to customize this document for your unique assurance process environment. Use it as a review tool or starting point to modify for your purposes, rather than as a checklist or questionnaire. Keep in mind that to use this document for maximum effectiveness, you should hold the Certified Information Systems Auditor (CISA) designation or have the necessary subject matter expertise to conduct your assurance process while under the supervision of a professional who holds the CISA designation.

The Audit Program is based on the CIS Controls.