Because effective and secure interaction between companies and their business partners, suppliers and service organisations is crucial for efficient operational management, companies implement risk management programmes to address the risks that arise from these interactions. However, they often have trouble gathering internal and external risk management information about cyber security.
We have developed a framework to help firms collect this internal and external risk management information. Companies can use the framework when communicating relevant and useful information about the effectiveness of their cyber security risk management programmes to various stakeholders.
The framework offers a general approach to evaluating and reporting on an entity’s cyber security risk management programme. The resulting cyber security investigation report consists of two parts:
- Management's description of the cyber security risk management programme, together with management's position with regard to the programme.
- The effectiveness of the controls within the cyber security risk management programme, together with the opinion of KPMG's independent IT auditor on the description and on the effectiveness of those controls in achieving the cyber security objectives.
Due to the complexity, volume and dynamic nature of their information systems, few companies are as yet prepared to undergo an investigation at entity level. The cyber security framework can be a valuable tool for businesses in preparing for such an investigation, or in communicating the status of their cyber security risk management programme to senior management and other relevant internal and external stakeholders.
KPMG can use the framework and the criteria to perform a ‘readiness assessment’ that can help the management identify elements in their cyber security risk management programme that may need improvement or require simple documentation improvements.