
How to Perform a Cybersecurity Risk Assessment to Produce a More Relevant, Targeted 2026 Audit Plan
Cyber threats have long been a top risk. Every CAE knows what’s at stake: data privacy and security, business resilience and continuity, brand reputation, customer and investor trust, financial losses, and regulatory compliance, not to mention ever-expanding third- and nth-party risks. So why do most CAEs still settle for broad cyber risk assessments that don’t provide any real assurance?
David Malcom (CISA, CIA) has seen the problem from all angles — as a Big Four IT auditor, IT audit consultant, CISO, Internal Audit SVP, and now President/CEO of cybersecurity consulting firm Malcom Risk Advisors. David led an Internal Audit Collective webinar focused on giving CAEs the tools to confidently identify and propose detailed cybersecurity audit projects focused on the risks that actually matter. His approach offers a blueprint for upping YOUR game in 2026.
THE BIG QUESTION: How Can CAEs Without Deep Cybersecurity Experience Target Their Cybersecurity Assessments More Effectively?
With cyber attacks, it’s a question of when, not if. Nobody’s immune, and the knock-on effects can be devastating.
At the same time, most CAEs are still unsure how to audit cybersecurity. Lacking in-depth IT audit knowledge, skills, or experience, they make cybersecurity a general line item on their audit plans — but don’t know how to get more specific. Unfortunately, such broad audits don’t deliver the insights and assurance organizations need.
THE BIG TAKEAWAY: Cybersecurity is a core business risk deserving CAEs’ urgent focus. Understanding and effectively managing cyber risk requires CAEs to move past “analysis paralysis” to targeted assessments, data-driven prioritization, and meaningful assurance.
THE MISSION: Building a Better Cybersecurity Audit Playbook
How can you better define your organization’s cybersecurity audit risk universe, translating broad risks into auditable entities?
How can you make sure the audits you choose are relevant and important?
David’s step-by-step approach helps you build out your playbook.
In fact, David shared an example playbook with webinar attendees, offering it as a template. But here’s an overview.
THE APPROACH: Use Risk Frameworks and Scoring to Level Up
Step 1: Develop Cyber Risk Register
What cybersecurity risks have you identified throughout the year? Pull them into a risk register.
Risks can come from:
- Audit reports — prior issues identified by Internal or External Auditors or regulators
- Stakeholder conversations — traditional 1:1s with business and technology leaders, including the CISO, incorporating risks raised in the ERA
- External intelligence — cybersecurity risk publications (e.g., Big Four, consulting firms, IAF, IIA, IBM, Microsoft); known threats
- Data analytics — including KRI monitoring
David detailed several example risks. To keep it simple, we’ll use the broad risk “unauthorized access to critical systems,” which could result in data breach/loss, IP theft, disruptions to mission-critical systems, financial losses, and other impacts.
Step 2: Identify Risk Frameworks to Ensure Broad Coverage
Risk management frameworks are the key to breaking down broad risks into auditable entities. So the next step is identifying which frameworks fit your organization’s needs.
Each framework views risk through a slightly different lens. Layering frameworks helps you ensure coverage across all relevant risks and controls.
Common choices include:
- ISO 31000:2018 (Risk Management) — high-level ERM-focused standard
- COSO ERM — governance-forward framework linking enterprise risks to strategy/performance
- NIST SP 800-30 — step-by-step guidance for infosec risk assessments
- NIST CSF 2.0 — cybersecurity-specific framework clearly organizing risks and controls
- ISO 27001 — requirements for an information security management system (ISMS); the standard organizations certify against, with Annex A listing the reference controls
- ISO/IEC 27005:2022 — guidance on information security risk management, supporting the risk assessment and treatment steps ISO 27001 requires
- COBIT 2019 — not a risk framework per se, but aligns processes with IT governance and maturity/control objectives
- FAIR — quantitative framework that expresses information risk in financial terms (probable frequency and magnitude of loss)
- PCI DSS — standard focused on protecting payment account data
Step 3: Use Frameworks to Group Risks Into Auditable Entities
Say you’ve decided to stack:
- NIST CSF to guide risk assessment workflow
- ISO 27001 Annex A to ensure coverage of ISO certification requirements
- PCI DSS to ensure payment card compliance
- COBIT 2019 to map process maturity to governance
Work through your risk register, locating each risk in each framework. Where does it map to? Those are your domains — your auditable entities.
For example, here’s how “unauthorized access to critical systems” maps to each:
- NIST CSF — PR.AA (Identity Management, Authentication, and Access Control)
- ISO 27001 Annex A — A.9 (Access Control) in the 2013 edition; the 2022 edition spreads the same controls across A.5.15–A.5.18 (access control, identity management, authentication information, access rights) and A.8.2–A.8.5 (privileged access rights, information access restriction, access to source code, secure authentication), so cite the edition your certification uses
- PCI DSS — Requirements 7 and 8 (restrict access by business need to know; identify users and authenticate access)
- COBIT 2019 — DSS05.04 (Manage User Identity and Logical Access)
These categories all map to the larger domain of identity and access management (IAM).
Other risks from your register may map to the same domains; group those together. Your long risk register thereby becomes a manageable handful of domains. Your domains are your auditable entities, forming the backbone of your cyber audit risk universe.
Step 4: Define Weighted Risk Scoring Model
You’ve got your auditable entities. But some audits are higher-priority, and some can wait.
Your frameworks — alongside your risk assessment inputs (audit reports, stakeholder conversations, analytics, external intelligence) — help you decide. You’ll use them to:
- Identify threats/vulnerabilities
- Assess likelihood/impact
- Determine inherent risk scores
Developing those scores requires defining a weighted risk scoring model. David shared his, which defines 1–5 scales for each of the following:
- Inherent likelihood
- Business impact
- Data sensitivity
- Control maturity
- Change velocity/complexity
- Third-party dependency (e.g., redundancies, reliance, concentration)
- Detection coverage (e.g., monitoring capabilities/gaps)
These scores combine into an overall score that drives audit frequency and prioritization across your multi-year rolling audit plan. One check before you combine them: control maturity and detection coverage run in the opposite direction from the other five factors. A mature control or a well-monitored domain should lower the priority, not raise it, so decide up front whether those two scales are scored inversely or subtracted, and document the choice so the scores stay comparable year over year.
Step 5: Score Risks to Create Audit Plan
Your scoring system should also weigh:
- Is it mandatory?
- Was there a recent incident?
- Is it a management request?
- When was it last audited?
Of course, you also need to consider (1) audit capacity, (2) risk tolerance, and (3) overall risk scores.
Using this method, David’s initial list of 12 auditable entities was cut to four — voilà, his 2026 audit plan.
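As an added worked example of Steps 4 and 5 (it is not David’s playbook or any code from the webinar), the Python below scores a constructed universe of 12 auditable entities on the seven 1–5 factors, layers on the Step 5 adjustments, and selects a plan within an hours budget and a risk tolerance. The factor names are the ones listed above; everything else is an assumption made for the example: the weights, the size of each priority bump, the three-year staleness threshold, the 1,000-hour capacity, the 3.5 tolerance, and the entity names and scores. It also assumes control maturity and detection coverage are inverted, so that a mature control lowers the score.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed weights per 1-5 factor (sum to 1.0); the model names the factors, not the weights.
WEIGHTS = {"inherent_likelihood": 0.20, "business_impact": 0.20, "data_sensitivity": 0.15,
           "control_maturity": 0.15, "change_velocity": 0.10, "third_party_dependency": 0.10,
           "detection_coverage": 0.10}
# Assumed: mature controls and good detection coverage LOWER the score, so they are inverted.
INVERTED = {"control_maturity", "detection_coverage"}
# Assumed priority bumps for the Step 5 questions, added on top of the weighted score.
INCIDENT_BUMP, MGMT_REQUEST_BUMP, STALE_AUDIT_BUMP, STALE_AFTER_YEARS = 1.0, 0.5, 0.5, 3


@dataclass
class Entity:
    name: str
    factors: dict                   # factor name -> integer 1..5
    hours: int                      # estimated audit effort
    mandatory: bool = False         # regulatory or contractual requirement
    recent_incident: bool = False
    management_request: bool = False
    years_since_audit: Optional[int] = None   # None = never audited


def base_score(factors: dict) -> float:
    """Weighted 1-5 score; control-oriented factors are inverted as (6 - value)."""
    if set(factors) != set(WEIGHTS):
        raise ValueError(f"factors must be exactly {sorted(WEIGHTS)}")
    total = 0.0
    for name, weight in WEIGHTS.items():
        value = factors[name]
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
        total += weight * (6 - value if name in INVERTED else value)
    return round(total, 2)


def is_stale(e: Entity) -> bool:
    return e.years_since_audit is None or e.years_since_audit >= STALE_AFTER_YEARS


def adjusted_score(e: Entity) -> float:
    """Base score plus priority bumps; uncapped because it is only used for ranking."""
    return round(base_score(e.factors) + INCIDENT_BUMP * e.recent_incident
                 + MGMT_REQUEST_BUMP * e.management_request + STALE_AUDIT_BUMP * is_stale(e), 2)


def rationale(e: Entity) -> str:
    """Plain-language reason for inclusion, for the proposed-plan deliverable."""
    reasons = [f"weighted score {base_score(e.factors):.2f}"]
    reasons += ["mandatory"] * e.mandatory + ["recent incident"] * e.recent_incident
    reasons += ["management request"] * e.management_request
    if e.years_since_audit is None:
        reasons.append("never audited")
    elif is_stale(e):
        reasons.append(f"last audited {e.years_since_audit} years ago")
    return "; ".join(reasons)


def build_plan(universe, capacity_hours: int, tolerance: float) -> dict:
    """Mandatory audits first, then highest adjusted score first, within the hours budget.
    Above-tolerance items that do not fit are deferred; below-tolerance items go to KRI monitoring."""
    ranked = sorted(universe, key=lambda e: (not e.mandatory, -adjusted_score(e), e.name))
    plan, deferred, monitor, used = [], [], [], 0
    for e in ranked:
        score = adjusted_score(e)
        if not e.mandatory and score < tolerance:
            monitor.append(e.name)
        elif used + e.hours > capacity_hours:
            if e.mandatory:
                raise ValueError(f"mandatory audit {e.name!r} does not fit in {capacity_hours}h")
            deferred.append(e.name)
        else:
            used += e.hours
            plan.append({"entity": e.name, "score": score, "hours": e.hours, "why": rationale(e)})
    return {"plan": plan, "hours_used": used, "deferred": deferred, "monitor": monitor}


def _entity(name, scores, hours, **flags):
    return Entity(name, dict(zip(WEIGHTS, scores)), hours, **flags)

# Constructed sample universe of 12 auditable entities (illustrative scores, not real data).
# Score order follows WEIGHTS: likelihood, impact, data sensitivity, control maturity,
# change velocity, third-party dependency, detection coverage.
SAMPLE_UNIVERSE = [
    _entity("Identity & Access Management", (5, 5, 5, 2, 4, 3, 2), 300, recent_incident=True, years_since_audit=2),
    _entity("PCI Cardholder Data Environment", (3, 5, 5, 4, 2, 3, 4), 200, mandatory=True, years_since_audit=1),
    _entity("Third-Party / Vendor Risk", (4, 4, 4, 2, 3, 5, 2), 250),
    _entity("Vulnerability & Patch Management", (4, 4, 3, 3, 4, 2, 3), 200, management_request=True, years_since_audit=1),
    _entity("Backup & Recovery", (3, 5, 3, 4, 2, 2, 3), 150, years_since_audit=4),
    _entity("Security Monitoring / SOC", (3, 4, 3, 3, 3, 2, 2), 200, years_since_audit=2),
    _entity("Endpoint Protection", (3, 3, 3, 4, 3, 2, 4), 150, years_since_audit=1),
    _entity("Network Security", (3, 4, 3, 4, 3, 2, 3), 200, years_since_audit=2),
    _entity("Cloud Configuration", (4, 4, 4, 2, 5, 4, 2), 250),
    _entity("Security Awareness & Phishing", (4, 3, 2, 3, 2, 1, 3), 100, years_since_audit=1),
    _entity("Application Security / SDLC", (3, 4, 4, 3, 4, 3, 3), 250, years_since_audit=3),
    _entity("Data Loss Prevention", (3, 4, 5, 3, 2, 2, 3), 150, years_since_audit=2),
]

if __name__ == "__main__":
    result = build_plan(SAMPLE_UNIVERSE, capacity_hours=1000, tolerance=3.5)
    for item in result["plan"]:
        print(f'{item["score"]:.2f}  {item["hours"]:>4}h  {item["entity"]}: {item["why"]}')
    print("deferred (above tolerance, no capacity):", result["deferred"])
    print("monitor via KRIs (below tolerance):", result["monitor"])
```

Run as a script it prints the four selected audits, each with a rationale line (the "clear rationale for each item's inclusion" deliverable from Step 6), then the above-tolerance audits deferred for lack of capacity and the domains left to KRI monitoring. The selection deliberately refuses to drop a mandatory audit for capacity reasons and raises instead, so a budget shortfall surfaces as a planning error rather than a silent omission. Swap in your own weights and bumps; the ranking logic does not change.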
Step 6: Develop Risk Assessment Outputs
Following this process creates the following deliverables:
- Risk-ranked cyber audit universe
- Proposed audit plan, including clear rationales for each item’s inclusion
David also shared tips for developing KRIs/thresholds for continuous monitoring, which then enable:
- Ongoing monitoring plan, including KRIs, owners, and thresholds for monitoring
- KRI results/trends, helping direct subsequent assessment cycles
WHY THIS WORKS: A Dynamic Approach Built on Solid Foundations
As David pointed out, “The cyber environment changes so rapidly that what you have on your cyber audit plan for 2026 — because of changes in the threat environment, emerging vulnerabilities, and changes in attack vectors — may look completely different by this time next year.”
That’s why you need a methodology that helps you pinpoint the most important risks at that time.
Grounding cybersecurity risk assessments in this process provides:
- Expert support/guidance from widely accepted risk frameworks
- A consistent taxonomy and common language for talking about cybersecurity risk
- Increased confidence that coverage focuses on the risks that matter
THE LAST WORD: You Can Step Up Your Cyber Game
In Protiviti and NC State’s 2025 Executive Perspectives on Top Risks for the Near and Long Term, cyber threats rank #2 for the near term and #1 long term. Interestingly, CAEs rank the risk more highly than any other C-Suite executive.
In other words, we know how important this is. Let’s prove it, moving past the general 500-hour cybersecurity audit to more focused, relevant audits targeting high-priority risks.
You don’t need to be a cybersecurity expert. You only need to be a process expert — which you already are, if you’re an auditor.
Want more help upleveling your cybersecurity audit game? David Malcom hosts recurring Internal Audit Collective roundtables on cybersecurity. Bring your questions, risk assessments, and audit plans. Sign up today! Not a member yet? What are you waiting for? Join now.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed, community to gain perspectives, share templates, expand your network, and to keep a pulse on what’s happening in Internal Audit and SOX compliance.