IIA cybersecurity topical requirement

Kim Garcia
Trevor Foo
March 10, 2026

The IIA issued the Cybersecurity Topical Requirement (the “Requirement”), establishing a mandatory baseline for Internal Auditors when evaluating cybersecurity governance, risk management, and control processes.

Below, we provide a summary of the Requirement and key implementation considerations. Find the full text of the Cybersecurity Topical Requirement here: Cybersecurity_Topical_Requirement Final. For implementation guidance, see the Cybersecurity Topical Requirement User Guide: Cybersecurity_TR_User_Guide.

The Requirement was approved for publication on February 5, 2025, with an effective date of February 5, 2026.

Cybersecurity

NIST defines cybersecurity as the ability to protect cyberspace from cyberattacks. It is a subset of information security, focused on safeguarding information and systems to ensure confidentiality, integrity, and availability.

Because digital systems and data underpin critical operations, cybersecurity risk affects nearly every organization. The Requirement establishes a minimum, risk-based framework for Internal Auditors to evaluate the design and implementation of cybersecurity governance, risk management, and control processes. Organizations with higher risk profiles may require expanded coverage.

The Requirement applies when cybersecurity is:

  • Included in the internal audit plan,
  • Identified during an engagement, or
  • Requested outside the original plan.

Internal Auditors must document applicability and any exclusions. Conformance is subject to quality assessment.

Governance

Evaluating cybersecurity governance involves assessing whether leadership has established a formal cybersecurity strategy aligned with organizational objectives and whether it is periodically reviewed and communicated to the board.

Internal Auditors should determine whether a formal strategy and objectives are established and updated with appropriate board oversight and resource review; whether policies and procedures are documented and maintained; whether roles, responsibilities, and competencies are clearly defined and periodically assessed; and whether key stakeholders such as IT, risk management, HR, legal, compliance, operations, and vendors are engaged to address vulnerabilities and emerging threats. Effective governance facilitates appropriate visibility, oversight, and accountability at the board and senior management levels, consistent with The IIA’s Three Lines Model.

Risk management

The Requirement calls for a structured approach to identifying, assessing, mitigating, monitoring, and escalating cybersecurity risks.

Internal Auditors should evaluate whether cyber risk assessments are integrated into enterprise risk management and aligned with strategic objectives; whether accountability is clearly assigned; whether risks are escalated based on defined thresholds and financial and nonfinancial impacts; whether risk awareness and remediation efforts are communicated and reviewed; and whether a tested incident response and recovery process is in place. The User Guide emphasizes that applicability begins with the risk assessment and that professional judgment guides scope and documentation.

Controls

The Control Processes section sets baseline expectations for cybersecurity controls across internal systems and third-party relationships.

Internal Auditors should assess whether controls, including vendor controls, protect the confidentiality, integrity, and availability of systems and data and are periodically evaluated; whether talent management supports cybersecurity competencies; whether continuous monitoring identifies emerging threats; whether cybersecurity is integrated into the life cycle of IT assets; and whether core technical, network, and endpoint controls such as configuration management, encryption, patching, access management, firewalls, VPN, IDS or IPS, and secure communication tools are implemented.

How we can help

Socorro Partners supports Internal Audit and IT functions in strengthening cybersecurity governance, risk management, and control processes in alignment with the Cybersecurity Topical Requirement.

We work with management and boards to assess cybersecurity programs against baseline expectations, align existing frameworks such as NIST, COBIT, ISO, or sector standards, enhance risk assessment and escalation processes, evaluate incident response readiness, and provide independent or co-sourced cybersecurity assurance. Our team combines cybersecurity, risk management, and internal audit experience to help organizations enhance resilience and meet evolving standards.

Kim Garcia
Partner, Advisory & IT Risk Leader
kgarcia@socorropartners.com
+1.954.729.5680
Trevor Foo
Managing Director
tfoo@socorropartners.com
+1.954.778.6633

Glossary of terms


Abbreviation: Full name

IIA: Institute of Internal Auditors
IPPF: International Professional Practices Framework
NIST: National Institute of Standards and Technology
VPN: Virtual Private Network
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
IIASB: International Internal Audit Standards Board
COBIT: Control Objectives for Information and Related Technologies
ISO: International Organization for Standardization
IT: Information Technology