The IIA issued the Cybersecurity Topical Requirement (the Requirement) on February 5, 2025, effective February 5, 2026. The Requirement gives internal auditors a minimum baseline for assessing the design and implementation of an organization’s cybersecurity governance, risk management, and controls.
The Requirement is a new component of the IIA’s 2024 International Professional Practices Framework (IPPF). The IIA introduced Topical Requirements to give internal auditors a consistent approach to assessing governance, risk management, and control processes in specific topic areas.
Below, we provide a summary of the Requirement. Find the full text of the Requirement here: The IIA's Cybersecurity Topical Requirement.
To assess cybersecurity governance, internal auditors are required to evaluate whether the organization has a defined and regularly updated cybersecurity strategy, cybersecurity policies and procedures, established roles and responsibilities aligned to cybersecurity objectives, and proactive engagement with key stakeholders to address vulnerabilities and emerging threats.
Internal auditors are required to evaluate whether the organization's risk assessment and risk management processes effectively identify, analyze, mitigate, and monitor cybersecurity threats and their impact on strategic objectives. Auditors must assess the breadth of cybersecurity risk management activities across functional areas, the establishment of clear accountability and oversight responsibilities, and the existence of processes to escalate risks that exceed acceptable thresholds. They must also confirm that the organization promotes cybersecurity risk awareness at all levels and has implemented an incident response and recovery plan.
Internal auditors are required to evaluate whether cybersecurity processes and controls are in place, are tested regularly, and are aligned with organizational objectives. This includes internal and vendor-based safeguards, workforce capabilities, continuous threat monitoring, and secure IT asset management. The Requirement highlights key focus areas in the life cycle management of all IT assets, in software development, and in network-related controls.
The IIA is preparing to expand its focus to other risk areas critical to organizations. It plans to issue a Topical Requirement on third-party risk during Q3 2025, and public consultations on Topical Requirements for organizational culture and organizational resilience are expected soon.
Socorro Partners offers tailored advisory services to help organizations manage and monitor cybersecurity risk effectively. We work with management to design and implement processes and controls that align with the IIA’s Cybersecurity Topical Requirement, strengthening organizational resilience and compliance. Drawing on deep subject matter expertise, our professionals also support internal audit functions in evaluating the design and effectiveness of cybersecurity governance, risk management, and control activities.