ISACA has launched new audit and assurance materials on cybersecurity control and artificial intelligence (AI) in order to better prepare auditors to keep up with the rapidly evolving cyber and emerging technology scene. The ISACA Cybersecurity Audit Programme: based on the Artificial Intelligence Audit Toolkit and the NIST Cybersecurity Framework 2.0.
The ISACA Cybersecurity Audit Program: Based on NIST Cybersecurity Framework 2.0 updates ISACA’s 2016 IS Audit/Assurance Cybersecurity Program to include new content that reflects the changes in the NIST CSF 2.0.
Covering the six NIST CSF 2.0 functions (govern, identify, protect, detect, respond, and recover), it delves into a number of topics, including platform security, adverse event analysis, cybersecurity supply chain risk management, and the implementation of incident recovery plans.
With the help of the audit programme, auditors can confirm that the NIST CSF 2.0 is being followed, evaluate the efficacy of security controls, policies, procedures, and programmes, update management and other important stakeholders on control status and cybersecurity readiness, and pinpoint areas where the organisation is currently or potentially at risk.
Each subcategory now has more suggested request list items, along with a freshly made appendix that provides a summary of the request list. Furthermore, an assessment worksheet has been included to the audit programme so that auditors can record the assessment of the NIST CSF 2.0 subcategory implementation status.
The Artificial Intelligence Audit Toolkit, a library of AI controls derived from specific control frameworks and legislation, can be used by auditors to better understand how these controls relate to various aspects of the AI lifecycle, even though there isn’t currently a single standardised framework or methodology for auditing AI.
The Artificial Intelligence Audit Toolkit’s evaluation guide section offers a technique for assessing the control architecture and operational efficacy of AI-enabled tools, systems, and procedures.
It addresses controls in a number of control families and categories covering a wide variety of topics, such as secure systems design and development, human-AI interaction and experience, AI data privacy and rights, and AI bias mitigation and fairness.
It also covers the six AI explainability dimensions logic, accountability, data, fairness, safety, performance, and impact. Furthermore, it covers the essential components of the assessment development approach: control synthesis and mapping, as well as explainability integration.
With spreadsheets that offer guidance on the AI control evaluation relevant to each explainability dimension, the Excel-based toolbox offers a comprehensive resource to support AI assessment efforts.