Chapter 4

Forming the Opinion and Preparing the Practitioner’s Report

This chapter describes the practitioner’s responsibilities when forming his or her opinion and preparing the report in the cybersecurity risk management examination. This chapter focuses on the required elements of the practitioner’s report and the practitioner’s considerations when determining the type of opinion and other modifications to the report that might be necessary.

Responsibilities of the Practitioner

4.01 In the cybersecurity risk management examination, the practitioner is responsible for directly expressing an opinion, in a written report, on the following matters:

  1. Whether the description of the entity’s cybersecurity risk management program is presented in accordance with the description criteria and

  2. Whether the controls within that program were effective to achieve the entity’s cybersecurity objectives based on the control criteria

4.02 Because there are two distinct but complementary subject matters, the practitioner expresses an opinion on each in his or her report. Therefore, unless otherwise stated, a reference to the practitioner’s report in this chapter includes the practitioner’s responsibility to express an opinion on both the (1) description and (2) effectiveness of controls within the cybersecurity risk management program.

4.03 In some circumstances, management may engage the practitioner to perform an examination on the design of the controls rather than on their effectiveness. ...

Get Guide: Reporting on an Entity's Cybersecurity Risk Management Program and Controls now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial