7122(a)(2)
Control Description
The auditor may be internal or external to the business but must exercise objective and impartial judgment on all issues within the scope of the cybersecurity audit, must be free to make decisions and assessments without influence by the business being audited, including the business’s owners, managers, or employees; and must not participate in activities that may compromise the auditor’s independence. For example, the auditor must not participate in business activities that the auditor may assess in the current or subsequent cybersecurity audits, including developing procedures, preparing the business’s documents, making recommendations regarding the business’s cybersecurity program (separate from articulating audit findings), or implementing or maintaining the business’s cybersecurity program.