The course combines structured theory, facilitated discussion, hands-on exercises, and a capstone RCM development to ensure participants leave with practical, immediately usable tools aligned to the IIA Cybersecurity Topical Requirement.
Topics Covered
Day 1 – Theory Foundations (Governance, Risk Management, Control Activities)
Introduction to the IIA Cybersecurity Topical Requirement
- Purpose and intent of Topical Requirements under the Global Internal Audit Standards
- When and how the cybersecurity requirement applies
- Relationship to assurance, advisory, and combined engagements
Cybersecurity Governance
- Board and senior management responsibilities
- Cybersecurity strategy, policies, and standards
- Roles of the first, second, and third lines
- Metrics, reporting, and oversight expectations
Cybersecurity Risk Management
- Cyber risk identification and assessment techniques
- Threat landscape and business impact considerations
- Risk appetite, tolerance, and prioritisation
- Integration with enterprise risk management
Cybersecurity Control Activities
- Control categories: preventative, detective, and corrective
- Key technology and non-technology controls
- Control design vs operating effectiveness
- Common gaps observed in audits
Day 2 – Practical Application and Worked Examples
Case Study 1: Governance Assessment
- Reviewing board oversight and management accountability
- Mapping governance practices to Topical Requirement criteria
Case Study 2: Cyber Risk Assessment Review
- Evaluating risk assessment quality and completeness
- Linking risks to business objectives and controls
Case Study 3: Control Testing Scenario
- Testing selected cybersecurity controls
- Interpreting evidence and forming audit conclusions
Capstone Practical Exercise – Cybersecurity RCM Project
- Building a comprehensive Cybersecurity Risk and Control Matrix
- Mapping risks, controls, testing approaches, and assurance coverage
- Peer review and facilitator feedback
Learning Outcomes
By the end of this two-day course, participants will be able to:
- Interpret and apply the IIA Cybersecurity Topical Requirement in the context of internal audit engagements, assurance planning, and advisory activities.
- Evaluate cybersecurity governance arrangements, including roles, accountability, strategy alignment, and oversight mechanisms, against leading practices and IIA expectations.
- Assess cybersecurity risk management practices, including risk identification, assessment, prioritisation, and integration with enterprise risk management.
- Test and conclude on the design and operating effectiveness of key cybersecurity controls across preventative, detective, and corrective control activities.
- Apply tools and approaches to compare an organisation's cybersecurity controls against leading frameworks such as NIST SP 800-53, the NIST Cybersecurity Framework 2.0, ISO/IEC 27001 and the ACSC Essential Eight.
- Develop a practical Cybersecurity Risk and Control Matrix (RCM) that can be directly used to support audit planning, fieldwork, and reporting.
- Apply professional judgement to real-world cybersecurity scenarios, balancing technical depth with executive-level communication and assurance needs.
Course information:
IIA-Australia Member: $660.00 AUD
IIA-Australia Non-member: $795.00 AUD
Knowledge Level: Intermediate
CPE Points: 7
Delivery Format: Facilitator-led training via Zoom (Note: This training program will be delivered in two 4-hour lessons, over two days using Zoom. Registrations will be strictly limited to 15 participants to allow maximum interaction in the online environment.)
Facilitator: Aamir Husain PMIIA CIA – Consultant and Lead Auditor, GCC Australia and VIC Chapter Chair 2023-2025, IIA-Australia

Aamir is a highly experienced GRC professional and trainer, specialising in practical, hands-on delivery of large-scale regulatory remediation programs, including technology risk management improvements. With senior leadership experience across the financial services, fintech, and legal sectors, he brings deep expertise in internal audit, risk, compliance, and technology risk. Aamir is recognised for turning complex regulatory and technical requirements into clear, actionable solutions that work in real operating environments. He holds a BCom (Hons), MBA, FCPA, CIA and CISA, and is currently pursuing his CISSP.