Description
Practical guide to cybersecurity controls, systems, programs, and management
This book is a comprehensive, field-tested guide to the full spectrum of cybersecurity auditing, enabling readers to assess, evaluate, and improve security controls across today’s complex IT environments. It covers cybersecurity operations, governance, and risk management, offering a practical auditing roadmap that spans internal systems, cloud infrastructure, application development, and vendor ecosystems.
From the fundamentals of audit planning to the nuanced challenges of assessing hybrid environments, each chapter is structured to deliver actionable insights, technical depth, and strategic relevance. Forward-looking chapters explore automation, continuous auditing, and AI integration, making the book a future-ready resource in an evolving cybersecurity landscape.
Cybersecurity Auditing discusses:
- Security standards and regulations (NIST CSF/800-53, ISO 27001, SOC 2, PCI, HIPAA), risk assessment, and control design for modern systems
- Identity and access management, network and perimeter security, application and API security/CI-CD (DevSecOps)
- Incident response, crisis and vulnerability management, pen test oversight, and third-party and supply-chain security
- Audit reporting, executive communication, annual audit planning, and capability development
Suitable as a primary reference, instructional text, or professional desk guide, Cybersecurity Auditing provides the structure and depth needed to effectively elevate cybersecurity audit engagements and improve organizational assurance.
Table of Contents
Preface xiii
Acknowledgments xv
About the Companion Website xvii
1 The Role of Audit in Security Governance, Risk, and Compliance 1
2 Security Standards and Regulations 19
3 Risk Assessment and Control Design for Modern Systems 35
4 Evidence, Sampling, and Testing Techniques 51
5 Auditor Ethics, Independence, and Professional Judgment 71
6 Identity and Access Management 89
7 Network and Perimeter Security 105
8 Application and API Security/CI-CD 125
9 Cloud and SaaS Security 141
10 Data Protection 157
11 Logging, Monitoring, and Detection 177
12 Incident Response and Crisis Management 197
13 Vulnerability Management and Pen Test Oversight 219
14 Third-party and Supply-chain Security 239
15 OT/ICS and Critical Infrastructure Audits 261
16 Sector Overlays (Financial, Healthcare, Public) 285
17 Automation, Continuous Auditing, and Advanced Analytics 303
18 AI Threat Modeling and Attack Surfaces 323
19 Secure MLOps and Model/Endpoint Controls 341
20 AI Monitoring and Incident Response 359
21 Audit Reporting and Executive Communication 379
22 Annual Audit Planning and Capability Development 399
Chapter Answers 419
Glossary 445
Index 453