Framework for Risk-Based IoT Cybersecurity Audit Engagements
Danielle Hanson, Jeremy Straub

TL;DR
This paper introduces a comprehensive risk-based framework for auditing IoT devices' cybersecurity, addressing a critical gap in current literature and supporting auditors across industries and experience levels.
Contribution
It proposes a novel, adaptable auditing framework specifically designed for IoT devices, applicable to diverse organizational contexts and auditor expertise levels.
Findings
Framework enables systematic IoT security assessment
Applicable across industries and auditor experience levels
Addresses a significant gap in IoT cybersecurity literature
Abstract
The use of Internet of Things (IoT) devices is growing at a rapid rate. While much of this growth is in consumer devices, IoT devices are also commonly found in corporate and industrial environments. These devices can be organization-owned and managed by an information technology unit, deployed within the organization without the knowledge or involvement of technology staff, or brought into the corporate environment by user-owners. In each case, these devices may have access to corporate networks and data and are thus important to consider as part of organizational cybersecurity risk assessment. Despite the prevalence of these devices, there is little literature about how to audit their security. This paper presents a risk-based auditing framework which can be used by both internal and external auditors, of any experience level and in any industry, to assess IoT devices.
Taxonomy
Topics: Information and Cyber Security · IoT and Edge/Fog Computing · Software System Performance and Reliability
