Academy
Governance, Risk and Audit experimental
Governance, Risk and Audit One taught spine, three examinable views: govern the program, run the risk lifecycle, audit the evidence Governance as a program. Why security governance is a standing program rather than a project: the NIST CSF 2.0 Govern function, board accountability, the three lines model, and Aldergate Mutual, the fictional insurer the whole course builds against.. Explain why governance asks for a standing, evidenced program rather than one-off fixes.. Place the six NIST CSF 2.0 functions and state what the Govern function added in 2024.. Assign a duty to the correct line in the three lines model for a given scenario.. Programs versus projects, The CSF 2.0 Govern function, Boards and the three lines, Aldergate Mutual, the teaching case Governance as a program A firewall can be bought; governance cannot. Governance is the standing arrangement by which an organization decides what security must achieve, assigns accountability for achieving it, and verifies, on evidence, that it is achieved. This module sets the frame the whole course reuses: security as a program that outlives any single project, budget cycle or incident. Programs versus projects A project ends; a program persists. When Aldergate Mutual, the fictional insurer this course builds against, "did security" as a 2023 project, the controls decayed within a year because nothing owned their upkeep. A program carries three permanent features a project lacks: an accountable owner, a recurring evidence cycle, and a route by which the board learns whether its risk decisions still hold. The CSF 2.0 Govern function NIST's Cybersecurity Framework (CSF) 2.0 (2024) reorganized the field around six functions by adding Govern to the historic five: Govern is deliberately first: every other function's outcomes are decisions someone must own. The rest of VERDICT hangs off this function. Before 2024, CSF 1.1 treated governance as implicit, folded into Identify's asset and risk-management categories. Practitioners noticed the gap: a framework that named Identify, Protect, Detect, Respond and Recover but never named who decided the risk appetite those functions serve left accountability to inference. CSF 2.0's Govern function makes explicit six things that used to live in unwritten custom: organizational context, risk management strategy, roles and responsibilities, policy, oversight, and supply chain risk management. Aldergate Mutual's 2023 lapse is exactly what an implicit Govern function produces: controls with no named owner decay the moment the person who happened to care moves on. Boards and the three lines The three lines model places operational management first (it owns and treats risk), risk and compliance functions second (they set method and challenge), and internal audit third (it gives the board independent assurance). The board itself sits above the lines: it sets appetite and receives assurance. When a duty cannot be placed on a line, that itself is a governance finding. Some organizations now describe a fourth line: regulators, external auditors and rating agencies who form an opinion the board did not commission but must still answer to. VERDICT treats the fourth line as context rather than structure, because Aldergate Mutual cannot assign it duties the way it assigns duties to the first three; it can only prepare for what the fourth line will ask to see. A board that manages only the three lines it controls, while ignoring how the fourth line will read its evidence, is preparing for the wrong audience. Aldergate Mutual, the teaching case Aldergate Mutual runs a regulated claims platform, an outsourced claims-imaging supplier, and a three-person internal audit team. Each module tests its concepts against this organization, and module m8 goes further: you will audit real, inspectable CCICCS artifacts, not just case text. Open the planned lab to map Aldergate Mutual's duties onto the three lines, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Governance instruments. The working tools of a governance program: the policy hierarchy from policy to procedure, accountability structures, security metrics a board can act on, and alignment of security strategy with the organization's objectives and legal duties.. Order the policy hierarchy (policy, standard, guideline, procedure) and state what each binds.. Design a metric that measures a control outcome rather than activity volume.. Trace a legal or regulatory duty into a specific governance instrument at Aldergate Mutual.. The policy hierarchy, Accountability and ownership, Metrics boards can act on, Aligning strategy with obligations Governance instruments Governance without instruments is a speech. This module covers the four working tools that turn intent into obligations someone can be held to: the policy hierarchy, accountability structures, metrics, and strategic alignment. The policy hierarchy The hierarchy exists so that an auditor (module m5 onward) always has criteria: a standard states what should be, and evidence shows what is. ISO/IEC 27014:2020, co-published by the International Organization for Standardization and the International Electrotechnical Commission (IEC), frames these instruments as the governing body's channel for directing and evaluating the security program. The hierarchy also disciplines drafting. A document that mixes intent and step-by-step execution in one paragraph is neither reviewable as policy nor usable as procedure, and it ages badly: a procedural detail changes every quarter, while a policy principle should survive years. Aldergate Mutual splits documents on that test alone; if a clause needs updating whenever a tool changes, it belongs in a procedure, not a policy. Accountability and ownership Every instrument needs an owner with the authority to change it and the duty to answer for it. A policy owned by "the security team" is owned by nobody. Aldergate Mutual assigns each standard to a named role, reviewed annually, and its steering committee charter states who may grant exceptions and for how long. Exceptions without expiry dates are policy repeals in disguise. Ownership also has to survive personnel change, which named-role assignment handles better than named-person assignment. A standard owned by "the Head of Identity and Access Management" keeps an owner through a resignation; a standard owned by a person's name quietly becomes ownerless the day that person leaves, and nobody notices until an auditor asks who last reviewed it. Metrics boards can act on A board metric must connect to a decision. "Phishing emails blocked" rises with attack volume and says nothing about control effectiveness. Better: "percentage of leavers revoked within 24 hours" measures an outcome the board set through a standard, trends meaningfully, and fails visibly. Control Objectives for Information and Related Technology (COBIT) 2019 calls this the goals cascade: enterprise goals decompose into alignment goals and then into measurable governance and management objectives. The cascade matters because it stops metrics from being invented bottom-up. A team that picks whatever it can already count tends to report volume, not outcome. Working the cascade top-down instead, from an enterprise goal such as regulatory compliance, forces the question "what measurable governance objective would tell the board this goal is on track," and only then does the team ask what data already exists to answer it. Aligning strategy with obligations Security strategy earns its budget by tracing each initiative to either an organizational objective or a legal duty. Aldergate Mutual keeps a one-page obligations register: each regulation or contract clause points at the standard that implements it and the metric that evidences it. Module m10 applies the same tracing discipline to certification blueprints. Open the planned lab to assemble a policy stack for one obligation, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The risk vocabulary. ISO 31000:2018 as the shared language of the whole track: principles, framework and process; risk appetite versus risk tolerance; risk criteria set before assessment; and why one vocabulary serves CRISC, CISM, CSF 2.0 Govern and DORA at once.. Define risk, risk source, event, consequence and likelihood in ISO 31000 terms.. Distinguish risk appetite from risk tolerance and compute a numeric example of each.. Explain why risk criteria must be set before assessment begins, not after results arrive.. Principles, framework, process, Appetite versus tolerance, Risk criteria come first, One vocabulary, many exams The risk vocabulary Before assessing anything, agree on words. ISO 31000:2018 supplies the vocabulary this whole track shares: the same terms serve Certified in Risk and Information Systems Control (CRISC), the Certified Information Security Manager (CISM) governance domains, the NIST Cybersecurity Framework (CSF) 2.0 Govern function, and Digital Operational Resilience Act (DORA)'s risk articles, which is why this module exists once instead of four times. Principles, framework, process ISO 31000 is organized in three parts. The principles state what good risk management is like (integrated, structured, customized, inclusive, dynamic, evidence-based, human-aware, continually improving). The framework is the governance shell: leadership commitment, integration into the organization, design, implementation, evaluation, improvement. The process is the working loop: establish scope and criteria, assess (identify, analyse, evaluate), treat, record, monitor, communicate. The three parts depend on each other in a specific order that is easy to skip. A framework without committed leadership produces a process nobody follows under pressure; a process without a framework behind it produces one-off assessments that never accumulate into an organizational capability. Aldergate Mutual's first attempt at ISO 31000 adoption ran the process directly, skipped the framework, and had to redo the exercise a year later once turnover erased what the one trained analyst had known. The core terms Note what risk is not: it is not "a hack," not a vulnerability, not a budget line. It is defined relative to objectives, which is why governance (m0, m1) had to come first: without stated objectives, risk has no referent. The table's ordering also matters. A risk source and a vulnerability are not interchangeable: a risk source is the element capable of giving rise to risk at all (an internet-facing portal, a third-party supplier), while a vulnerability is a weakness a specific threat can exploit. Treating the two as synonyms is how registers end up listing "phishing" as a risk when phishing is an event, not the objective it threatens. Appetite versus tolerance Appetite is the broad amount and type of risk an organization is willing to pursue or retain: Aldergate Mutual has a high appetite for digital-channel growth. Tolerance is the specific, measurable boundary around a given objective: at most 4 hours of claims-platform outage per quarter. Appetite sets direction; tolerance is what an auditor can test against. Risk criteria come first Criteria (scales, thresholds, how likelihood and consequence combine, when a risk is acceptable) must be fixed before assessment. Set afterwards, they bend to justify whatever the assessment found, and the register becomes a rationalization engine. Module m3 shows what happens inside the scales themselves. Aldergate Mutual learned this the hard way: an early register scored the claims-imaging outage risk as low only after the assessment was already underway, once it became clear a high score would trigger an expensive contract renegotiation. Fixing criteria first does not remove judgment from risk assessment; it removes the assessor's ability to move the goalposts once the answer is inconvenient. Open the planned lab for a vocabulary drill against short scenarios, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Assessing risk. The assessment step done honestly: NIST SP 800-30r1 threat-event scenarios, likelihood and impact scales, what risk matrices can and cannot do (Cox's compression and ranking failures), and the quantitative alternative sketched by Gordon and Loeb.. Build a threat scenario with source, event, vulnerability, asset and consequence per SP 800-30r1.. Identify a ranking reversal or compression error in a qualitative risk matrix.. State the Gordon-Loeb insight on how much to invest in protecting an information set.. Scenarios per SP 800-30r1, Scales and their traps, What matrices cannot do, The quantitative alternative Assessing risk Assessment is where honesty is easiest to lose. This module teaches the scenario discipline of NIST Special Publication (SP) 800-30 Rev. 1, the traps inside qualitative scales, the documented failure modes of risk matrices, and the quantitative alternative that at least states its assumptions in numbers. Scenarios per SP 800-30r1 A threat scenario is a sentence with five mandatory parts: a threat source initiates a threat event exploiting a vulnerability on an asset producing a consequence. "Simulated: a criminal affiliate (source) sends credential phishing (event) exploiting Aldergate Mutual's unenforced Multi-Factor Authentication (MFA) on the claims supplier portal (vulnerability, asset) leading to fraudulent claim payouts (consequence)." Incomplete scenarios produce unanchorable likelihoods. Drop any one of the five parts and the sentence stops being testable. "Fraud might happen on the portal" names an asset and a consequence but no source, event or vulnerability, so two assessors will silently imagine two different scenarios and score them as if they agreed. Writing the full sentence is slower than writing the short one, which is exactly why it is worth doing before, not after, the scoring meeting. Scales and their traps Qualitative scales (1 to 5) are compressions. Two risks scored likelihood 4, impact 5 may differ by an order of magnitude in expected loss. Anchor every scale point to a range ("impact 5: above 2 million or regulatory license threat"), or the same number silently means different things to different assessors, and averages across assessors mean nothing at all. Anchoring is cheap and rarely done. A workshop that spends ten minutes writing one sentence per scale point, before scoring a single risk, removes most of the disagreement that otherwise surfaces as an argument about the final number. The argument was never really about the number; it was about what the number meant, and that should have been settled first. What matrices cannot do Cox (2008) proved the standard objections: matrices can assign identical cells to risks differing by orders of magnitude (compression), can rank a quantitatively smaller risk above a larger one (ranking reversal), and their qualitative categories can be inconsistent with any coherent quantitative interpretation. The practical rule this course adopts: a matrix may sort conversation priorities, but a decision with money attached deserves at least an interval estimate of loss. None of this makes matrices useless; it bounds what they are for. A matrix is a communication device that lets a room agree on rough priority quickly, and that is a real job worth doing. The mistake Cox's critique targets is using the same tool to make a decision that turns on the difference between a 50,000 and a 5 million dollar expected loss, where a compression built for conversation cannot carry the weight of the number. The quantitative alternative Gordon and Loeb (2002) showed that the optimal security investment for an information set never exceeds roughly 37 percent of the expected loss, and that investment should target information sets of intermediate vulnerability rather than the most vulnerable ones. The point for a Level II learner is not the algebra: it is that a quantitative frame produces statements that can be checked and challenged, which is what governance (m0) and audit (m5 to m9) require of every other management claim. A quantitative estimate does not have to be precise to be useful; it has to be checkable. Stating a loss range of 200,000 to 2 million with the assumptions written down lets a colleague challenge the assumptions and narrow the range; a qualitative score of "high" invites no such challenge because there is nothing under it to disagree with. That checkability, not the arithmetic itself, is the property module m5 onward calls evidence. Open the planned lab to reproduce a ranking reversal inside a 5 by 5 matrix, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Risk response and monitoring. Closing the lifecycle: the four treatment options, the risk register as a living instrument, key risk indicators that fire before losses, and NIST SP 800-37r2's RMF as the depth reference that CRISC's response and monitoring domains sit on.. Select and justify a treatment option (modify, retain, avoid, share) for an evaluated risk.. Design a key risk indicator with a threshold that triggers action before loss.. Identify and map the seven RMF steps onto Aldergate Mutual's claims-platform lifecycle.. Four treatments, one justification, The living register, Key risk indicators, RMF as the depth reference Risk response and monitoring Assessment without response is documentation. This module closes the risk lifecycle: choosing a treatment, keeping the register alive, watching leading indicators, and the NIST Risk Management Framework (RMF) as the depth reference underneath Certified in Risk and Information Systems Control (CRISC)'s response and monitoring domains. Four treatments, one justification Whatever the choice, the justification must cite the criteria from m2: a retention that breaches stated tolerance is not a decision, it is a breach, and the capstone (m11) tests exactly this discipline. The four treatments are not equally reversible. Modify and retain can be revisited at the next review; avoid usually cannot, once the activity and its revenue are gone; share depends on a counterparty staying solvent and the policy staying in force. Aldergate Mutual records which treatment closes off future options, because a cheap decision today that forecloses a cheaper decision next year is not actually the cheap decision. The living register A register row that a Statement of Applicability or an audit can cite needs: an identifier, the scenario, the scores against criteria, the chosen treatment and its controls, an owner, and a review date. A register nobody reads between annual reviews is a graveyard; Aldergate Mutual reviews rows whose indicators moved, not rows whose anniversary arrived. A living register also needs a visible history, not just a current state. When a score moves from amber to red, the row should show what changed and when, so a reviewer six months later can tell whether the treatment failed or the world got worse. Overwriting the previous score erases the very evidence that would let audit (m6 to m9) distinguish a control failure from a genuine shift in the threat environment. Key risk indicators A Key Risk Indicator (KRI) leads; a loss report lags. "Percentage of leavers not revoked within 24 hours" rising above 5 percent fires before an access-abuse loss occurs. Good KRIs attach to a specific register row, have a threshold with a named receiver, and trigger a defined action. An indicator without a threshold is scenery. Indicators also need a stated direction of travel, not just a threshold. "Percentage of leavers not revoked within 24 hours" rising is bad; the same percentage falling toward zero is the treatment working as designed. A KRI dashboard that reports the number without the trend forces the reader to remember last quarter's figure from memory, which is exactly the kind of unverifiable claim module m7's evidence ladder exists to rule out. RMF as the depth reference NIST Special Publication (SP) 800-37 Rev. 2's seven steps (prepare, categorize, select, implement, assess, authorize, monitor) give the engineering-grade version of this module: authorization is a formal, accountable retention decision, and continuous monitoring is KRIs grown to system scale. CRISC's Domains 3 and 4 examine the same loop in management vocabulary; m10 maps the rows. Open the planned lab to build three register rows with one KRI each, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Audit foundations. What makes assurance credible: the ISO 19011 auditing principles, ISACA's ITAF for information systems audit, independence and objectivity as structural properties, and the audit charter that grants the function its mandate.. State the ISO 19011 principles and explain how each protects the audit conclusion.. Distinguish independence (structural) from objectivity (personal) with an example.. Draft and justify the mandate clauses an audit charter needs to survive a management challenge.. Why assurance exists, The ISO 19011 principles, Independence and objectivity, The audit charter Audit foundations Assurance is a manufactured product, and its raw material is credibility. This module explains why anyone should believe an audit conclusion: the principles of ISO 19011, ISACA's IT Assurance Framework (ITAF) for information systems audit, the structural nature of independence, and the charter that grants the mandate. Why assurance exists The board (m0) makes risk decisions on management's information. Management reports on itself, so a third line exists to verify: internal audit examines evidence and reports what it finds to the board, not to the people audited. Power (1997) called the surrounding society's appetite for this "rituals of verification"; the antidote to ritual is method, which is what m6 to m9 teach. Credibility is manufactured the same way every time: a competent auditor, following a disclosed method, examining evidence a reasonable third party could also examine, and reaching a conclusion that does not depend on who asked the question. Remove any one of those four and the conclusion reverts to opinion, however confident its author sounds. Modules m6 to m9 are, in that sense, one long answer to a single question: what exactly makes a conclusion reproducible. The ISO 19011 principles Each finding in m9's anatomy traces back to these: a finding without evidence violates the sixth principle, a hidden finding violates the second. Independence and objectivity Independence is structural: reporting lines, mandate and remuneration free of the activity audited. Objectivity is personal: the individual auditor's unbiased judgment. Structure can be verified from an organization chart; objectivity cannot, which is why the profession leans so hard on structure. An audit head who also operates the IT change process she audits fails independence regardless of her personal honesty. The distinction protects the auditor as much as the auditee. An objective individual placed in a structurally dependent position, reporting to the manager whose work she reviews, will eventually be asked to soften a finding by someone who controls her pay review, and the request rarely arrives as a request. Aldergate Mutual's internal audit head reports functionally to the board's audit committee precisely so that question never has to be answered under pressure. The audit charter The charter is the audit function's own governance instrument (m1): it states purpose, authority (access to records, people, systems), responsibility, and the board reporting line. Without a charter clause granting access, every engagement begins with a negotiation the auditee can win. ITAF standard 1001 makes the charter the first requirement of the profession. A charter is tested rarely and matters most exactly then: the day a business unit head refuses access, cites confidentiality, or tries to narrow scope after fieldwork has already started. An audit head who has to negotiate access from scratch in that moment has, in effect, no charter at all; one who can point to a clause the board itself approved is negotiating from a position the auditee cannot unilaterally move. Open the planned lab to draft mandate clauses against three obstruction scenarios, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Planning an information systems audit. Risk-based audit planning: building the audit universe, ranking it by risk, scoping one engagement with objectives, criteria and boundaries, and the engagement-level plan that CISA Domain 1 examines and the IIA's 2024 Global Internal Audit Standards require.. Identify and assemble an audit universe, then rank it with explicit risk factors.. Write engagement objectives, criteria and scope that an auditee cannot renegotiate mid-audit.. Match planning duties to the IIA Global Internal Audit Standards' engagement requirements.. The audit universe, Risk-based ranking, Objectives, criteria, scope, The engagement plan Planning an information systems audit Audits fail in planning more often than in fieldwork. This module covers the audit universe, risk-based ranking, and the engagement plan whose objectives, criteria and scope are fixed before the first interview. The audit universe The universe is the inventory of everything auditable: systems, processes, suppliers, projects, entities. At Aldergate Mutual it includes the claims platform, the imaging supplier, the joiner-mover-leaver process, the actuarial models, and the CCICCS emulator estate the Academy runs. If it is not in the universe, it can never be selected, so completeness of the universe is itself a periodic audit topic. A universe drifts out of date the same way an asset inventory does: a new supplier onboards without a corresponding row, a decommissioned system stays listed for years, and nobody notices until a finding elsewhere reveals the gap. Aldergate Mutual ties universe maintenance to the same joiner-mover- leaver discipline it audits in module m9's finding examples, on the theory that a process worth auditing is a process worth practicing. Risk-based ranking Both the Certified Information Systems Auditor (CISA) outline and the Institute of Internal Auditors (IIA)'s 2024 Global Internal Audit Standards require plans built on risk. Rank each universe entry with explicit factors: inherent risk (m3's scores), control maturity, change since last audit, time since last audit, regulatory attention. Publish the factors: an unexplained ranking is an invitation to lobby the plan, and the plan is where audit independence (m5) is first attacked. Ranking also has to be revisited between plan cycles, not just at the annual reset. A supplier that scored low-risk in January because it had no material incidents can score high-risk in June after a breach at a peer institution using the same platform; a static annual ranking treats risk as a snapshot when it is closer to a weather forecast that needs updating as conditions change. Objectives, criteria, scope Criteria come from m1's policy hierarchy: this is why auditors love a clean standard and are helpless before an organization with only vague policies. Scope stated in writing makes mid-audit descoping a formal, justified decision rather than a corridor negotiation after early bad findings. The engagement plan The plan assigns tests to objectives, evidence sources to tests, hours to people, and milestones to dates. It also pre-declares the escalation route for obstruction, which converts a confrontation into a procedure. Fieldwork (m7, m8) then executes the plan, and deviations from it are themselves documented decisions. Pre-declaring escalation matters more than it sounds. An auditor who meets refusal mid-engagement and has to invent a response on the spot is negotiating from a position the auditee chose; an auditor who can point to a clause the charter (m5) and the plan both already state is not negotiating at all, just executing what was agreed before anyone had a reason to resist it. Open the planned lab to rank a ten-entry universe and scope one engagement, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Evidence, sampling and analytics. What counts as sufficient appropriate evidence, statistical versus judgmental sampling, attribute sampling for control deviations, and full-population analytics as the modern complement, with working papers that let a reviewer re-perform the work.. Rank evidence sources by reliability and justify the ranking.. Distinguish statistical from judgmental sampling and choose between them for a stated audit objective.. Compute an attribute-sampling deviation rate and decide against a stated tolerable rate.. Sufficient appropriate evidence, Statistical versus judgmental, Attribute sampling, Analytics and working papers Evidence, sampling and analytics An audit conclusion is a claim about a population, usually formed from a subset of it. This module covers what makes evidence sufficient and appropriate, when to sample statistically, how attribute sampling works, and what full-population analytics changes. Sufficient appropriate evidence Sufficiency is quantity; appropriateness is quality (relevance plus reliability). The reliability ladder, most reliable first: evidence the auditor obtains directly (re-performance, own extraction, observation), then evidence from independent third parties, then auditee-produced records under good controls, then auditee assertions. An interview alone sits at the bottom of the ladder; m8 shows how to climb it on real systems. Sufficiency and appropriateness trade off in practice, not just in theory. A large sample of low-reliability evidence, a hundred self-reported checklist entries, does not outweigh one directly re-performed test, because volume cannot repair a reliability defect. Auditors who confuse the two end up with thick working papers and thin conclusions. Statistical versus judgmental Statistical sampling (random selection, measurable confidence) lets the auditor extrapolate: "with 95 percent confidence, the deviation rate is below 7 percent." Judgmental selection (the largest items, the riskiest quarter) cannot be extrapolated but targets known concerns. Elder and colleagues (2013) synthesized the research: both are legitimate; the sin is mixing them silently, extrapolating from a judgmental sample as if it were random. The choice is also visible in how a finding gets defended later. A statistical result survives a challenge with a confidence interval; a judgmental result survives a challenge only by explaining, convincingly, why those particular items were chosen and what they were meant to reveal. An auditor who cannot answer that question in one sentence probably picked the sample for convenience, not for risk. Attribute sampling For control deviations, the arithmetic is deliberately simple. Test n items, find d deviations: the sample deviation rate is d divided by n. Simulated: at Aldergate Mutual, 3 late revocations in a sample of 50 tickets give a 6 percent sample rate. Compare against the tolerable rate set at planning (say 5 percent) with the sampling risk allowance: here the control fails the test, and the result feeds a finding (m9), not a quiet note. Sample size is fixed before testing begins, from the tolerable rate, an expected deviation rate and the desired confidence, not adjusted afterward to reach a preferred conclusion. Stopping early because the first 20 items look clean, or padding the sample because the first 20 look bad, both break the statistical guarantee that made the 95 percent confidence statement true in the first place. Analytics and working papers Where the full population is extractable (logs, tickets, configuration), test all of it: extrapolation risk disappears for that test, and sampling retreats to what analytics cannot reach (undocumented practice, tone, physical reality). Every step lands in working papers complete enough for a reviewer to re-perform the work: source, extraction method, script, parameters, result, conclusion. The CCICCS emulator estate in m8 makes this concrete, because its logs and configurations are fully inspectable by design. Full-population analytics changes the working paper, not just the test. Instead of documenting which items were selected and why, the working paper documents the query or script that touched every record, so a reviewer re-runs the same script against the same extraction and gets the same answer. That reproducibility is a stronger claim than any sample can make, because there is no sampling risk left to disclose. Open the planned lab to run the sampling simulator against a seeded population, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Auditing real systems. The spine's differentiator: control testing against CCICCS's own inspectable artifacts, configuration and log evidence from the Academy's lab engine and emulators, re-performance as the strongest test, and the AI-audit thread that ODYSSEY Module 09 opened.. Design a control test (inquiry, observation, inspection, re-performance) for a technical control.. Extract and evaluate configuration and log evidence from a CCICCS emulator run.. Identify and connect an AI-system audit question to the ODYSSEY Module 09 landscape.. Four test types, Configuration and log evidence, Auditing the CCICCS emulators, The AI-audit thread Auditing real systems This is the module no commercial preparation course can copy: the systems you audit here are CCICCS's own emulators and the Academy's lab engine, real and fully inspectable, not paragraphs of invented case text. Four test types NIST Special Publication (SP) 800-53A Rev. 5 builds its assessment procedures from exactly these methods (examine, interview, test). The auditor's craft is matching the cheapest sufficient test to each control, and escalating when answers and artifacts disagree. Matching cheapest-sufficient is not the same as cheapest. Inquiry costs a few minutes and answers almost nothing on its own; re-performance costs an hour and answers the question directly. The craft is knowing which controls genuinely need the expensive test, because their failure mode is silent, and which ones a documentary inspection already settles, because their failure mode would be visible elsewhere first. Configuration and log evidence Configuration states intent at rest; logs state behavior over time. The two must corroborate: a config declaring 90-day log retention is contradicted by an extraction showing 30-day rotation, and directly extracted evidence outranks the administrator's statement on the reliability ladder (m7). That contradiction is not an awkward moment; it is a finding with condition and criteria already written (m9). The corroboration step generalizes beyond retention settings. Any control that can be described in two places, a policy document and a running system, a config file and an access log, a schedule and a job-execution record, is a candidate for the same test: pull both, compare them directly, and treat any gap as data rather than as something to explain away before it is even written down. Auditing the CCICCS emulators The planned lab bench mounts an emulator run (the CONDUIT transmission emulator and the Academy lab engine are the first subjects) with its configuration, run logs and access records. Exercises: verify the stated retention against the artifacts, re-perform one access-control decision, trace one transaction end to end, and write the working paper (m7) that lets a reviewer repeat all three. The emulator estate's advantage over case-text scenarios is that its artifacts can be wrong in ways nobody scripted. A written case study only ever contains the contradiction the author intended; a real configuration and its real logs can disagree for reasons the exercise designer never anticipated, which is closer to what fieldwork on a live system actually feels like. The AI-audit thread ODYSSEY Module 09 opened CCICCS's AI-audit landscape; VERDICT connects it to classical method. An AI-assisted control adds three questions to any test: where did the training data come from (provenance), how are model changes managed (change control on a moving object), and how is output monitored against drift (a Key Risk Indicator (KRI), in m4's terms, on the model itself). The methods stay inquiry, observation, inspection, re-performance; only the artifacts are new. Open the planned lab bench when the artifact-engine phase delivers it, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Reporting and follow-up. Findings that change behavior: the condition, criteria, cause and effect anatomy, recommendations aimed at root cause, management responses and agreed actions, follow-up that verifies rather than trusts, and reporting lines to the board that preserve audit's mandate.. Write a finding with condition, criteria, cause and effect clearly separated.. Identify the root cause and aim a recommendation at it rather than the symptom.. Design a follow-up step that verifies remediation with evidence, not assertion.. The anatomy of a finding, Root cause, not symptom, Management response and follow-up, Reporting to the board Reporting and follow-up An audit that changes nothing was a cost. This module covers the finding anatomy, recommendations aimed at root cause, management responses, follow-up that verifies, and the board reporting line that keeps the whole mechanism honest. The anatomy of a finding Condition minus criteria is the gap; cause explains it; effect prices it. A finding missing its criteria is an opinion; missing its cause, it invites a cosmetic fix; missing its effect, it will be deprioritized forever. The four elements also have to agree with each other, not just each be true in isolation. A finding whose effect describes a catastrophic outcome but whose cause is a single missed step in an otherwise sound process reads as exaggerated, and management learns to discount the next one. Calibrating effect to cause is what keeps a finding's severity rating credible over many reports, not just the current one. Root cause, not symptom "Tell staff to revoke faster" treats the symptom. The cause was ownership, so the recommendation assigns an owner, automates revocation on Human Resources (HR) triggers, and attaches a Key Risk Indicator (KRI) (m4) so the process measures itself. A good recommendation names the smallest change that removes the cause, its owner, and its date. Root cause is not always a single failure; sometimes it is a missing control that would have caught several unrelated symptoms at once. A recommendation that only fixes the one revocation ticket the auditor happened to sample, without addressing why no ownership existed for the whole process, will look successful in follow-up and still leave the underlying gap in place for the next symptom to surface through. Management response and follow-up Management may accept the recommendation, propose an alternative, or accept the risk; the third option is a retention decision and must meet the criteria discipline of m2 and m4, at the right authority level. Follow-up verifies with evidence, not assertion: an emailed "fixed" reopens the m8 toolkit (inspect the new config, re-perform the control) before the finding closes. IT Assurance Framework (ITAF) reporting standards require tracking findings to closure. A response of "accept the risk" deserves the same scrutiny as any other retention: it names an owner at the authority level m4 requires, it cites the criteria the risk now breaches, and it carries a review date, or it is indistinguishable from simply ignoring the finding with an extra sentence attached. Reporting to the board The board receives what it can act on: the risk position against stated tolerances, findings with responses and dates, overdue items by owner, and prior-finding status. Reporting detail is calibrated to decision rights (m0): the board does not need the log extract; it needs to know which of its stated tolerances are breached and who owes the fix by when. Open the planned lab to compose one complete finding from the m8 evidence, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) The certification landscape. The bridge module: how VERDICT's spine maps onto CISA (2024 outline) and CRISC (2025 outline) domain by domain, what each exam demands beyond the taught material, and the CISM row held as a clearly labelled placeholder until the 2026-11-03 outline publishes.. Locate each CISA 2024 domain on the VERDICT module map and name the gap items.. Locate each CRISC 2025 domain on the VERDICT module map and assess the gap items.. State why the CISM crosswalk is gated and what the 2026-11-03 date changes.. The CISA 2024 view, The CRISC 2025 view, The CISM gate (2026-11-03), How the item bank is written The certification landscape VERDICT teaches one spine; certifications are views over it. This bridge module maps the spine onto the two published outlines, holds the third behind its gate, and explains how this course writes original exam-style items. The Certified Information Systems Auditor (CISA) 2024 view The gap column is honest on purpose: a bridge that claims full coverage teaches you to fail the exam. D4's resilience depth lives in CODEX's ISO 22301 layer; D5's technical depth lives in the Security track courses. Treat the gap column as a reading list, not an apology. A learner sitting CISA within the next quarter should walk D3 through D5's gap notes before the exam, not after a first attempt, because VERDICT was scoped to teach the governance-and-audit spine once, correctly, rather than thinly duplicate technical material that CODEX and the Security track already own. The CRISC 2025 view Certified in Risk and Information Systems Control (CRISC)'s four domains land almost entirely on the risk spine: governance at 26 percent (m0, m1), risk assessment at 22 percent (m2, m3), risk response and reporting at 32 percent (m4, m9), and technology and security at 20 percent (m8 applied, with the same technical depth gaps as CISA D5). CRISC rewards the vocabulary discipline of m2: most distractor answers are vocabulary confusions. That vocabulary discipline pays off beyond the exam. A CRISC-certified professional who can distinguish appetite from tolerance, or risk source from vulnerability, in a live meeting is applying the same distinctions module m2 teaches, at the moment they prevent a badly scoped decision rather than merely a wrong answer on a practice question. The CISM gate (2026-11-03) The Certified Information Security Manager (CISM) 2026 exam content outline publishes on 2026-11-03. VERDICT's governance and risk spines already serve CISM Domains 1 and 2 as historically defined, but this course writes no crosswalk row and no item against unpublished blueprint text. When the outline lands, this module gains its CISM table and Phase (PH)-GOVASSURE-3 unblocks its item-writing task. Until then the placeholder is visible and deliberate. How the item bank is written Every item follows the Architecture Decision Record (ADR)-018 method: one crosswalk row, one atomic learning outcome, one item, tested against either a real incident (cited and independently described) or a scenario clearly labelled simulated. No item copies or paraphrases official exam-bank material; facts, methods and standards are uncopyrightable, expression is not, and a standing intellectual-property review precedes any publication of the bank. The atomic-outcome rule is what keeps the bank traceable. Because every item traces to exactly one crosswalk row and one outcome, a learner who misses an item can walk back to the exact module and paragraph that taught it, and the bank's own coverage against each published domain can be audited the same way module m8 audits any other system: by inspecting the artifact directly. Open the planned lab to walk one crosswalk row into one drafted item, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/) Capstone: one full cycle. Everything at once on Aldergate Mutual: charter the governance program, set criteria and assess the claims-platform risks, choose treatments and indicators, plan and execute the audit against CCICCS artifacts, and report to the board, one evidence chain end to end.. Run the govern, assess, respond, audit, report cycle on the teaching case without prompting.. Identify and keep one evidence chain consistent from risk criteria through audit finding to board report.. Defend each decision against the standards taught in modules m0 to m9.. The brief, Govern and assess, Respond and audit, Report and defend Capstone: one full cycle Everything at once, on one organization, with one evidence chain. The capstone runs Aldergate Mutual through govern, assess, respond, audit and report, and grades the chain's consistency rather than any single artifact. The brief Aldergate Mutual's board has approved a digital-growth strategy, stated its tolerances (at most 4 hours quarterly claims-platform outage; no leaver with access beyond 24 hours), and chartered internal audit. You hold three roles in sequence: the second-line risk function, then the third-line auditor, then the report's author. The emulator estate from m8 supplies the systems. Govern and assess First, the governance instruments (m1): confirm the obligations register, the standards implementing each tolerance, and the owners. Then assessment (m2, m3): criteria before scores, five-part scenarios, anchored scales, and at least one risk where the matrix and an interval estimate disagree, resolved in writing. This is the point in the cycle where most shortcuts get taken, because the govern and assess phases feel like paperwork before the real work of audit. The capstone is graded precisely to punish that instinct: an assessment built on criteria nobody wrote down produces an audit with nothing stable to test against, and the failure only becomes visible three phases later, when it is expensive to trace back. Respond and audit Choose treatments (m4) that respect the stated criteria; any retention beyond tolerance must travel the exception route, or the audit phase will find it. Then switch roles: plan the engagement (m6), gather evidence (m7), test the controls on the emulator artifacts (m8). The capstone deliberately seeds one contradiction between a configuration and its log trail; finding it is not optional. Switching roles mid-capstone is deliberate, not just a narrative device. The same person who set the risk criteria as second line now has to test her own earlier work as third line, with the same evidence standard she would apply to a stranger's. That discomfort is the whole point: an evidence chain that only survives when the auditor is generous to herself is not a chain, it is a courtesy. Report and defend Write the findings (m9), collect management responses, and compose the board report: risk position against tolerances, findings with owners and dates, follow-up status. Then defend it: the assessor challenges three of your decisions against the standards taught in m0 to m9, and the pass criterion is that your evidence chain answers without new facts being invented. Defending the chain out loud is harder than building it, because a question under pressure has to be answered from memory, not from notes. A capstone candidate who can explain why a given risk score led to a given treatment, and why that treatment's evidence satisfied a given audit test, has demonstrated something no single module's self test can: that the chain holds together as one argument, not as four separate exercises. One chain, end to end: the criteria you set in the risk role are the criteria your auditor role tests against and the tolerances your report shows the board. If the chain holds, you have done governance, risk and audit as one discipline, which is the whole argument of this course. Open the planned capstone bench when the artifact-engine phase delivers it, then take the self test. Related CCI capabilities Computer Architecture (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/computer-architecture/). Optics Primer Series (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/optics/). Maths Refresher Series, Finance (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/maths-finance/). System Dynamics (Course): (https://www.cambridgecyberinternational.com/en/insights/academy/system-dynamics/). CCI Lab: Run it, build with it, read the thinking, reuse the data. (https://www.cambridgecyberinternational.com/en/insights/lab/)