IIA Cybersecurity Topical Requirement: What Internal Audit Teams Must Do Before 5 February 2026

At Pyralink Innovation Ltd, our team has been working through the Institute of Internal Auditors’ new Cybersecurity Topical Requirement with internal audit functions on both sides of the Atlantic. The requirement becomes effective on 5 February 2026, and any internal audit function that conforms with the IIA’s Global Internal Audit Standards will need to apply it. This article walks through what the Topical Requirement covers, when it triggers, and how Chief Audit Executives can prepare their teams.

What Is the IIA Cybersecurity Topical Requirement?

The IIA Cybersecurity Topical Requirement is the first in a new series of mandatory topical requirements issued by the Institute of Internal Auditors. According to the IIA, it “provides a consistent, comprehensive approach to assessing the design and implementation of cybersecurity governance, risk management, and control processes.”

It sets out 17 specific requirements across three domains: Governance, Risk Management, and Control Processes. Internal audit functions that conform with the Standards must apply the Topical Requirement to any engagement that touches cybersecurity — not only to dedicated IT audits.

The challenge is wider than it first appears. As Rehmann notes in its analysis of the requirement, the trigger is not limited to engagements titled “cybersecurity audit”. Any audit planning activity, fieldwork discovery, or ad hoc request that touches systems, data, or access can bring the Topical Requirement into scope. In Rehmann's words, “the most challenging aspect of the requirement is determining the applicability of the individual requirements at the internal audit engagement level.”

Domain 1: Governance — The Six Foundation Requirements

The Governance domain covers the leadership, structure, and accountability needed for cybersecurity to be managed as an organisational priority rather than a technical afterthought. Internal auditors are expected to assess:

  1. Cybersecurity strategy and objectives — is there a documented, board-approved cybersecurity strategy aligned to business objectives?
  2. Cybersecurity policies and procedures — do the policies cover the relevant risk areas, and are they kept current?
  3. Roles and responsibilities — is accountability for cybersecurity clearly assigned, including at executive and board level?
  4. Board oversight — does the board receive sufficient information to oversee cybersecurity risk?
  5. Resources and funding — is the cybersecurity programme adequately resourced?
  6. Accountability — are individuals and committees held to account for cybersecurity outcomes?

In our team's experience, the documentation question is the one that catches audit functions out. The board may receive cybersecurity papers, but the audit trail showing how those papers map to the documented strategy and policy framework is often missing. Internal auditors will need that evidence to demonstrate applicability decisions for each requirement.

Domain 2: Risk Management — Six Requirements on Identifying and Responding to Cyber Risk

The Risk Management domain shifts from governance structures to how the organisation actually identifies, treats, monitors, and recovers from cyber risk. The six requirements are:

  1. Risk identification and assessment — is there a documented methodology for identifying cyber risks across the business?
  2. Risk response and mitigation — are risks treated proportionately, with documented decisions on accept, mitigate, transfer or avoid?
  3. Risk monitoring and reporting — are cyber risks tracked over time and reported to the right audiences?
  4. Incident response and recovery — is there a tested incident response capability?
  5. Third-party risk management — are suppliers, cloud providers, and other third parties assessed for the risk they introduce?
  6. Business continuity and disaster recovery — can the organisation continue to operate — and recover — after a significant cyber event?

Third-party risk and incident response are where our consultants see the largest evidence gaps. Many organisations have policies. Far fewer have the recent tabletop exercise records, vendor risk assessments, and recovery test results that an internal auditor will reasonably expect to see when evaluating these requirements.

Domain 3: Control Processes — Five Requirements on the Day-to-Day Controls

The Control Processes domain assesses whether the actual controls operating across the business are designed and implemented to manage cyber risk. The requirements are:

  1. Control design and implementation — are controls designed to address identified risks?
  2. Control effectiveness assessment — is there evidence the controls are operating effectively?
  3. Compliance with laws and regulations — is the organisation meeting its obligations under data protection and sector-specific regimes such as the UK GDPR, HIPAA in the United States, and the CCPA in California?
  4. Training and awareness — are staff trained appropriately for their role?
  5. Physical and environmental controls — are physical access, environmental safeguards, and asset handling in place?

This domain is where internal auditors will most often need to coordinate with second-line functions, IT, and external assessors. Evidence from existing ISO 27001 audits, SOC 2 reports, and cloud security assessments can legitimately be used — the Topical Requirement does not require auditors to start from a blank sheet, only to assess what is in place against the framework.

When Does the Topical Requirement Trigger?

This is the question every Chief Audit Executive is asking, because the answer determines workload. Rehmann's guidance is consistent with what our team is seeing in practice:

  • Audit planning — when the annual or rolling audit plan includes any engagement with a cybersecurity dimension, applicability has to be considered.
  • Fieldwork discovery — if cybersecurity issues surface during an audit that was not originally framed as cyber, the Topical Requirement may need to be applied retrospectively to that engagement.
  • Ad hoc requests — requests from the board, audit committee, or executive that touch cyber risk also trigger the requirement.

For each engagement, internal audit must document which of the 17 requirements apply, which are excluded, and why. That applicability assessment is itself audit evidence, and it is the single most common gap we see when we review audit functions against the new standard.

What This Means for FTSE 350 and Regulated Firms

Internal audit functions in regulated UK firms already work to high evidence standards under FCA and PRA expectations. For these firms, the Topical Requirement is less of a new obligation and more of a structured way to articulate what good cybersecurity assurance looks like across Governance, Risk Management, and Controls. The work to prepare typically involves mapping existing audit programmes to the 17 requirements, identifying gaps, and refining the engagement-level applicability assessment.

For NHS Trusts, public sector internal audit teams, and mid-market organisations, the lift is usually larger. The Topical Requirement assumes a mature documentation set across all three domains. Where that documentation is patchy, internal audit's own conformance assessment becomes harder to defend.

How Pyralink Helps Internal Audit Functions Prepare

Pyralink Innovation Ltd works with Chief Audit Executives, Heads of Internal Audit, and audit committees to operationalise the IIA Cybersecurity Topical Requirement. Our team brings CISM, CISA, and CC qualifications across all eight English-speaking markets we serve, and we offer three engagement models depending on where you are in your preparation:

  • CloudAuditX evidence platform — our autonomous multi-cloud security assessment platform produces structured evidence aligned to ISO 27001, NIST, MITRE ATT&CK, STRIDE, SCF, and CIS. The output supports requirements covering risk identification, control design, control effectiveness, and regulatory compliance. Run a free CloudAuditX assessment to see the format of evidence the platform produces.
  • ISO 27001 Toolkit — 65 documented policies and procedures that map directly onto the Governance and Risk Management domains. Used as a starting point, the toolkit provides the policy backbone for requirements 1, 2, 3, 5, 6, 10, 11, and 12.
  • Fractional vCISO engagement — for organisations that need ongoing leadership through the first 12 months of the Topical Requirement, our fractional vCISO retainer covers the full lifecycle: gap assessment, remediation plan, board reporting, and engagement-by-engagement applicability documentation. See our vCISO service for details.

Next Steps for Chief Audit Executives

With the 5 February 2026 effective date now firmly in view, our team recommends three practical actions:

  1. Map your current audit universe against the 17 requirements and document which engagements will need an applicability assessment.
  2. Identify evidence gaps — particularly around third-party risk, incident response testing, and control effectiveness assessment, where we see the most common shortfalls.
  3. Confirm your documentation approach for engagement-level applicability decisions, since that is the single most challenging aspect highlighted by both the IIA and independent commentary on the requirement.

If you would like our team to review where your internal audit function stands against the Topical Requirement, you can book a discovery call or start with a free assessment via our CloudAuditX scanner. We will respond within one working day.

Sources: Institute of Internal Auditors — Cybersecurity Topical Requirement; Rehmann analysis of the IIA Cybersecurity Topical Requirement; UK Information Commissioner's Office guidance on the UK GDPR.