
Top 7 cybersecurity books for IT auditors in 2020

September 10, 2020 by Fakhar Imam


Before delving into top cybersecurity books for IT auditors, it is essential to have a short look at who IT auditors are.

IT auditors are responsible for examining and evaluating the enterprise’s IT policies, operations and technological infrastructure. They make sure that corporate assets are properly protected and that data integrity is ensured and aligned with overall business goals. They also identify problems with efficiency, compliance and risk management.


In this article, we will take a look at six cybersecurity books that are effective for IT auditors in 2020.

1. IT Auditing: Using Controls to Protect Information Assets, Third Edition

“IT Auditing: Using Controls to Protect Information Assets” (Third Edition) is fully updated with leading-edge technologies and tools. This book explains how to implement an effective and successful IT audit program across the entire IT infrastructure, including hardware, software, rules and regulations, policies, compliance standards, frameworks and risk management techniques. This comprehensive guide also explains how to form an effective IT audit team.

Reviews are positive. According to Dr. Joseph S. Maresca, “Overall, ‘IT Auditing Using Controls to Protect Information Assets’, Third Edition by Mike Kegerreis et al. is a comprehensive and easy to understand treatise on IT auditing. This book should be in every collegiate MIS program and in the possession of every IT auditor and IT licensed professional. Most importantly, the authors explain the human relations dimensions of IT auditing and practical ways to approach the audit and auditee.”

Another review comes from Billy Rodgers, co-founder of Fanpage. He highly recommends “IT Auditing: Using Controls to Protect Information Assets, Third Edition” because the book provides a systematic and straightforward approach to performing a comprehensive audit that ensures the security of digital assets and data. It also includes templates, checklists and breakdowns of the latest technology.

This book is authored by industry-leading IT auditors: 

Chris Davis: He is a senior IT auditor at Texas Instruments and author of the best-selling book “Hacking Exposed: Computer Forensics.” Chris holds an MBA as well as CISA, CISSP and CCNP certifications.

Mike Schiller: He is the Chief Information Security Officer (CISO) at Texas Instruments and has over 15 years of experience in the IT audit field. Mike holds a CISA certification.

Mike Kegerreis: Mike holds a CISSP certification and is the lead information security architect at Texas Instruments.

2. The Basics of IT Audit, First Edition

“The Basics of IT Audit” (First Edition) helps IT auditors by providing a thorough and comprehensive overview of the IT auditing process.

Key features:

  • Allows IT auditors to prepare for, conduct and respond to the results of IT audits
  • Elaborates on the advantages and disadvantages of performing external and internal IT audits
  • Discusses the fundamental points of complex standards and regulations such as HIPAA, FFIEC, SEC and Sarbanes-Oxley
  • Provides insight into some cybersecurity frameworks such as ISO-27000, FISCAM, ITIL, COSO, GAAS and COBIT.

If you are pursuing a career in IT audit or studying for a degree in IT assurance, this book is a good primer. It demystifies the audit process and is recommended for anyone in IT who may be involved in their company’s audit process. (Book review: “The Basics of IT Audit” at Security Ramblings.)

The author, Stephen Gantz, is an information security and IT consultant with more than 20 years of experience in security and privacy management, strategic planning, enterprise architecture, systems development and integration. He holds several certifications, including CISSP-ISSAP, CEH, CRISC, CGEIT, C|CISO and CIPP/G. 

3. Auditing IT Infrastructures for Compliance, 2nd Edition

“Auditing IT Infrastructures for Compliance” (Second Edition) provides a unique overview of US-based compliance laws related to IT infrastructure and information systems. These laws apply to both private and public organizations. 

This concise book helps IT auditors know how to audit IT infrastructure in order to meet compliance requirements, protect privacy data and prevent business disruption due to IT failures. It is divided into three parts:

Part One: The Need for Compliance

  • IT security assessment
  • IT security audit
  • Importance of governance and compliance
  • US compliance laws
  • PCI DSS, FERPA, COPPA, CIPA, HIPAA, Gramm-Leach-Bliley, Red Flags Rules and Sarbanes-Oxley
  • Scope of an IT compliance audit, including the protection of data and the design and implementation of security controls
  • The IT infrastructure that needs to be audited: the remote access domain, application/system domain, WAN domain, LAN domain, LAN-to-WAN domain, workstation domain and user domain
  • Maintenance of IT compliance

Part Two: Auditing for Compliance: Frameworks, Tools and Techniques

  • How to audit against frameworks and standards (e.g., COBIT, COSO, ISO/IEC 27001/27002, NIST SP 800-53 and so on)
  • Planning and conducting a compliance audit of the IT infrastructure
  • Writing the report after the IT infrastructure audit
  • Compliance within the workstation domain, LAN domain, WAN domain, LAN-to-WAN domain, user domain, remote access domain and system/application domain

Part Three: Beyond Audits

This section discusses ethics, education and certification for IT auditors: career opportunities, professional ethics, integrity and codes of conduct. It also covers the certifications offered by bodies such as ISACA and the IIA.

The second edition of “Auditing IT Infrastructures for Compliance” is a part of the Information Systems Security and Assurance Series from Jones and Bartlett Learning. This series is designed for curriculums and courses in cybersecurity, IT security, information systems security and information assurance. This book also includes real-world examples and applications. 

This book has been reviewed by the leading technical experts in the field. It is current and forward-thinking and will help its reader solve the cybersecurity challenges of today and tomorrow. 

The author, Martin Weiss, manages a team of information security experts at RSA, which helps organizations accelerate their business by solving their most sensitive and complex challenges. Martin holds several certifications, including CISSP, Security+ and MCSE.

4. Information Technology Control and Audit, Fifth Edition

The new edition of “Information Technology Control and Audit” provides a concise look at the IT infrastructure and environment, including outsourcing, governance, strategy, legislation, the audit process and emerging technologies. This comprehensive book also provides insight into IT audit risk, IT audit procedures and the auditor’s involvement within the IT audit realm.

This book consists of four parts:

Part 1: Foundation for IT Audit

  • IT audit and IT environment
  • IT legislation
  • IT audit process
  • IT auditing tools and techniques

Part 2: Planning and Organization

  • IT governance and strategy
  • Project management
  • Risk management
  • System development life cycle 

Part 3: Audit Environment

  • Application system: Risk and controls
  • Change control management
  • Operations of information systems
  • Information security
  • Systems acquisition, service management and outsourcing 

Part 4: Appendices

What sets this book apart is its appendices. They offer a starting point and points to consider when performing any technology audit. They include:

  • Understanding the IT environment and the IT planning memo
  • Sample IT audit programs
  • Risk assessment using NIST SP 800-30
  • An information systems operations policy
  • Auditing end-user computing groups
  • Recommended control areas for auditing software acquisitions

If you are a student, the book provides flashcards to test your knowledge of key terms and recommends further reading. For lecturers and instructors, there are manuals, course schedules and sample syllabi, test questions and PowerPoint lecture slides.

The author, Angel R. Otero, holds a Ph.D. and several certifications, including CPA, CISA, CITP and CRISC. He is also an active member of ISACA, the Institute for Internal Controls (IIC) and the American Institute of Certified Public Accountants (AICPA).

5. Operational Assessment of IT

This book presents concepts and ideas about business processes and how to achieve organizational goals effectively. It concentrates on organizational processes rather than on the computing environment, resource programs, enterprise risk or specific technologies.

Key features

  • Organizational goals
  • Measuring the success of the processes and organization
  • Operational auditing
  • Operational assessment fieldwork
  • Operational assessment planning
  • Assessment reporting
  • COBIT and IT

Author Steve Katzman has 14 years of experience in auditing, both internal and external. He also holds various cybersecurity certifications, including CISSP, CRISC, CRMA, CISA and CIA. 

This book has been reviewed well. According to Barak Engel, “Steve’s book is truly a delight. I have worked with hundreds of auditors, and only a couple of them have ever shown the scope and breadth of experience, the desire to go beyond the following rote process, and the sheer interest in staying true to the purpose of an audit – any audit – that Mr. Katzman exhibits in his book. For me, this work provided a great insight into the mind of an auditor, in a way that I never quite grasped before. That is undoubtedly going to help me in future audits. Considering the way Steve seamlessly transitions between the client and auditor viewpoints, if you are an auditor (the stated target audience for this book), then I cannot imagine how it would fail to help in a mirrored fashion.” 

6. CISA Review Manual, 27th Edition

As the name implies, the “CISA Review Manual” is specifically designed for the CISA certification exam offered by ISACA. However, the book is equally useful for all IT auditors, since CISA certification is recommended for IT auditors. The “CISA Review Manual” assists IT auditors with auditing, assessing, monitoring and controlling an organization’s IT and business systems.

Once you have a strong grasp of this book, you will have mastered the information systems auditing process; the governance and management of IT; information systems acquisition, development and implementation; and information systems operations, business resilience and the protection of information assets. If you are starting a career in IT auditing and want CISA certification, then this book is for you.

7. IT Audit, Control, and Security, 2nd Edition

The role of auditors is indispensable in today’s computer security. They must ensure that the IT infrastructure is protected and secured. To this end, “IT Audit, Control, and Security” (Second Edition) provides them with the guidance they need to make sure that their IT systems are protected from both external and internal threats.

After reading this book, you will know the types of internal security controls and the security and integrity procedures that security professionals must build into their automated systems.

Author Robert R. Moeller has more than 30 years of experience in internal auditing. He has also served as an audit director at a Fortune 50 company. His certifications include CISSP, PMP, CISA and CPA.


In this article, you have seen some of the best cybersecurity books for IT auditors in 2020. While not every IT auditor needs the full set of them on their bookshelf, it’s worth deciding what knowledge you will need in your day-to-day operations in order to know which volumes should be considered indispensable. If IT auditor is your career track of choice for the long term, you will probably want most of these and more easily at hand, but these six will provide you with a good start. 



  1. IT audit (information technology audit), TechTarget
  2. What is an IT auditor? A vital role for risk assessment, CIO
  3. The Basics of IT Audit 1st Edition, Elsevier
  4. The Basics of IT Audit 1st Edition, Amazon 
  5. Book review: The Basics of IT Audit, Security Ramblings 
  6. IT Auditing Using Controls to Protect Information Assets, Third Edition, Amazon
  7. Auditing IT Infrastructures for Compliance, 2nd Edition, Amazon 
  8. Auditing IT Infrastructures for Compliance, 2nd Edition, O’Reilly
  9. Information Technology Control and Audit, Informa
  10. Operational Assessment of IT, Routledge Taylor & Francis Group
  11. Operational Assessment of IT (Internal Audit and IT Audit) 1st Edition, Amazon 
  13. IT Audit, Control, and Security 2nd Edition, Amazon 
Fakhar Imam

Fakhar Imam is a professional writer who holds a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.