Objective assurance for your board and the Central Bank that your response to the IT & Cybersecurity Thematic Review findings is not just documented, but designed correctly and operating effectively in practice.
Why Independent Assurance Matters
The Central Bank's Thematic Review set clear expectations for how credit unions manage IT and cybersecurity risk. Boards are now accountable for demonstrating that remediation is real, effective and independently confirmed.
A Readiness Review of control design, followed by an Operational Effectiveness Review in practice.
The review team is separate from your IT provider and who performed your original gap analysis or remediation.
IT Governance and Risk Management, IT Security, IT Outsourcing, and Business Continuity Management.
A submission-ready Independent Effectiveness Report for the Central Bank of Ireland.
Not a Rubber Stamp.
The value of this assessment rests on independence. We confirm the review team is separate from the parties who performed your original gap analysis or remediation, then map each CBI finding to the specific control intended to address it.
We confirm and document that our team is independent of the parties who performed your original gap analysis and remediation.
We first confirm your policies, procedures and plans are designed to address the findings, then test that those controls are actually operating effectively in practice.
Each CBI finding is traced to the specific documentation and control intended to address it, so nothing is left unaccounted for in your submission.
Who Performs Your Assessment
Your review is carried out by a senior assessor who does this work day in, day out. Each engagement is led by a practitioner with over 15 years' experience and industry-recognised qualifications across audit, governance, privacy and payments.
Held credentials include CISA, CISM, CIPP/E and PCI QSA; evidence of audit, governance, privacy and technical rigour.
Over 15 years delivering security assessments and control reviews 8 of them within the financial sector.
Equally comfortable inspecting a vulnerability scan or a board risk register and able to test controls and judge whether governance meets expectations.
Familiar with the expectations placed on credit unions and other CBI-regulated firms, and what constitutes acceptable evidence.
Behind every assessor stands an accredited firm. Secora Consulting is CREST accredited and holds ISO 27001 and ISO 9001 certification so the individual qualifications delivering your review are backed by assured, independently audited processes.
Our Proposed Methodology
We first confirm the design of your documentation against the CBI's expectations, then independently test that those controls are operating effectively in practice.
Independently confirm that policies, procedures, plans and supporting documentation are designed to address the CBI findings.
What we review
Independence & scoping. Confirm the review team is independent of the original gap analysis and remediation, and map each CBI finding to the document(s) intended to address it.
Policy & asset documentation. Information security and asset management policies, definition of controls, asset criticality and replacement dates.
Technical assurance. Documented scope and frequency of penetration testing and vulnerability scanning, remediation timeframes and reporting routines.
Access management. Procedures for password management, generic account removal and periodic access recertification.
Continuity. BIA critical activities, RTOs and RPOs; IT continuity and test plans for plausible interruption scenarios and secondary-site operation at normal transaction volumes.
Third-party resilience. Evidence of formal review of IT critical third-party provider (CTPP) business continuity arrangements.
Governance. Board reporting format for IT risk, incident reporting and continuity testing; the IT and outsourcing risk register, including concentration risk.
Phase 1 Output
A Readiness Review report stating, finding by finding, whether the documented design meets the CBI's expectations and any gaps to close before operational testing begins.
Independently confirm that the documented controls are operating effectively in practice, not merely committed to on paper.
How we test it
Technical re-validation. Inspect recent penetration test reports and vulnerability scan outputs; verify scanning cadence and that remediation timeframes are met in practice.
Access control testing. Sample user accounts to confirm password management, generic account removal and access recertification are operating as documented.
BIA / RTO / RPO alignment. Verify documented RTOs and RPOs are reflected in operational recovery arrangements for the systems supporting critical activities.
Continuity testing efficacy. Review execution evidence of the most recent IT continuity test, plausible scenarios and services demonstrated at normal transaction volumes from secondary sites.
Third-party resilience in practice. Confirm IT CTPP continuity arrangements have actually been reviewed, not merely committed to in policy and that outcomes are recorded.
Board reporting in practice. Inspect board minutes to confirm IT risk, incidents and continuity test outcomes are reported in the structured, detailed format policy requires.
Risk register in practice. Sample entries to confirm IT, outsourcing and concentration risks are recorded, owned and maintained.
Phase 2 Output
The Independent Effectiveness Report for submission to the CBI comprising Remediation Status, an Effectiveness Statement and any Residual Risk.
How It Works
A structured engagement designed to minimise disruption to your team while producing evidence the Central Bank will accept.
We confirm reviewer independence and map each CBI finding to the specific documents intended to address it, agreeing scope and the evidence we'll need.
We assess the design of your policies, procedures and plans against the CBI's expectations and report, finding by finding, any gaps to close.
We inspect evidence and sample live controls to confirm they are operating effectively in practice, from technical testing to board reporting.
You receive the Independent Effectiveness Report including Remediation Status, Effectiveness Statement and Residual Risk ready to submit to the Central Bank.
Common Questions
Leave us your details and one of our team will reach out to explore how we can assist with your cybersecurity requirements.
The BASE Enterprise Centre
Railway Road
Stranorlar
Co. Donegal
Ireland
F93 VAK6
The form is loading. If it doesn't appear, JavaScript may be disabled in your browser.
You can reach us any time at info@secoraconsulting.com or by phone on +353 74 970 7876.