How not to trip over The Three Lines of Defence (3LD) in your organization’s IT security strategy

The Three Lines of Defence is an often-cited model an organisation may adopt as part of its enterprise risk management (ERM) strategy. This model is derived from a 2013 position paper entitled “The Three Lines of Defence in Effective Risk Management and Control” from the Institute of Internal Auditors (The IIA)[i]. 

Written by:

Sapience Consulting

A key highlight of this model is that it divides the accountabilities of managing risk into three key lines, as follows:

  1. Operational Management

The first line is operational management, which is responsible for setting up and handling operative controls. The first line of defence is best placed for this as it is the closest to daily business operations. An emphasis of this line of defence is risk ownership.

  2. Risk and Compliance

The second line is risk and compliance. This line is responsible for monitoring and overseeing the first line of defence, and provides policies and frameworks as well as expertise and support.

  3. Audit

The third line of defence is audit. This line provides independent assurance and validation, ensures that the first two lines of defence are operating effectively, and gives input on how the first two lines may be improved.

When handling IT security risks in an organisation, it is important to understand that IT security risks are essentially just another form of risk and should not be handled in isolation from other risks.

The concept of defence in depth is a key tenet in IT security, which aims to layer security controls in a meaningful manner in order to protect the confidentiality, integrity and availability of information. This makes the Three Lines of Defence model complementary to handling IT security risks within an organisation, as it closely mirrors the defence in depth concept. Each line is complementary to the other and provides the necessary checks and balances when applied to IT security risk management.

No model is perfect, so there will be things to look out for when applying the Three Lines of Defence. In an article by the Financial Stability Institute, the following points are mentioned in a root cause analysis of where and when the Three Lines of Defence model may fail in practice[ii]:

  • Misaligned incentives for risk-takers in the first line of defence – management may have put greater emphasis on and set compensation [or career progress] based on the achievement of financial objectives rather than control-orientated objectives.
  • Lack of organisational independence of functions in second line of defence.
  • Lack of skills and expertise in second line functions.
  • Inadequate and subjective risk assessment performed by internal audit. Failure by Internal Audit to identify high-risk areas or processes will lead to audits focusing on the wrong areas therefore undermining the effectiveness of the third line of defence.


As mentioned in the findings above, some of the issues that an organisation may face are a lack of skills and expertise and a failure to identify high-risk areas in audits, the latter being something that will invariably happen when internal audit staff lack the right skills and knowledge. These are both essentially symptoms of not having the right competencies within the organisation.

Therefore, before your organisation adopts the Three Lines of Defence model as an IT security risk management strategy, it is essential to have the necessary competencies for each line of defence. In the first line, operational management, having the right competencies in IT security management is important for dealing with IT security operations. Having staff with certifications such as ISACA’s Certified in Information Security Management (CISM), or (ISC)²’s Certified Information Systems Security Professional (CISSP) will be useful in this line of defence. The second line of defence, on the other hand, benefits from competencies in risk management, which ISACA’s Certified in Risk and Information Systems Control (CRISC) covers in depth. Lastly, the third line of defence deals with audit, which is catered to by skills acquired in ISACA’s Certified Information Systems Auditor (CISA).

At Sapience Consulting, we provide a variety of quality training programmes for both ISACA and (ISC)² certifications, including those mentioned above. Because Sapience Consulting is an ISACA Elite training partner as well as an (ISC)² official training partner, you can be sure that we will provide you and your staff with access to the latest official training materials in classes taught by accredited and experienced trainers. Be sure to enquire and enrol with us today!
