
Cybersecurity Audit Vs. Cybersecurity Assessment: Which Do You Need?

Melissa Stevens | October 20, 2016

Whether you’re a CIO or CISO who has been asked by the board to facilitate a cybersecurity audit, or a board member planning to request one, it is important to know what a cybersecurity audit is and what it isn’t. You need to know precisely what is being asked of you, or what you are asking for.

In this article, we’ll give you a quick introduction as to what a cybersecurity audit is—and why you may actually want a cybersecurity assessment instead.

Cybersecurity Audit Vs. Cybersecurity Assessment


Your organization has a number of cybersecurity policies in place. The purpose of a cybersecurity audit is to act as a checklist that validates that what you’ve said in a policy is actually happening and that there is a control mechanism in place to enforce it.


Both an audit and an assessment are formal processes, but there are some key distinctions between the two:

  • An audit is more formal than an assessment. 
  • An audit is performed by an independent party, typically a certified third-party auditing organization. (An organization may instead use an internal audit team, but that team must be independent of the functions it audits.)

One of the primary concerns with a cybersecurity audit is the cost. It can be very expensive for a third-party auditing company to come on-site, conduct interviews, and comb through your policies. Additionally, the audit only shows a snapshot of your cybersecurity—and doesn’t provide any insight into your ongoing cyber health.

Cybersecurity Assessment

A cybersecurity audit establishes the presence of controls, but auditors rarely test whether those controls are effective, and the fact that a control exists does not mean it is mitigating cyber risk. For example, your auditors might tick a box confirming that a firewall is in place to restrict which websites employees can reach from company equipment. If that firewall is misconfigured (say, an earlier rule allows the very traffic a later rule was meant to block), it may be useless. A control that is present is not necessarily a control that works.
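To make the presence-versus-effectiveness gap concrete, here is an added example (not code from the original article or from its author) that contrasts an audit-style check with an assessment-style check against a small, constructed first-match firewall rule set. The policy range 203.0.113.0/24, the rule order, and the helper names are all assumptions made for illustration.

```python
"""Presence vs. effectiveness of a control, illustrated with a first-match
firewall rule evaluator. All rules and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    dst: str               # destination CIDR the rule applies to
    port: Optional[int] = None   # None means any port


# Policy statement (constructed): employees must not reach 203.0.113.0/24
# from company equipment.
BLOCKED = ip_network("203.0.113.0/24")

# Rule set as an auditor would read it. Rule index 1 implements the policy,
# so the checklist box gets ticked, but rule index 0 ("allow all HTTPS")
# matches first for port 443 and silently wins.
RULES: List[Rule] = [
    Rule("allow", "0.0.0.0/0", 443),
    Rule("deny", "203.0.113.0/24"),
    Rule("deny", "0.0.0.0/0"),
]


def audit_check(rules: List[Rule], blocked) -> bool:
    """Audit-style check: is there a deny rule that names the policy's range?
    This only confirms the control exists on paper."""
    return any(r.action == "deny" and ip_network(r.dst) == blocked for r in rules)


def evaluate(rules: List[Rule], dst: str, port: int) -> str:
    """Assessment-style check: simulate a connection through the rule set.
    First matching rule wins, as in most firewalls; default is deny."""
    addr = ip_address(dst)
    for r in rules:
        if addr in ip_network(r.dst) and (r.port is None or r.port == port):
            return r.action
    return "deny"


def shadowing_allows(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Find (allow_index, deny_index) pairs where an earlier allow rule covers
    the deny rule's destination, so the deny can never fire for the allow's
    ports. A partial overlap (allow limited to one port) is still reported,
    because that port bypasses the deny."""
    found = []
    for j, deny in enumerate(rules):
        if deny.action != "deny":
            continue
        for i in range(j):
            allow = rules[i]
            if allow.action != "allow":
                continue
            covers_net = ip_network(allow.dst).supernet_of(ip_network(deny.dst))
            covers_port = allow.port is None or deny.port is None or allow.port == deny.port
            if covers_net and covers_port:
                found.append((i, j))
    return found


if __name__ == "__main__":
    print("audit says control exists:", audit_check(RULES, BLOCKED))
    print("assessment, HTTPS to blocked host:", evaluate(RULES, "203.0.113.10", 443))
    print("assessment, HTTP to blocked host:", evaluate(RULES, "203.0.113.10", 80))
    print("shadowed deny rules:", shadowing_allows(RULES))
```

The audit check passes, yet the simulation shows HTTPS to the blocked range is allowed; the shadow report pinpoints why. That is the difference the article is drawing: an audit records that rule index 1 exists, an assessment asks whether traffic actually behaves the way the policy says.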

It is for this reason that cybersecurity assessments are often conducted. An assessment can be a formalized process, but the person or organization conducting the assessment does not need to be an auditor per se. If you’re trying to develop a complete picture of your cybersecurity posture, a cybersecurity assessment will help you kick the tires on current technology, documentation, network configuration, and overall effectiveness.

In Conclusion

Here’s the bottom line: A cybersecurity audit program has a time and a place—but it shouldn’t be considered the be-all, end-all solution. Most audits will not reveal the true effectiveness of the security controls you have in place. If you perform an audit, we recommend following it up with a cybersecurity assessment as well as using Security Ratings to help you develop a broader understanding of cybersecurity effectiveness.
