
Cybersecurity Audit Vs. Cybersecurity Assessment: Which Do You Need?

Melissa Stevens | October 20, 2016

Whether you’re a CIO or CISO who has been asked by the board to facilitate a cybersecurity audit, or a board member planning to request one, it’s important to know what a cybersecurity audit is and what it isn’t. You need to know precisely what is being asked of you, or what you’re asking for, before anyone starts scheduling auditors.

In this article, we’ll give you a quick introduction as to what a cybersecurity audit is—and why you may actually want a cybersecurity assessment instead.

Cybersecurity Audit Vs. Cybersecurity Assessment


Your organization has a number of cybersecurity policies in place. The purpose of a cybersecurity audit is to act as a checklist that validates that what you’ve said in a policy is actually happening, and that there is a control mechanism in place to enforce it. The audit is scoped to the policies and controls you have written down; it measures conformance to that documentation, not the quality of the documentation itself.


Both an audit and an assessment can be formal processes, but there are some key distinctions between the two:

  • An audit is the more formal of the two. It works from a defined scope and a fixed set of criteria, and it produces a finding of conformance or non-conformance against those criteria.
  • An audit must be performed by an independent party, and that party typically holds some kind of recognized certification. An organization can have an internal audit team, but that team must operate as an independent function, reporting outside the chain that owns the controls being audited, so that it is not grading its own work.

One of the primary concerns with a cybersecurity audit is cost. It can be very expensive for a third-party auditing firm to come on-site, conduct interviews, and comb through your policies and evidence. Additionally, an audit only shows a snapshot of your cybersecurity at the time of the engagement; it provides no insight into your ongoing cyber health, and a control that passed in March can be misconfigured by April without anyone noticing until the next audit cycle.

Cybersecurity Assessment

A cybersecurity audit is used to confirm the presence of controls, but auditors rarely test the effectiveness of those controls. The fact that a control exists does not mean it is effective at mitigating cyber risk. For example, your auditors might check a box confirming that you have a firewall in place to restrict the websites employees can reach from company equipment. But if that firewall’s rules are misconfigured, or if the blocking policy has gaps, the firewall may be doing nothing useful. A practitioner would want to see the rule set reviewed and the policy actually exercised (attempt a connection the policy says should be blocked and confirm that it is) rather than a note that the device exists. Having a control in place does not mean the control is an effective one.

This is why cybersecurity assessments are conducted. An assessment can be a formalized process, but the person or organization conducting it does not need to be a certified auditor. If you’re trying to develop a complete picture of your cybersecurity posture, a cybersecurity assessment lets you kick the tires on your current technology, documentation, network configuration, and overall control effectiveness, including testing whether controls behave as their documentation claims.

In Conclusion

Here’s the bottom line: a cybersecurity audit program has a time and a place, but it shouldn’t be treated as the be-all, end-all solution. Most audits will not reveal the true effectiveness of the security controls you have in place. If you perform an audit, we recommend following it up with a cybersecurity assessment, and using Security Ratings to build a broader, continuous view of cybersecurity effectiveness between point-in-time engagements.

