Vendor Risk Management

Cybersecurity Audit Vs. Cybersecurity Assessment: Which Do You Need?

Melissa Stevens | October 20, 2016

Whether you’re a CIO or a CISO that has been asked by the board to facilitate a cybersecurity audit or you’re a member of the board and are planning to request one, it’s extremely important to know what a cybersecurity audit is and what it isn’t. You need to know precisely what is being asked of you or what you’re asking for. 

In this article, we’ll give you a quick introduction as to what a cybersecurity audit is—and why you may actually want a cybersecurity assessment instead.

Cybersecurity Audit Vs. Cybersecurity Assessment

Cybersecurity Audit Vendor Security Assessment Guide

Your organization has a number of cybersecurity policies in place. The purpose of a cybersecurity audit is to act as a ‘checklist’ that validate that what you’ve said in a policy is actually happening and that there’s a control mechanism in place to enforce it.

There are thousands of questions you could ask your vendor about security. Can you determine which of them are the most important?

Both an audit and an assessment are formal processes, but there are some key distinctions between the two:

  • An audit is more formal than an assessment. 
  • An audit must be performed by an independent third-party organization, and that third party typically must have some kind of certification. (An organization can have an internal audit team, but that team should act as an independent agency.)

One of the primary concerns with a cybersecurity audit is the cost. It can be very expensive for a third-party auditing company to come on-site, conduct interviews, and comb through your policies. Additionally, the audit only shows a snapshot of your cybersecurity—and doesn’t provide any insight into your ongoing cyber health.

Cybersecurity Assessment

While a cybersecurity audit is used to find the presence of controls, auditors rarely test the effectiveness of those controls. And the fact that a control exists does not necessarily mean that it is effective in mitigating cyber risk. For example, your cybersecurity auditors might check a box that says you have a firewall in place to reduce the number of websites employees can visit while using company equipment. But if that firewall isn’t properly configured, then the firewall might be useless. So just because you have a control in place, does not mean that the control is an effective one.

It is for this reason that cybersecurity assessments are often conducted. An assessment can be a formalized process, but the person or organization conducting the assessment does not need to be an auditor per se. If you’re trying to develop a complete picture of your cybersecurity posture, a cybersecurity assessment will help you kick the tires on current technology, documentation, network configuration, and overall effectiveness.

In Conclusion

Here’s the bottom line: A cybersecurity audit program has a time and a place—but it shouldn’t be considered the be-all, end-all solution. Most audits will not reveal the true effectiveness of the security controls you have in place. If you perform an audit, we recommend following it up with a cybersecurity assessment as well as using Security Ratings to help you develop a broader understanding of cybersecurity effectiveness.

40 Questions Your Vendor Security Assessment

Suggested Posts

Mitigating Risk in Your Expanding Digital Ecosystem

As time goes on, organizations are taking on more and more new digital transformation initiatives to become increasingly agile and boost productivity — dramatically transforming the number of digital touchpoints employees interact with on...


FBI Alerts Companies of Cyber Attacks Aimed at Supply Chains

Earlier this month, ZDNet broke the news that the FBI had sent a cybersecurity alert to the U.S. private sector warning of an ongoing hacking campaign against supply chain software providers. According to the FBI, hackers are attempting to...


Guide: Fourth-Party Cyber Risk & Management

In today’s interconnected world, supply chains are growing exponentially. As a result, third-party risk has become a big focus for senior management. But what about the vendors that your suppliers rely on and the threat of fourth-party...


Subscribe to get security news and updates in your inbox.