Vendor Risk Management

Cybersecurity Audit Vs. Assessment: Which Does Your Program Need?

Melissa Stevens | October 20, 2016

Whether you’re a security leader asked by the board to facilitate a cybersecurity audit, or a member of the board planning to request one, it’s crucial to know what is a cybersecurity audit, and what it isn’t. You need to know precisely what is being asked for to make sure the right information is collected.

Below we will give you a quick introduction to what is a cybersecurity audit, and why you may actually want a cybersecurity assessment instead.

Cybersecurity Audit Vs. Cybersecurity AssessmentNew Call-to-action

Your organization has a number of cybersecurity policies in place. The purpose of a cybersecurity audit is to act as a ‘checklist’ that validates the policies a cybersecurity team stated are actually in place, and that there are control mechanisms in place to enforce them.

There are thousands of questions you could ask your internal team or your vendors about security. Finding which of them are the most important will help you use your resources more efficiently, and can help determine when it’s necessary to assess a cybersecurity program vs. perform an audit.

Finding The Difference

Both an audit and an assessment are formal processes, but there are some key distinctions between the two:

  1. An audit is more formal than an assessment. 
  2. An audit must be performed by an independent third-party organization, and that third party typically must have some kind of certification. An organization can have an internal audit team, but that team should act as an independent agency.

One of the primary differences with what is considered a cybersecurity audit is the cost. It can be very expensive for a third-party auditing company to come on-site, conduct interviews, and comb through your policies. It also might be more difficult to conduct what is considered a thorough cybersecurity audit with workforces primarily remote during the COVID-19 pandemic.  

Additionally, what is considered a cyber security audit only shows a snapshot of your network health. While an audit might provide an in-depth look at your cyber-health at a specific point in time, it doesn’t provide any insight into your ongoing cyber management.

Using Assessments To Gain A Complete Picture 

While a cybersecurity audit is used to find the presence of controls, auditors rarely test the effectiveness of those controls. The fact that a control exists does not necessarily mean that it is doing its job to successfully mitigate cyber risk. 

For example, your cybersecurity auditors might check a box that says you have a firewall in place to reduce the number of websites employees can visit while using company equipment. If that firewall isn’t properly configured, then the control might be useless, and definitely should be flagged to your security team.

This is where organizations can choose to conduct cybersecurity assessments. An assessment can be a formalized process, but the person or organization conducting the assessment is not performing what is considered a cybersecurity audit. If you’re trying to develop a complete picture of your cybersecurity posture, a cybersecurity assessment will help you evaluate the true effectiveness of your program by examining current technology, documentation, and network configuration.

In Conclusion

Here’s the bottom line: A cybersecurity audit program has a time and a place—but it shouldn’t be considered the be-all, end-all solution. Most audits will not reveal the true effectiveness of the security controls you have in place. If you perform an audit, we recommend following it up with a cybersecurity assessment. We also recommend using Security Ratings to help you develop a broader understanding of cybersecurity effectiveness, as well as comparison to your competitors.

Using Security Ratings for Cybersecurity Benchmarking Ebook

Suggested Posts

Can Your Vendor Assessments Be More Efficient?

If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...

READ MORE »

Do You Have The Right Vendor Management Policies?

If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...

READ MORE »

3 Ways To Make Your Vendor Lifecycle More Efficient

During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...

READ MORE »

Subscribe to get security news and updates in your inbox.