
Cybersecurity Audit Vs. Cybersecurity Assessment: Which Do You Need?

Melissa Stevens | October 20, 2016

Whether you’re a CIO or a CISO that has been asked by the board to facilitate a cybersecurity audit or you’re a member of the board and are planning to request one, it’s extremely important to know what a cybersecurity audit is and what it isn’t. You need to know precisely what is being asked of you or what you’re asking for. 

In this article, we’ll give you a quick introduction as to what a cybersecurity audit is—and why you may actually want a cybersecurity assessment instead.

Cybersecurity Audit Vs. Cybersecurity Assessment

Your organization has a number of cybersecurity policies in place. The purpose of a cybersecurity audit is to act as a checklist that validates that what you’ve said in a policy is actually happening and that there’s a control mechanism in place to enforce it.

Both an audit and an assessment are formal processes, but there are some key distinctions between the two:

  • An audit is more formal than an assessment. 
  • An audit must be performed by an independent third-party organization, and that third party typically must have some kind of certification. (An organization can have an internal audit team, but that team should act as an independent agency.)

One of the primary concerns with a cybersecurity audit is the cost. It can be very expensive for a third-party auditing company to come on-site, conduct interviews, and comb through your policies. Additionally, the audit only shows a snapshot of your cybersecurity—and doesn’t provide any insight into your ongoing cyber health.

Cybersecurity Assessment

While a cybersecurity audit is used to find the presence of controls, auditors rarely test the effectiveness of those controls. And the fact that a control exists does not necessarily mean that it is effective in mitigating cyber risk. For example, your cybersecurity auditors might check a box that says you have a firewall in place to reduce the number of websites employees can visit while using company equipment. But if that firewall isn’t properly configured, then the firewall might be useless. So just because you have a control in place, does not mean that the control is an effective one.

It is for this reason that cybersecurity assessments are often conducted. An assessment can be a formalized process, but the person or organization conducting the assessment does not need to be an auditor per se. If you’re trying to develop a complete picture of your cybersecurity posture, a cybersecurity assessment will help you kick the tires on current technology, documentation, network configuration, and overall effectiveness.

In Conclusion

Here’s the bottom line: A cybersecurity audit program has a time and a place—but it shouldn’t be considered the be-all, end-all solution. Most audits will not reveal the true effectiveness of the security controls you have in place. If you perform an audit, we recommend following it up with a cybersecurity assessment as well as using Security Ratings to help you develop a broader understanding of cybersecurity effectiveness.
