Security Audits

  • ali@fuzzywireless.com
  • Mar 4, 2022
  • 2 min read

Yeagley (2015) defines an audit as the periodic validation of an enterprise's IT security implementation by a certification authority. Security audits are performed to compare the current security posture against the security policy (Rhodes-Ousley, 2013). Audits can be performed by internal departments as well as by outside agencies (Rhodes-Ousley, 2013). An audit by an unbiased third party helps highlight weaknesses in the security policy and in its enforcement. Audits can be performed annually, quarterly, monthly or at any other regular interval; an annual audit confirms ongoing operational compliance with the IT security policy. Audits are usually performed to comply with federal, state or industry regulations (Yeagley, 2015).

An assessment is defined as the evaluation and estimation of IT security against benchmarks and standards to determine an acceptable level of operation (Yeagley, 2015). Assessments can be performed internally or through an external agency. An IT security assessment is performed to identify gaps and risks, whereas an audit is a detailed and thorough examination of policy and procedures. Assessments can be performed year-round, whereas audits are performed within a specific timeframe (Yeagley, 2015).

In summary, an assessment looks at what is in place, whereas an audit tests whether what is in place actually works. Assessments are performed to identify issues that could happen in the future, whereas audits identify issues from the past (Kosutic, 2014). Kosutic (2014) describes assessment as the process of identifying problems in an enterprise's security landscape; ISO 27001 and ISO 22301 are often used as the basis for such assessments. An assessment is performed before security controls are applied, whereas an audit checks the implementation afterwards (Kosutic, 2014). Weisinger (2017) illustrates the difference with an access-control example: an assessment checks whether the enterprise has a strong password policy in place, whereas an audit tests the implementation by actually attempting to create an account with a weak password.
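Weisinger's password example, carried into code as an added illustration that is not part of the original post: the written policy, the deny-list and the two account-creation functions are all constructed for this example and stand in for a real policy document and a real sign-up endpoint. assess_policy reads the policy and compares it with a benchmark (the assessment); audit_enforcement submits passwords that each break one written requirement and records which ones the implementation accepted (the audit). The point the code makes that the paragraph alone does not is that the assessment can pass while the audit fails: the policy reads well, but the weak endpoint enforces only two of its six requirements.

```python
import re

# Constructed sample: the enterprise's written password policy. Keys and
# values are assumptions for this example, not taken from the original post.
POLICY = {
    "min_length": 12,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
    "deny_common": True,
}

# Constructed deny-list (lower-cased); a real deployment would load a
# breached-password corpus. Three entries are enough to exercise the check.
COMMON_PASSWORDS = {"password1234!", "welcome12345!", "qwerty123456!"}


def assess_policy(policy, benchmark_min_length=12):
    """Assessment: compare what the written policy says with a benchmark.
    Nothing is executed; the document is read and its gaps are listed."""
    gaps = []
    if policy.get("min_length", 0) < benchmark_min_length:
        gaps.append(f"min_length {policy.get('min_length', 0)} is below {benchmark_min_length}")
    for control in ("require_upper", "require_lower", "require_digit",
                    "require_symbol", "deny_common"):
        if not policy.get(control, False):
            gaps.append(f"{control} is not required")
    return gaps


def create_account_weak(username, password):
    """Hypothetical account-creation endpoint under audit (constructed here).
    It enforces less than the written policy: only length and one digit."""
    if len(password) < 12:
        raise ValueError("password too short")
    if not re.search(r"[0-9]", password):
        raise ValueError("password needs a digit")
    return {"username": username, "created": True}


def password_meets_policy(password, policy):
    """Enforcement that mirrors the written policy requirement by requirement."""
    if len(password) < policy.get("min_length", 0):
        return False
    patterns = {
        "require_upper": r"[A-Z]",
        "require_lower": r"[a-z]",
        "require_digit": r"[0-9]",
        "require_symbol": r"[^A-Za-z0-9]",
    }
    for control, pattern in patterns.items():
        if policy.get(control) and not re.search(pattern, password):
            return False
    if policy.get("deny_common") and password.lower() in COMMON_PASSWORDS:
        return False
    return True


def create_account_hardened(username, password):
    """The same endpoint after the enforcement gap has been closed."""
    if not password_meets_policy(password, POLICY):
        raise ValueError("password violates policy")
    return {"username": username, "created": True}


def audit_enforcement(create_account, policy):
    """Audit: try to create accounts with passwords that each break exactly one
    written requirement, and record whether the implementation accepted them."""
    probes = {
        "min_length": "Ab1!short",       # 9 characters, otherwise compliant
        "require_upper": "abcdefghij12!",
        "require_lower": "ABCDEFGHIJ12!",
        "require_digit": "Abcdefghijkl!",
        "require_symbol": "Abcdefghijk12",
        "deny_common": "Password1234!",  # compliant shape, but on the deny-list
    }
    findings = {}
    for control, probe in probes.items():
        if control == "min_length":
            applies = len(probe) < policy.get("min_length", 0)
        else:
            applies = bool(policy.get(control))
        if not applies:
            continue  # the written policy never required this; nothing to test
        try:
            create_account(f"audit-{control}", probe)
            findings[control] = "accepted"  # a weak password got in: a finding
        except ValueError:
            findings[control] = "rejected"
    return findings


def enforcement_gaps(findings):
    """Controls the implementation failed to enforce, sorted for stable reporting."""
    return sorted(c for c, outcome in findings.items() if outcome == "accepted")


if __name__ == "__main__":
    print("assessment gaps:", assess_policy(POLICY))
    print("audit, weak endpoint:", enforcement_gaps(audit_enforcement(create_account_weak, POLICY)))
    print("audit, hardened endpoint:", enforcement_gaps(audit_enforcement(create_account_hardened, POLICY)))
```

Run as a script, the block reports no assessment gaps, four enforcement gaps for the weak endpoint (the deny-list and the upper-case, lower-case and symbol requirements) and none for the hardened one. The same probes can be pointed at a real sign-up endpoint by swapping the stand-in function, which is exactly the step that turns a policy review into an audit.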

References:

Kosutic, D. (2014). Risk assessment vs. internal audits in ISO 27001 and ISO 22301. Retrieved from https://advisera.com/27001academy/blog/2014/12/08/risk-assessment-vs-internal-audit-in-iso-27001-and-iso-22301/

Rhodes-Ousley, M. (2013). Information Security: The Complete Reference (2nd ed.). New York, NY: McGraw-Hill.

Weisinger, D. (2017). Compliance: Security Assessment vs. Security Audit. Retrieved from http://formtek.com/blog/compliance-security-assessment-versus-security-audit/

Yeagley, G. (2015). IT Auditing and IT Risk Assessment: What's the difference? Retrieved from https://www.compassitc.com/blog/it-auditing-and-it-risk-assessment-whats-the-difference
