The terms “audit,” “assessment” and “testing” (AAT) carry distinct legal and common-usage meanings, and all three are now essential activities in cybersecurity. They appear in compliance, regulatory and security-hygiene scenarios alike and have become required functions.
This piece lays out the key definitions of these terms, helps you understand their contextual meaning and use them properly, and helps you get the organization standardized on their legal interpretations.
AAT terms are often used imprecisely across industries and organizations. The definitions below cover the key distinctions between them, but be sure to check with your GRC and legal teams as well, so that you understand the distinctions that matter for your organization and get authoritative answers and legal advice for use in your organization’s context. The three terms are defined in detail below:
An audit is usually understood in very precise terms:
The terms “audit” and “auditor” should be reserved for situations where they are appropriate. Most companies have an internal audit department whose auditors perform their duties within the company, often to help ensure the company is ready to receive an audit from an external entity (a SOX audit, a SOC 2 examination, etc.).
“Assessment” is a broader term than “audit.” It usually has a descriptive adjective ahead of it – e.g., risk assessment, maturity assessment, compliance assessment – that explains what it is intended to accomplish.
In each case, performing an assessment requires setting the context for the evaluation itself.
For example, in performing a risk assessment, you first need to establish the risk framework, such as measuring software or hardware against NIST standards or the Center for Internet Security (CIS) Critical Security Controls (formerly the CIS Top 20).
A compliance assessment, as the term implies, measures compliance against a set of:
Usually, a compliance assessment has no legal bearing. It is advisory in nature, telling the subject of the assessment how well it meets the relevant requirements. This is very different from an audit, which is performed by qualified auditors and usually has legal or contractual bearing.
For example, a company may internally assess its compliance with PCI DSS, but that is only useful for deciding whether the company is ready for a formal audit by a Qualified Security Assessor (QSA). The “A” in QSA stands for “assessor,” but in this context it is just another term for “auditor”: the PCI Security Standards Council gives QSAs the authority to determine whether the company meets PCI DSS, with the result usually documented in a Report on Compliance (ROC).
A maturity assessment measures the level of maturity of a security program using the Software Engineering Institute’s (SEI’s) Capability Maturity Model for Software or using the ISO/IEC 21827:2008 Systems Security Engineering - Capability Maturity
“Testing” is the broadest term of the three, with some of its elements performed as part of audits and assessments. To illustrate its breadth, some items that are tested include:
In each of these cases, the controls are “tested.” From an information security perspective, that testing covers elements like user account management, privilege management, role definitions and separation-of-duties considerations, typically on financial management and reporting systems. A test usually involves actions like taking the list of users who have accounts on the system and verifying, for a statistically significant sample of those users, that each one still deserves the privileges they hold, is still employed, has not changed jobs and is not violating separation-of-duties rules.
To ensure everyone understands these terms in the same context:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.
September 29, 2022
By IANS Faculty