DOMAIN 6: Security Assessment and Testing

Organizations need to identify and address issues that may put them at risk. To do this, they perform security assessments, risk assessments, and security audits. While these activities are related, it is important to understand the difference between them.

  • A security audit compares its results against a standard to determine whether the standard is being met. Third-party audits are often required for legal or contractual compliance, but internal auditors are also used by many organizations to provide oversight over their own efforts. Most security audits will determine whether the organization is in compliance with the standard they are auditing against but won’t track whether the organization’s efforts exceed it.
  • Security assessments are used to determine an organization’s security posture. This means that assessors use standards as well as their own knowledge and experience to assess the strength and effectiveness of their security posture. Thus, all security audits are a form of security assessment, but not all security assessments are audits.
  • Risk assessments provide a view of the risks that an organization faces. Many risk assessments categorize risks by probability and impact and include details of findings and potential controls. Since risk is an important element in a comprehensive understanding of an organization’s security posture, risk assessments are often included in a security assessment.

Once an organization has completed an assessment ...
