  • Thomas Jreige

Assessment vs Audit: Understanding the difference…

Understanding the difference between an audit and an assessment could literally save your business.

What do you think of when you hear the word audit? Most responses we receive to this question are those of frustration and box-ticking. Other than receiving a pass or fail, what outcome is truly achieved?

Assessment and audit — aren’t they the same thing?

When auditing your IT security, the auditor will essentially tick boxes that ensure you meet minimum standards. The organisation receives a pass or fail, after which everyone moves forward with a false sense of security, thinking they are protected. The problem here is that audits are made up of rules, but threats to your business are not coming from people who play by the same rulebook — if any.

Audits are important in businesses. However, they serve a different purpose than what they are commonly used for in this particular instance.

To receive any benefit or peace of mind from your IT security check, you need to take a deeper look from a different perspective.

Cybercriminals look at every possible weakness, whether it meets a set of audited standards or not, and generate specific use cases which are continuously proven effective in breaching system security.

We constantly see examples of typical IT and security audits being performed, generally after a business has experienced a breach. Unfortunately, in the weeks following these audits, many organisations are compromised again. The misunderstanding between an audit and an assessment was enough for systems to be compromised/re-compromised, some at great cost.

It’s not just a misunderstanding. Our mindset following audits relaxes. We move to a state that we refer to as the “I Know” syndrome. In this instance, the “I Know” relates to an organisation, having just been audited, feeling that they know they won’t be affected because they’ve had an IT security audit. It is this relaxed state that makes them even more at risk.

Having a goal to strengthen and protect, a process to identify areas of weakness, and a solution to implement moving forward, resulting in a positive outcome, is not an audit; it’s an assessment.

Because we are in the business of protecting, not reassuring, we conduct assessments, not audits. Our assessments focus on learning where defence line weaknesses are as though we are a cybercriminal, identifying areas exposed to being compromised so that we can adapt your defences in preparation to avoid these exposures.

Yes, we prepare organisations for audits, whether the traditional ISO 27001 Information Security Management System (ISMS) or IEC 62443 if you host industrial control systems. Ultimately, without looking at security in a layered approach, these specified audited standards alone are not effective.

Step 1 of any IT security check is a Threat and Risk Assessment. This way we capture the context of the digital environment layer by layer, building a foundation and understanding how information flows in and out of the system.

We identify the following key items in each layer:

  1. WHO is going to threaten the organisation?

  2. WHAT information or data is at risk?

  3. HOW would they breach your defences?

  4. IF compromised, what is the projected cost?

Together, these pieces create a complete picture of the risks your business faces, which we use to develop the security and protection outcomes, to then drive your IT provider to implement a solution that protects your assets.

Once we know this, we will know what risks the organisation faces and can then plan the necessary outcomes and strategies for the organisation to implement good security controls that protect this layered defence. The complexity of these systems can vary from simple to intricate. However, our methodology removes complications and confusion to offer simple and manageable outcomes.

When was your last IT Security Assessment?

Don’t fall into the same trap others have, assuming their audit means they are safe. Protect your organisation’s reputation and finances by contacting us and booking your complimentary 45-minute meeting to discuss how we can secure your business from all angles.

We can be contacted at and
