Information Security / Cyber Security: Audit vs Gap Assessment vs Risk Assessment

To begin with, these terms are not interchangeable. In fact, they represent three different types of assurance activities:

  • Audit: used for assessing the compliance of the information security function against a given standard or guideline.
  • Gap assessment: used for assessing the adherence to, and maturity of, the information security processes that have been defined.
  • Risk assessment: used for assessing the effectiveness of information security controls, which may be management or technical controls.

If you have ever had a hard time deciding which one to pick, I advise you to read further.

Information Security / Cyber Security Audit

An audit of the information security function is always conducted against a standard that is either implemented and certified or in the process of certification, and it aims to provide assurance that the standard’s mandatory policies, processes and procedures are documented, approved, communicated and applied consistently.

Common examples of certifiable and auditable standards are ISO/IEC 27001 for information security management systems (ISMS) and PCI DSS for entities involved in payment card processing. An audit of an information security management system covers the requirements of the main body of the ISO/IEC 27001 standard, and the control objectives in Annex A, which are also released separately as ISO/IEC 27002.

If the scope of the ISMS is extended to include cyber security, then organizations implementing ISO/IEC 27001 will also align with ISO/IEC 27032, which has not been released as an auditable standard. For PCI DSS certified organizations it doesn’t matter that ISO/IEC 27032 is not certifiable and auditable, but for the rest of organizations there will be a lot more work to implement ISO/IEC 27001 in full, extend the ISMS scope to cyber security and get certified.

ISO/IEC 27002, Code of practice for information security controls, is another example of a standard which is not certifiable and auditable. However, these controls are audited indirectly because they are included in Annex A of ISO/IEC 27001:2013.

The NIST Cybersecurity Framework is also not certifiable and auditable, since it is a set of voluntary cyber security standards for critical infrastructure companies.

The terms Cybersecurity and Information security are often used interchangeably. Some use the term Cybersecurity as a synonym for information security, IT security and information risk management. Others, particularly in government circles, have adopted more technical definitions related to national defense, including cyber warfare and protection of critical infrastructure. Although different groups tend to adapt terminology for their own purposes, there are some important distinctions between Cybersecurity and Information security.

Information Security deals with information regardless of its format, and it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.

Cybersecurity is concerned with protecting digital assets, meaning everything from networks to hardware and the information that is processed, stored or transported by internetworked information systems.

Information Security / Cyber Security Gap Assessment

Where a certifiable and auditable standard has not been implemented, or has been implemented but not certified, a gap assessment against the standard should provide assurance that current practices are aligned with international best practices.

The gap assessment not only reviews existing practices, but also reviews any policies, processes and procedures that may exist, in order to assess their alignment with the referenced standard and establish the level of maturity of your information security processes.

Hopefully there are no more doubts now, and you know when to ask for an audit and when to ask for a gap assessment. Knowing the difference between them will save you money and spare you from reading an audit report saying that policies, procedures and processes are missing and that you have to implement them before they can be audited, which by the way is a true statement.

Information Security / Cyber Security Risk Assessment

There will be times when neither an audit nor a gap assessment will suffice, for example when you need assurance on the effectiveness of information security controls in place.

A risk assessment should cover People, Process and Technology, and assess whether anything has gone wrong because of a lack of policies and procedures, or because of the current technologies, controls, policies, procedures and practices in place.

A risk practitioner should involve all stakeholders (business owners, system owners) in the identification of critical information assets and in the valuation of information assets and supporting infrastructure, applications and services.

A risk assessment should provide a clear picture of current threats, vulnerabilities and their exploitability (these three together equal risk), assess the effectiveness of the controls in place, estimate the impact and likelihood of the risk, and calculate the residual risk.
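The steps just described (asset valuation, likelihood from exploitability, control effectiveness, residual risk, comparison against the acceptance criteria of the Risk Management Policy) can be carried through on a small risk register. This is an added example, not from the original article; the 1–5 scales, the way control effectiveness reduces likelihood, the acceptance threshold and the register entries are all constructed assumptions, not taken from any standard.

```python
from dataclasses import dataclass

# Assumed qualitative scales (constructed for this example, not from any standard).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Assumed risk acceptance criterion, as would be set in the Risk Management Policy.
ACCEPTANCE_THRESHOLD = 8

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str               # exploitability of the vulnerability, on the LIKELIHOOD scale
    impact: str                   # asset valuation agreed with the business owner, on the IMPACT scale
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective), from control testing

    def inherent(self) -> int:
        """Risk before considering any controls."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        """Risk remaining after controls in place: controls reduce likelihood, not impact."""
        reduced_likelihood = LIKELIHOOD[self.likelihood] * (1 - self.control_effectiveness)
        return max(1, round(reduced_likelihood)) * IMPACT[self.impact]

    def acceptable(self) -> bool:
        return self.residual() <= ACCEPTANCE_THRESHOLD

def treatment_plan(register: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (asset, residual risk, decision) rows, highest residual risk first."""
    rows = []
    for r in register:
        decision = "accept and monitor" if r.acceptable() else "treat: add or improve controls"
        rows.append((r.asset, r.residual(), decision))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample register entries (not real findings).
REGISTER = [
    Risk("customer database", "credential theft", "no MFA on admin access", "likely", "severe", 0.2),
    Risk("payroll file share", "ransomware", "unpatched file server", "possible", "major", 0.6),
    Risk("marketing website", "defacement", "outdated CMS plugin", "possible", "minor", 0.5),
]

if __name__ == "__main__":
    for asset, score, decision in treatment_plan(REGISTER):
        print(f"{asset:22} residual={score:2}  {decision}")
```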

Now let’s bring it all together on the topic of risk:

An audit mission should provide assurance that a Risk management framework exists:

  • Risk Management Policy encompassing scope, requirements, responsibilities and criteria for accepting risks
  • Risk Assessment and Treatment Methodology: process and procedure describing the entire process step by step

An audit mission should also provide assurance that the Risk management framework is applied effectively, meaning that risks are reduced to an acceptable level and monitored, and that a risk assessment occurs annually and before any change in process or technology.

A gap assessment should assess the maturity of risk management processes and provide the level of maturity for each process step.