Risk Assessment vs Audit
Over the last few months, we have been doing security risk assessment of many IT systems. Many times when we talk to a stakeholder and apprise them of the activity, I notice that the risk assessment is generally interpreted as an audit. Hence the idea for this blog to explain how risk assessments are different from an audit.
Audit by definition is an activity to check compliance against a statement made. For eg: a financial audit of the balance sheet of an organisation is conducted to check that the financial statements made by the organisation is accurate. Similarly, a PCI-DSS audit is made when an organisation says that they are compliant to PCI-DSS standards and the auditor will check the adherence to those standards.
Risk assessment on the other hand will be open in nature. It will be bound only by the high level scope of the risk assessment – the purpose for which the risk assessment is commissioned - and need not be limited to a single or even a set of standards. For eg: A vendor risk assessment will consider all aspects of a vendor’s ability to deliver the service expected – whether it be financial, credentials, security, logistics, organizational, etc. Similarly a security risk assessment can consider any aspect that will have a bearing on security, and need not be specific to a specific standard like PCI-DSS, ISO27k, CIS Top 20, NIST, etc.
When do we adopt what? Well, it depends on the objective. Audits are needed to show compliance. If I’m a bank, I need to be compliant with the requirements of the regulator. Hence I need to have audits to assure the regulator of the compliance. Similarly if I’m a data center service provider, my customer from healthcare domain may mandate that I’m compliant to HIPAA standards.
So compliance is important. It may affect my license to run my business, or potential to get more business.
However, as we have seen in many cases, compliance does not necessarily result in needed capability. The market dynamics and the context in which my business is run may need me to be more stronger than what the compliance requirements are.
This is where risk assessments play a role. The scope of risk assessment goes beyond any standards or compliance requirements and will consider any and all aspects that may affect me in any and many manner that may ultimately affect the risk in consideration.
Let us take another real life equivalence. If I go for a cholesterol checkup, the lab will take my blood sample and check for cholesterol levels. This is like doing an audit, since the scope of the test is limited to checking the cholesterol related parameters like HDL, LDL, etc. Let us assume I’m anemic. The cholesterol checkup (audit) will not help me identify my anemia. However if I ask for a more holistic health checkup (think risk assessment), with the same blood sample the lab will be able to assess my health for cholesterol, anemia, glucose level, liver and kidney functions, cancer and many more. This is the equivalent of risk assessments and the benefit of having open scope for risk assessment.
Especially in the cyber world, it is important that organisations benchmark their security posture against rapidly evolving risks. This necessitates the organisation to go beyond ensuring compliance and measure themselves frequently on the ability to address the multitude of cyber risks. Even if you have achieved all compliance standards, even if your IT operations are running in perfect alignment to your organisation’s information security policies, it is possible that the risk assessment exercise identifies certain risks that were not seen earlier. And this is for the overall benefit of all stakeholders.
Hence risk assessment should be seen as an exercise to explore opportunities to improve. Once this aspect is appreciated, we will see that there is no need to be defensive when the assessor identifies a risk that has not been treated earlier. Unlike audit where the auditor is checking if what you said is true or not, in risk assessment the assessor’s objective is to identify scope for improving resilience.
