Educause.edu defines an assessment as "the process of identifying technical vulnerabilities in computers and networks as well as weaknesses in policies and practices relating to the operation of these systems."
TechTarget.com defines an audit as "a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. Many times audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information."
As you can see, these definitions are very similar. One difference is that an assessment can take on an adversarial role. An example is "Eligible Receiver," a 1997 internal security assessment initiated by the Department of Defense that was designed to simulate what a team of hackers could do if they targeted the Pentagon's computer systems.
Audits do not typically take on such an adversarial role. While it's true that audits assess the strength and effectiveness of controls that are designed to protect information and safeguard assets, they usually look more at existing policy and controls. They also seek to determine if these policies are being followed by employees. When controls are not in compliance, the auditor may report who and what is not in compliance.
That brings us to a second difference between an assessment and an audit. Assessments tend to practice non-attribution: findings are reported as weaknesses to be fixed rather than as the failings of particular individuals.
Finally, while audits measure performance against existing policies, best practices and regulatory requirements such as HIPAA, SOX and the California Security Breach Information Act, assessments go a step further: they actively seek out vulnerabilities and may even exploit them. This is something you will not usually see during an audit.
This was first published in October 2005