"The thing about security also is the threats are always changing. So you can't just keep doing what you've been doing and think you're going to be fine. You have to adapt to the changing threat landscape."
In the world of Cybersecurity, things are everchanging. This week Cybersecurity expert and CEO & Co-Founder of Trava Security Jim Goldman and Ben Phillips CPA and Director at KSM, discuss the differences between an audit and an assessment when it comes to information security internal risk assessments.
Understanding the difference between a cybersecurity audit and assessment is crucial whether you are a business owner, IT professional, or auditor. Jim and Ben shed light on the motivation behind each - whether they are customer-driven or regulatory - and offer thoughts on which is right for you. If you are seeking cybersecurity certifications like SOC2 or ISO, knowing the difference is an important part of the process - along with patience, lots of patience!
What you’ll learn in this episode:
- The differences between audits and assessments and why they should be conducted.
- How audits and assessments work together, and how often they should be conducted.
- Why are both internal and external audits important in the journey to getting certified?
Things to listen for:
[02:47] Various certifications and audits for data security.
[07:53] The main difference between an audit and an assessment
[09:40] Internal audit vs External audit.
[15:54] Information security assessment and preparation advice given.
[21:07] Differences between type 1 and type 2 SOC 2 reports.