Security Audit

A Security Audit is an independent examination of security controls, policies, and practices against established criteria (a regulation, a standard, or the organization's own policy). Internal audits are conducted by the organization's own audit function, which must still be independent of the teams that own the controls it examines; external audits are performed by independent third parties. Audits verify that controls exist, that they operate effectively over the period reviewed, and that they meet the applicable compliance requirements.

Audit types include compliance audits against specific regulations, operational audits of security processes, and technical audits examining system configurations. Auditors gather evidence through documentation review, interviews, observation, and testing; a finding should cite the evidence that supports it (the configuration line, log entry, or sampled record), so that the audited party can reproduce the result. The auditor then issues a report with findings and recommendations, and management responds with remediation plans or a documented acceptance of the risk.
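A technical audit, as described above, reduces to comparing the configuration actually in effect with the audit criteria and recording evidence for each result. The script below is an added illustration, not part of the original page or of any published benchmark: it parses an sshd_config-style file (a constructed sample is embedded), evaluates it against a hypothetical criteria list with made-up control identifiers, and returns evidence-backed findings. The assumed defaults for absent directives follow the OpenSSH documentation but should be verified against the audited version; commented-out lines are deliberately ignored, since they are not evidence of an effective setting, and the first active occurrence of a directive wins, as it does in sshd.

```python
"""Minimal technical-audit check: compare a configuration against audit
criteria and produce evidence-backed findings. The sample config and the
criteria list (control IDs SSH-01..SSH-05) are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, as an auditor might collect it from a host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""


@dataclass
class Criterion:
    control_id: str                 # hypothetical control identifier
    key: str                        # directive name (case-insensitive in sshd_config)
    expected: str                   # expected value, or the upper bound when kind == "max"
    kind: str = "equals"            # "equals" or "max"
    default: Optional[str] = None   # value assumed when the directive is absent


@dataclass
class Finding:
    control_id: str
    key: str
    expected: str
    observed: str
    status: str                     # "pass" or "fail"
    evidence: str                   # the line (or the absence) that supports the result


# Assumed defaults taken from OpenSSH documentation; verify for the audited version.
CRITERIA = [
    Criterion("SSH-01", "PermitRootLogin", "no", default="prohibit-password"),
    Criterion("SSH-02", "PasswordAuthentication", "no", default="yes"),
    Criterion("SSH-03", "MaxAuthTries", "4", kind="max", default="6"),
    Criterion("SSH-04", "X11Forwarding", "no", default="no"),
    Criterion("SSH-05", "ClientAliveInterval", "300", kind="max"),  # no default assumed
]


def parse_config(text: str) -> Dict[str, Tuple[str, int, str]]:
    """Map lowercase directive -> (value, line number, raw line).
    Comments and blank lines are skipped; like sshd, the first active
    occurrence of a directive is the one in effect."""
    directives: Dict[str, Tuple[str, int, str]] = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        if key not in directives:
            directives[key] = (parts[1].strip(), line_no, raw.strip())
    return directives


def audit_config(text: str, criteria: List[Criterion]) -> List[Finding]:
    """Evaluate each criterion and attach the evidence behind the verdict."""
    directives = parse_config(text)
    findings: List[Finding] = []
    for c in criteria:
        entry = directives.get(c.key.lower())
        if entry is None:
            observed: Optional[str] = c.default
            evidence = f"directive absent; assumed default {c.default!r}"
        else:
            observed, line_no, raw = entry
            evidence = f"line {line_no}: {raw}"
        if observed is None:
            status = "fail"  # nothing to support a pass, so it is reported as a finding
        elif c.kind == "max":
            status = "pass" if observed.isdigit() and int(observed) <= int(c.expected) else "fail"
        else:
            status = "pass" if observed.lower() == c.expected.lower() else "fail"
        findings.append(Finding(c.control_id, c.key, c.expected, str(observed), status, evidence))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts that would head the audit report."""
    return {
        "pass": sum(f.status == "pass" for f in findings),
        "fail": sum(f.status == "fail" for f in findings),
    }


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG, CRITERIA)
    for f in results:
        print(f"{f.control_id} {f.status.upper():4} {f.key}: expected {f.expected}, "
              f"observed {f.observed} ({f.evidence})")
    print(summarize(results))
```

Run against the sample, SSH-04 passes and the other four fail; note that SSH-01 fails on line 4, not on the commented-out line 3, and SSH-05 fails for lack of evidence rather than for a wrong value, which is the distinction an auditor records before the audited party can respond.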

CISSP Relevance

Domain 6 (Security Assessment and Testing) covers audit processes, and Domain 1 (Security and Risk Management) addresses audit's role in governance. Understand the audit types, the difference between internal and external audits, auditor independence requirements, and how management should respond to audit findings (remediate, or document and accept the residual risk). Know the frameworks that drive audit requirements, such as SOC 2 (an attestation report on a service organization's controls) and ISO 27001 (certification of an information security management system).

ISACA publishes IT audit and assurance standards through its IT Audit Resources.

Related terms: Compliance, Governance