An organisation is drafting its annual security assessment strategy and wants to distinguish a security assessment from a security audit so the right activity is scoped for each engagement. Which statement BEST captures the conceptual difference between these two activities?
- A. An assessment is always performed by external parties for regulatory reasons, whereas an audit is always performed internally by the security function for management oversight.
- B. An assessment evaluates the overall effectiveness of controls against stated objectives, whereas an audit verifies conformance to a defined standard or policy and produces formal evidence of compliance. (Correct)
- C. An assessment uses automated scanning tools while an audit relies exclusively on interviews and document review, with no overlap in technique.
- D. An assessment is concerned with detecting vulnerabilities and an audit is concerned with detecting fraud, so the two engagements rarely share scope or stakeholders.
Why A is wrong: Tempting because external assessors and internal auditors are common patterns, but the distinction is incorrect: assessments can be internal and audits can be external. Independence and scope are separate from the assessment-versus-audit distinction.
Why B is correct: Assessments are broader, advisory engagements that judge whether controls achieve risk-management goals, while audits are evidence-driven exercises that test conformance to a specific baseline such as ISO 27001 or an internal policy and yield an attestation.
Why C is wrong: Plausible because assessments often involve scanners and audits often involve interviews, but both activities can use a mix of automated and manual techniques. The defining difference is purpose and evidentiary rigour, not toolset.
Why D is wrong: Conflates security assessment with vulnerability assessment and audit with financial fraud detection. Security audits cover control conformance broadly, and assessments examine more than vulnerabilities; the framing is too narrow.