Risk assessment is an activity to identify and characterise the inherent and/or residual risks within a given system, situation etc. (according to the scope of the assessment). It tends to be a somewhat theoretical hands-off exercise, for example one or more workshop sessions involving staff and managers within and familiar with the scope area plus other experts in risk and control, such as Risk Managers, Information Security Managers and (sometimes) Auditors, discussing and theorising about the risks.
While audit planning and preparation also normally involves assessing the inherent risks in a given system, situation, process, business unit etc. (again according to the scope), auditors go on to check and validate the controls actually within and supporting the process, system or organizational unit in scope, in order to determine whether the residual risks are sufficiently mitigated or contained. Audit fieldwork is very much a practical, hands-on exercise.
Risk assessments are normally performed by the users and managers of the systems and processes in scope, whereas audits are invariably conducted by independent auditors. Auditor independence is more than simply a matter of organization structure, i.e. auditors not reporting to the business managers in charge of the areas being audited. More important is the auditors’ independence of mind, the ability to “think outside the box”. Whereas those closely involved in a process on a day-to-day basis tend to become somewhat blinkered to the situation around them through familiarity, auditors see things through fresh eyes. They have no problem asking dumb questions, challenging things that others take for granted or accept because they have long since given up trying to resolve them. They are also perfectly happy to identify and report contentious political issues, resourcing constraints and opportunities for improvement that, for various reasons, insiders may be reluctant even to mention to their management. Audits are arguably the best way to find and address corporate blind spots and control weaknesses that sometimes lead to significant information security incidents.
Compliance audits are a particular type of audit that assesses the extent to which the in-scope processes, systems etc. comply with applicable requirements or meet their obligations laid down in laws, regulations, policies and standards. In the case of ISMS certification audits, for instance, certification auditors from an accredited certification body check that the ISMS complies with and fulfils the requirements of ISO/IEC 27001. There is also an element of risk assessment in compliance audits, however, since noncompliance can vary in gravity between purely inconsequential (e.g. trivial spelling mistakes in information security policies) and highly material (e.g. a complete lack of documented information security policies). Issues at the lower end of the scale (as determined by the auditors) may not necessarily be reported, while those at the higher end will definitely be reported to management and will probably result in a refusal to certify the ISMS as compliant until they are adequately resolved.
The risk assessment process is itself potentially auditable, by the way, while auditors are also concerned about audit risks (for example the possibility that their sampling and checking may fail to identify or highlight something truly significant).