The purpose of risk assessment
The purpose of risk assessment is to find out which problems can happen to your information and/or operations – that is, what can jeopardize the confidentiality, integrity and availability of your information, or what can threaten the continuity of your operations.
As part of the risk assessment you have to do the following:
- Identify all the risks related to your information
- Identify the risk owners
- Identify threats
- Assess the impact and likelihood of risks
- Determine the level of risks
- Decide whether the risk needs to be treated or not, and respond to the risk accordingly
The purpose of internal audit/security control assessment (SCA)
The internal audit or SCA, on the other hand, is nothing more than listing all the rules and requirements (controls) and then finding out if those rules and requirements are complied with (testing controls).
When performing an internal audit, you need to check if each and every rule and requirement was complied with.
This is done by using various techniques:
- Examining all the documentation and records
- Personal observations (e.g., walking around the premises)
- Interviewing the employees
The main differences between the two
- A risk assessment is a very high-level overview (interview and examination) of your technology, controls, and policies/procedures to identify gaps and areas of risk. An internal audit/SCA, on the other hand, is a very detailed, thorough examination of said technology, controls, and policies/procedures. In an IT audit, not only are the items listed going to be evaluated, they are going to be tested as well. This is a major difference between the two: the risk assessment looks at what you have in place, while the audit tests what you have in place (examination, interview and testing).
- A risk assessment can be either a self-assessment or completed by an independent third party. An audit must be completed by an independent, certified third party.
- Risk assessment is thinking about the (potential) things that could happen in the future, while the internal audit is dealing with how things were done in the past.
- Internal audit/SCA focuses on compliance with various rules and requirements (controls), while risk assessment is nothing but analysis that provides a basis for building up certain rules (controls).
- Risk assessment is done before you start applying the security controls, while the internal audit is performed once these are already implemented.
- The risk assessment report contains: risk level, threat, vulnerabilities, likelihood, impact, risk type, recommendation, and existing and residual risk. On the other hand, the Security Assessment Report (SAR) produced by an internal audit or SCA contains: controls, tools, vulnerabilities, risk level, risk type, and recommendation.