Working on contracts for B2B, B2G, or B2C engagements can be daunting. The intense focus on proving the security and privacy of your systems is usually at the heart of the process. Your customers need to know if they can trust you.
Knowing the difference between an audit, an assessment, and a certificate will help your organization to streamline the work involved to assuage the concerns of customers, vendors, and shareholders and convince them to work with you. While evaluating the best way to convince them, you will come across a plethora of security frameworks, standards, regulations, The list is endless… You will usually be asked to provide more than one set of documents to meet the eligibility requirements of an RFQ (Request for Quote) by a potential customer or prove your compliance with a regulatory framework. Let’s dive deep into each of the three concepts from a practical point of view.
Audit: An audit is often the most misunderstood term. A good example of an audit is an IRS audit or a HIPAA audit by the OCR. These put the truth about audits into perspective. The purpose of an audit is to inspect or investigate against a set of rules & regulations and to find gaps at a point in time. An audit does not refer to the past or future health of your systems. It focuses on the ‘here and now’ or ‘point in time’.
An external party conducts an audit. Hence, it should not be confused with an internal audit. An internal audit is actually an assessment. The external party has trained personnel to review if an organization has violated rules and regulations set by the government or authorized body for your industry. You usually undergo an audit if they suspect you have deviated from the norms you are required follow. Hence the term ‘You’re being audited!’
Assessment: An assessment is an internal audit or an evaluation that an organization undertakes to identify gaps and implement a corrective action plan. You need to reference a set of guidelines or frameworks and adhere to best practices to assess if your organization is meeting a specific benchmark successfully. Conducting regular assessments and implementing corrective actions to meet the required frameworks can save your organization millions of dollars in fines and penalties. It can also save your personnel from jail time and your brand from a bad reputation. It also demonstrates your due diligence towards the requirement in the court of law.
Some examples of an assessment are a Security Risk Assessment or a HIPAA Compliance Assessment. You can conduct these in collaboration with a vendor, paid by your organization, to help you streamline the documentation and prove that you are complying with a framework. Vendors are also supposed to help you develop a corrective action plan, provide policies and procedures you can use as a benchmark, and ensure you have access to staff training to meet specific requirements. For example, when you conduct an annual HIPAA Compliance Assessment, certified experts at databrackets can guide you to meet the latest requirements announced by the Department of Health and Human Services (HHS); ensure your staff has access to HIPAA training; review your documentation; conduct the required Pen Test to assess your systems and ensure your policies and procedures meet the mark. This annual activity gives you the information and support you need to ensure that your systems have no scope for a HIPAA violation and will not lead to a penalty, a fine, jail time, and loss of trust by your customers.
Certification: A certificate is an official document that attests to the status or level of achievement by an organization. It shows the level of adherence of an organization against a specific process or technology. Certifications are not mandatory, and organizations pursue certifications to win contracts. Security certifications like ISO 27001 are popular globally, while SOC 2 is often a requirement for B2B contracts in the US.
Certification is more expensive than an assessment since it is managed entirely by an external certifying body, which is paid for by your organization. It follows very stringent processes, and there are no guarantees that you will get the certificate. One way to enhance your chances of getting the certificate you want is to undergo a readiness prep with a certified vendor to ensure your systems, policies, and procedures comply with the standard before the external party begins the certification process. Investing in readiness prep assessments can save a significant amount of time and money you would have to spend on remediation and a second attempt at certification. We recommend this 2-step process since you get financial rewards when you are awarded the certificate and can convert potential leads into business partners.
What’s the difference between an audit, assessment and certification?
A detailed set of differences between the three terms is included in the table below:
Audit | Assessment | Certification | |
|---|---|---|---|
Objective | To inspect/investigate against a set of rules & regulations, find gaps at a point in time | Type of an evaluation to help an organization identify gaps and implement a corrective action plan
| An official document that attests to the status or level of achievement by an organization. It shows the maturity of an organization against a specific process / technology. |
Examples | HIPAA Audit by the OCR, IRS Audit | Security Risk Assessment, GDPR/HIPAA Compliance Assessment | ISO 27001, SOC 2 |
Sponsored by | Generally by an outside organization | Funded by the organization | Funded by the organization |
Type of Resources Required / Who can conduct it | External resources | Internal / outsourced | Certification Body |
Experience level of Resources | Senior Level / Subject Matter Experts | Experienced Subject Matter Experts | Certified Professionals Only |
Reports are used by | Vendors / Customers / Shareholders | Mainly for internal use | Vendors / customers / Shareholders |
Engagement Type | Formal | Informal | Formal |
Industry / Department | Financial, IT | Financial, IT | Product / Manufacturing / Services |
Time / Duration | Usually short | Few weeks-few months | Usually short – based on guidelines fixed by the certifying body |
Cost | N/A since it is borne by an external party | $$ | $$$ |
Validity | Point in time / Past events | 6 months – 1 year | 1-3 years – based on the certification guidelines |
Frequency of Engagement | Infrequent | On demand | Annual. For certificates which triennial there are usually annual surveillance audits required to maintain the certification |
Impact / Result | Monetary fines, penalties and/or jail time for violations | Plan of action and milestones for improvements | Certificate |
What you need to reference
| Rules and Law | Guidelines, Frameworks and Best Practices | Manuals, Standards, Criteria etc. |
databrackets can help you with an Audit, Assessment and Certification
With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers and other commercial organizations. The only way to defend everything you’ve worked so hard to create is to be protect your systems from security lapses.
Our certified experts have developed specialized Do-It-Yourself Assessments and we offer consulting and hybrid services as well. We conduct readiness prep assessments for SOC 2 and ISO 27001 as well. Contact us to know more about how our services can help your company.
We would love to hear your thoughts and feedback in the comments section below.
Related Links
How to Select a Security Vendor
Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks