Definition: A Security Audit of an information system is an assessment of the system's existing conditions and practices against a baseline or a published standard. An organization may adopt any of several standards as the reference point. One is the ISO/IEC 27000 series (with ISO/IEC 27001 as the certifiable requirements standard); others include the COBIT governance framework and, for United States federal agencies and their contractors, FISMA.
Most commonly, a third party familiar with the chosen standard reviews how the organization provides for information assurance. Ideally the audit confirms that the controls prescribed in the organization's information security plan are actually implemented and operating. Each practice the standard describes as required or recommended is compared with what the organization actually does, and a formal report is prepared from on-site observations, interviews, and examination of evidence such as configurations, logs, and records. The findings describe the organization's state at the time of the audit; a clean report or a certificate attests that the audited processes met the standard, not that the system is free of vulnerabilities.
Its Relevance: An organization needs an independent view of whether its information assurance program actually works. Any shortfall against the standard is recorded as a finding, and the organization is expected to remediate it and to track the remediation to closure. Organizations are also increasingly requiring that the companies with whom they do business be certified as having met a particular standard, so an audit can be a condition of doing business as well as an internal check.
Repeating the audit cycle (assess, record findings, remediate, reassess) gives the organization a path toward continual improvement.