Definition: A Security Audit of an information system is an assessment of existing conditions and practices against a baseline or a standard. There are a number of standards an organization might adopt; one is the ISO 27000 series, and others include COBIT and FISMA (a US federal law whose requirements are implemented through NIST guidance such as SP 800-53).
Typically, a third party familiar with the standard reviews how the organization provides for information assurance. Ideally the audit verifies that what is prescribed in the organization's information security plan is actually in place. Comparisons are made between what the standard holds to be best practice and what the organization actually does, based on evidence (documents, configurations, interviews) rather than on stated policy alone. A formal report is prepared based upon on-site observations.