Better Information Security Audit? Focus on Assets, Not Controls

In this compliance-driven age of information security, regulatory requirements are increasing audit costs nearly as much as the auditors themselves. But the value of an audit is driven by the assets, not the controls. Let me explain why.

Controls have no intrinsic value – their value is determined by the assets they were put in place to protect (e.g. people, processes & technology). If you accept that as true, then the value of a controls assessment is not dictated by the controls being assessed but by the value of the assets those controls protect. A controls assessment is therefore an evaluation of asset protection from loss/damage; its purpose is to identify how effectively an asset's value is being protected from loss/damage. If the process itself is fundamentally asset-based, how can the value of an assessment legitimately be based on anything else? A gap assessment is no different: it is a measurement of the gaps between actual and desired asset protection.

So with that in mind, some of the advantages of an asset-based assessment are as follows:

1. Provides a measure of asset protection from the loss/damage of value.

An asset-based assessment provides an evaluation of the impact controls have on the risks that threaten an asset's value. An assessment focused solely on whether the controls' design complies with a standard does not evaluate asset protection from risk, because the only "risk" within the scope of that type of assessment is the risk of non-compliance. That approach works for a compliance assessment like the PCI-DSS self-assessment, but it doesn't work for ISO 27000 assessments: there, compliance is only important if the organization has already identified the controls necessary for effective asset protection and the purpose of the engagement is to support the standard's requirements for monitoring and review. Such an engagement provides no value to an organization that doesn't already have an ISMS in place, because it has not been established that compliance equals effective asset protection.

2. More cost-effective use of client resources.

An asset-based assessment only focuses on those controls necessary for asset protection while a compliance assessment will consume resources to evaluate controls that may not be necessary for asset protection. This extends beyond the costs of the auditor’s time because the client will also spend resources reviewing the consultant’s deliverables that include analysis of compliance with useless control requirements. A potential side effect resulting from this approach is waning support for the assurance effort as people begin to wonder why they’re spending resources on analysis that doesn’t impact actual security. Additionally, the work required for an asset-based assessment will have to be done sooner or later and will probably be cheaper if it’s done up front than after an unnecessary compliance assessment.

3. Focus on long-term value instead of short-term gains.

An asset-based assessment provides long-term value by establishing a picture of asset protection that’s independent of changing standards. It may be a snapshot of a point in time but it can still be used as a baseline. In a situation where compliance isn’t mandatory, the only possible value of a compliance assessment is that it provides an estimate of work that may be required for asset protection. But even if the estimate turns out to be “very little work required,” it’s not very trustworthy because it was done outside the context of asset protection, so “very little work required” for one asset to be adequately protected may be “a lot of work” for another asset to be adequately protected.


About the Author:

Mosi K. Platt, CISA - Information Security Auditor