
Expert Advice Community


Risk assessment and information security audit

Guest user | Created: Nov 10, 2018 | Last commented: Nov 10, 2018


1. How does information security audit relate to information security risk assessment?


Expert
Rhand Leal Nov 10, 2018

Answer: The information security risk assessment is about how to identify, analyse and evaluate risks, while the information security audit is about evaluating the degree to which requirements are being fulfilled.

The information security audit is one of the means to assess if the information security risk assessment and risk treatment were performed as required (considering the ISO 27001 standard and other non-standard related requirements), and if its results (prioritized risks and implemented treatments) are achieving the expected results regarding the information security and business objectives.

For more information, please read: Risk assessment vs. internal audit in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/12/08/risk-assessment-vs-internal-audit-in-iso-27001-and-iso-22301/

2. What are an advantage and a disadvantage of an external as compared to an internal audit?

Answer: Second-party audits (audits performed by external personnel for non-certification purposes) can bring more expertise and an unbiased view to the audit process than internal audits, but on the other hand they are more expensive, and the lack of internal specific knowledge may let the external auditors miss situations that are clear to internal auditors.

Third-party audits (audits performed by certification bodies for certification purposes) can bring independent and worldwide-recognized confidence that the organization fulfils the standard requirements (through the issuing of a certificate), which internal audits cannot provide, but they involve costs for certification maintenance.

These articles will provide you with further explanation about the types of audits:
- First-, Second- & Third-Party Audits, what are the differences? https://advisera.com/9001academy/blog/2015/02/24/first-second-third-party-audits-differences/
- Dilemmas with ISO 27001 & BS 25999-2 internal auditors https://advisera.com/27001academy/blog/2010/03/22/dilemmas-with-iso-27001-bs-25999-2-internal-auditors/
