Security Audit Compliance Does Not Equate to Low Security Risk

Terry Slattery
Principal Architect

Your organization has passed a security audit by a reputable auditing team. Is your IT infrastructure safe? Not necessarily.

Compliance Standards vs. Current Best Practices

IT infrastructure security is frequently checked for compliance with control catalogs such as NIST SP 800-53 [1] and the Center for Internet Security Controls (often called CIS-20 [2] because the catalog covered twenty control groups through version 7; version 8 consolidates them to eighteen). These compliance checks are a good start at verifying the state of your organization's security systems and are therefore frequently used by auditors.

However, if you look more closely at basing your IT security program on compliance audits, you'll find some gaps. There is always a delay between the periodic publication of a standard and current best practice. For example, NIST SP 800-53 Revision 5 was published in 2020, seven years after Revision 4. Keep in mind that IT security threats are changing faster than ever, so parts of a standard can already be dated by the time it is published. New countermeasures need to be adopted on a regular basis to keep pace with changes in the threat landscape.

Risk Analysis Options Beyond Compliance

Next, ask your security team, "Does compliance with IT security standards mean that we are free of risk?" Compliance tests help, but they aren't the complete answer. You'll want to adopt new systems and new approaches to mitigate risk. For example, take a close look at zero trust architecture [3] (ZTA), in which every access request is authenticated and authorized on its own merits, regardless of where on the network it originates. Related to ZTA is SASE (Secure Access Service Edge), which applies the same idea to remote access to corporate resources from any location.
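The difference between a perimeter model and the per-request verification ZTA calls for is easiest to see in code. The following is an added illustration, not code from the article: the network range, the user and role names, the resources, and the request records are all constructed for the example. The perimeter check trusts anything whose source address is inside the corporate range; the zero trust check ignores location and requires a verified identity, an acceptable device posture, and an authorization decision for the specific resource and action on every request.

```python
"""Added example: perimeter trust vs. zero trust access decisions.

All names, addresses and policy entries below are constructed for
illustration; nothing here comes from the original article.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed corporate address range for the perimeter model.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")

# Assumed identity-to-role mapping and an allow-list of
# (role, resource, action) tuples. A real deployment would pull these
# from an IdP and a policy engine; here they are constants for clarity.
ROLES = {"alice": {"finance"}, "bob": {"eng"}}
POLICY = {
    ("finance", "payroll-db", "read"),
    ("eng", "build-server", "deploy"),
}


@dataclass(frozen=True)
class Request:
    src_ip: str
    user: Optional[str]       # identity presented; None if none was presented
    token_valid: bool         # result of verifying the presented credential
    device_compliant: bool    # device posture reported by endpoint management
    resource: str
    action: str


def perimeter_allows(req: Request) -> bool:
    """Perimeter model: trust is derived from network location alone."""
    return ipaddress.ip_address(req.src_ip) in CORP_NET


def zero_trust_allows(req: Request) -> bool:
    """Zero trust model: each request is authenticated and authorized.

    Location is never consulted. Failing any single check denies the
    request, and authorization is evaluated for this exact resource
    and action rather than granted once at login.
    """
    if req.user is None or not req.token_valid:
        return False                      # no verified identity
    if not req.device_compliant:
        return False                      # device posture unacceptable
    roles = ROLES.get(req.user, set())
    return any((role, req.resource, req.action) in POLICY for role in roles)


def compare(requests: List[Request]) -> List[Tuple[bool, bool]]:
    """Return (perimeter decision, zero trust decision) for each request."""
    return [(perimeter_allows(r), zero_trust_allows(r)) for r in requests]


# Constructed sample requests.
SAMPLE = [
    # Unauthenticated device plugged into the office LAN.
    Request("10.1.2.3", None, False, False, "payroll-db", "read"),
    # Alice working remotely with a valid credential and compliant laptop.
    Request("203.0.113.5", "alice", True, True, "payroll-db", "read"),
    # Alice on the LAN but from a non-compliant device.
    Request("10.4.5.6", "alice", True, False, "payroll-db", "read"),
    # Alice asking for an action her role is not authorized for.
    Request("10.4.5.6", "alice", True, True, "build-server", "deploy"),
]

if __name__ == "__main__":
    for req, (perim, zt) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{req.src_ip:>12} {str(req.user):>6} {req.resource:>12} "
              f"{req.action:>7}  perimeter={perim!s:5} zero_trust={zt}")
```

The first sample request is the case that motivates the whole approach: the perimeter model admits an unauthenticated device because it happens to sit on the corporate network, while the zero trust model denies it. The second shows the converse, a legitimate remote user whom the perimeter model would have to reach through a VPN exception. The last two show that a verified identity is still not enough on its own; device posture and the resource-level authorization are checked on every request.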

Continuing your security analysis journey, you'll want to examine the requirements of the Cybersecurity Maturity Model Certification [4] (CMMC). If your business works with the U.S. Department of Defense, acquiring this certification will likely become a critical objective. Even if you don't do defense work, the CMMC practices are a useful framework for improving cybersecurity and reducing risk.

Security is a Continuous Process

Good IT security is a continuous process, changing to adapt to new threats and to implement new countermeasures. This is an environment in which a network lifecycle helps your organization structure the effort. There are several lifecycle definitions, such as the Cisco lifecycle process: Prepare, Plan, Design, Implement, Operate, Optimize (PPDIOO) [5], or the IT Infrastructure Library (ITIL) service lifecycle: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement [6]. Adopting one of these lifecycle processes lets your organization iterate through the cycle as fast as the IT security landscape changes. Keep in mind that a compliance and risk assessment may also need to be triggered by seemingly external changes, such as a change of a vendor with whom you have interconnected your network.

Coordination Across Departments is Key

Even with a lifecycle structure in place, one of the challenges is that compliance, risk, and cybersecurity are frequently funded from different budgets. The CFO may fund compliance audits and certification, while the network security team under the CIO or CISO is tasked with daily security operations, and IT security training might sit within the HR budget. Clearly, coordination between these groups is required for a comprehensive security implementation.

The end result? Conduct risk analysis alongside your compliance audits. The two processes complement each other; neither replaces the other.

1 NIST SP 800-53:

2 CIS-20:

3 Zero Trust Architecture:

4 Cybersecurity Maturity Model Certification (CMMC):

5 Cisco PPDIOO model:

6 ITIL lifecycle model: