What is a security audit and how does it differ from a security assessment?
CISSP Flashcards: Security Assessment, Penetration Testing, Vulnerability Management
A security audit is a formal, systematic evaluation of an organization's security posture against a specific standard, regulation, or set of criteria, conducted by independent auditors who produce a pass or fail determination. Examples include SOC 2 audits, ISO 27001 certification audits, and PCI DSS assessments. A security assessment is a broader, more flexible evaluation that identifies risks and recommends improvements without necessarily measuring against a fixed standard. Audits are typically required by regulators or customers and result in certification or attestation.
csrc.nist.gov