# IT security audit

**What is an IT security audit?**

An IT security audit reviews a company's IT security against a benchmark defined in advance. That benchmark can be a recognised standard, a set of legal requirements or the auditor's own checklist.

What separates an audit from a check is the benchmark and the evidence. An audit records for every requirement whether it is met, partly met or open. The result is an audit report you can put in front of a third party such as an insurer, a client or an authority.

Internal audits are run by the company itself, external audits by an independent party. A certification audit against ISO/IEC 27001 is different again: only an accredited certification body may carry it out.

## Related terms
- [IT security check](https://vetosec.at/en/it-security/it-sicherheitscheck/)
- [IT audit](https://vetosec.at/en/it-security/it-audit/)
- [Gap analysis](https://vetosec.at/en/it-security/gap-analyse/)
- [ISO/IEC 27001](https://vetosec.at/en/it-security/iso-27001/)

## Source
https://vetosec.at/en/it-security/it-sicherheitsaudit/ (vetosec, pruefung)
