A security audit measures a company's current performance by comparing it against established criteria drawn from a variety of sources. For example, during a security audit, consultants will use best-practice references such as the ISO/IEC 27000 information security standards set by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), or the NIST Cybersecurity Framework, which provides a guide for private sector organisations to assess and improve their cyber capabilities in terms of prevention, detection and response. Other standards that are widely used during a security audit include the government Protective Security Policy Framework (PSPF) and the Identity and Access Management Standards.