Audit

A security audit is a systematic evaluation of an organization's security program, policies, and controls against established criteria. Audits can be internal (conducted by your own team) or external (conducted by independent auditors), and they evaluate whether your security program meets specific standards and is operating effectively.

Audits examine documentation, processes, and technical implementations. Unlike assessments, which may be collaborative, audits are typically more formal and produce findings that require documented corrective actions. Regular internal audits help you identify and fix issues before external auditors or assessors find them.

Why It Matters

Regular security audits are part of CMMC's ongoing assessment requirements. Conducting internal audits between official assessments helps you maintain continuous compliance and catch drift before it becomes a significant gap.
