There is a long list of reasons why a company would want to perform periodic security assessments. An increasing number of businesses are bound by government regulations or industry standards that dictate which security measures must be in place and how auditing must be carried out. HIPAA, FISMA, Sarbanes-Oxley, and Gramm-Leach-Bliley are US laws, and PCI DSS is a payment-card industry standard; each dictates how to secure a particular type of data and the systems that provide access to that data. They also require regular assessments of security posture, though they differ in their specific requirements and time frames.
Even if the company is not bound by any of these regulations or standards, you may still want to use them as resources to guide security practice. ISO 27002 is a good general-purpose security code of practice that can serve as a guide for the development of “organizational security standards and effective security management practices and to help build confidence in inter-organizational activities.”
There are many benefits to performing periodic assessments beyond simply complying with regulations. Undertaking regular assessments can help businesses to: