
Cyber Security Audit Checklist for Australian Businesses (2026 Update)


Last updated: February 2026

Cyber security isn’t something you “set and forget.” Most Australian businesses only discover gaps after an incident, a client questionnaire, or an insurance renewal forces the issue.

This guide gives you a practical cyber security audit checklist you can run internally — and it also shows you what evidence an external auditor will typically ask for.

Want help turning this into a formal audit report and remediation plan? Our team runs structured cyber security audits for Australian businesses.

Executive summary
Most cyber incidents exploit a small set of gaps: weak access controls, unpatched systems, limited monitoring, and untested backups. This checklist gives you a fast, practical way to benchmark your security posture, capture evidence, and create a prioritised 30–90 day remediation plan.

  • 22 control checks across governance, identity, endpoints, network/cloud, and response/recovery
  • Simple scoring (0–3): not in place → in place + tested + monitored
  • Built to support internal reviews, client questionnaires, and insurance renewals

What is a cyber security audit (and what it isn’t)?

A cyber security audit is a structured review of your security controls, policies, and technical configurations to identify risk, gaps, and priorities.

It is not the same as:

  • A vulnerability scan (finds known technical weaknesses)
  • A penetration test (simulates real attack paths)
  • A compliance audit (checks your organisation against a specific standard or contract)

A solid audit often includes elements of all three, but the end product should always be the same:

✅ a clear view of current risk
✅ evidence-backed findings (not opinions)
✅ a prioritised remediation plan

How to use this checklist (scoring + evidence)

Step A: Score each control

Use a simple 4-point rating:

  • 0 = Not in place
  • 1 = Partially in place
  • 2 = In place
  • 3 = In place + tested + monitored

Step B: Record evidence (this is the difference between “tips” and an audit)

When assessing controls, evidence quality matters. The ACSC Essential Eight assessment guidance describes evidence quality ranging from “policy statements” (weak) to “tested controls” (strong).

A practical way to apply that idea:

  • Weak evidence: policy says it exists
  • Better evidence: screenshots/reports show configuration
  • Best evidence: you can demonstrate the control works (tests, simulations, logs)

Step C: Map to a framework (optional but powerful)

If you need something widely recognised:

  • ACSC Essential Eight is a strong baseline for many Aussie organisations.
  • For broader program structure, NIST CSF 2.0 organises outcomes under: Govern, Identify, Protect, Detect, Respond, Recover.

The 22-point cyber security audit checklist

Governance and scope

Define audit scope and “crown jewels”

Check:

  • Have you listed your critical systems (email, finance, CRM, file storage, line-of-business apps)?
  • Do you know which systems support revenue, operations, and compliance?

Evidence to capture:

  • System list, business owners, and criticality rating
  • Data flow / integration map (even simple)

Red flags:

  • “Everything is critical” (usually means nothing is prioritised)

Maintain a complete asset inventory (devices + software + cloud)

Check:

  • Do you have an up-to-date list of laptops/desktops/servers, mobile devices, and network gear?
  • Do you know what SaaS apps are connected to your identity provider?

Evidence:

  • Endpoint inventory export (MDM/RMM)
  • SaaS/app inventory (SSO/IdP list)

Data classification and retention rules exist (and are used)

Check:

  • Do you classify data (public / internal / confidential / highly confidential)?
  • Are retention rules defined for sensitive records?

Evidence:

  • Data classification policy
  • Examples of labels / permissions in action

Security policies exist and are reviewed annually

Minimum set to audit:

  • Acceptable use
  • Access control and password/MFA rules
  • Patch/update policy
  • Backup + disaster recovery policy
  • Incident response plan

Evidence:

  • Version-controlled policies + review dates

Identity and access management (IAM)

Multi-factor authentication (MFA) is enabled everywhere it matters

The ACSC repeatedly highlights MFA as a key baseline measure (especially for small and medium business).

Check:

  • MFA on email, VPN/remote access, admin portals, financial systems
  • Stronger requirements for admins (conditional access / phishing-resistant options where possible)

Evidence:

  • MFA policy screenshots
  • Admin account list with MFA enforced

Admin privileges are restricted and monitored

This aligns directly with Essential Eight (“restrict administrative privileges”).

Check:

  • Do users have local admin “because it’s easier”?
  • Do you separate admin accounts from day-to-day accounts?

Evidence:

  • Privileged group membership export
  • “Break glass” accounts documented + protected

Joiners / movers / leavers process is tight

Check:

  • Same-day offboarding
  • Role-based access (least privilege)
  • Regular access reviews for key systems

Evidence:

  • Offboarding checklist
  • Quarterly access review records

Remote access is secured (VPN/Zero Trust + device checks)

Check:

  • MFA on all remote access
  • Device compliance checks for remote access (managed device, encryption, up-to-date)

Evidence:

  • Remote access configuration
  • Conditional access rules or VPN policy

Endpoint and application controls

Operating system patching is consistent and measurable

Essential Eight explicitly includes “patch operating systems.”

Check:

  • Patch SLAs (e.g., critical within X days)
  • Visibility: what % is compliant right now?

Evidence:

  • Patch compliance report (last 30/60/90 days)

Application patching is consistent and measurable

Essential Eight explicitly includes “patch applications.”

Check:

  • Browsers, PDF readers, office apps, VPN clients, remote tools
  • Automated patching where possible

Evidence:

  • App inventory + patch status

Application control and macro controls are enforced

Essential Eight includes “application control” and “restrict Microsoft Office macros.”

Check:

  • Do you block unknown/unapproved executables?
  • Are macros blocked from the internet by default?

Evidence:

  • Application control rules / allowlist policy
  • Macro policy settings

Endpoint security is deployed and centrally managed

Check:

  • EDR/AV coverage across all endpoints
  • Alerts are reviewed and triaged

Evidence:

  • Coverage report
  • Sample incident/alert workflow and resolution records

Network and cloud controls

Firewall rules are documented, reviewed, and minimised

Check:

  • Inbound ports justified (especially RDP/remote admin)
  • Outbound filtering where appropriate

Evidence:

  • Firewall configuration export
  • Quarterly firewall review records
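The two checks above (inbound ports justified, especially remote admin, and a quarterly rule review) can be run mechanically over a rule export. The script below is an added example, not the article's or any vendor's code; the CSV column layout, the sample rules and the 90-day review interval are constructed assumptions.

```python
"""Added example, not the article's own code: review a firewall rule export for
the conditions the checklist asks about (inbound ports justified, especially remote
admin, and rules reviewed quarterly). The CSV layout and the sample rules are
constructed assumptions, not any vendor's export format."""
from __future__ import annotations
import csv
import io
import ipaddress
from datetime import date, timedelta

REMOTE_ADMIN_PORTS = {22, 23, 3389, 5900, 5985, 5986}   # SSH, Telnet, RDP, VNC, WinRM
REVIEW_INTERVAL = timedelta(days=90)                    # quarterly review, as the checklist expects

# Constructed sample export (invented rule names and RFC 5737/1918 addresses).
SAMPLE_RULES_CSV = """name,direction,action,source,dest_port,protocol,owner,justification,last_reviewed
allow-web,inbound,allow,0.0.0.0/0,443,tcp,web-team,Public website,2026-01-15
allow-rdp-any,inbound,allow,0.0.0.0/0,3389,tcp,,,2024-06-01
allow-ssh-mgmt,inbound,allow,10.10.50.0/24,22,tcp,infra,Admin jump host only,2026-01-15
allow-all-temp,inbound,allow,0.0.0.0/0,any,any,contractor,Temporary,2025-03-01
allow-smtp-out,outbound,allow,10.0.0.0/8,25,tcp,infra,Mail relay,2026-01-15
"""


def is_unrestricted(source: str) -> bool:
    """True for 'any' or a network that covers the whole address space (0.0.0.0/0, ::/0)."""
    if source.strip().lower() == "any":
        return True
    try:
        return ipaddress.ip_network(source.strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def parse_rules(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def review_rules(rules: list[dict], today: date) -> list[dict]:
    """Return one finding per problem found; a rule with no findings passes the check."""
    findings: list[dict] = []

    def add(rule: dict, severity: str, msg: str) -> None:
        findings.append({"rule": rule["name"], "severity": severity, "finding": msg})

    for r in rules:
        inbound_allow = r["direction"] == "inbound" and r["action"] == "allow"
        port = r["dest_port"].strip().lower()
        if inbound_allow and is_unrestricted(r["source"]):
            if port == "any":
                add(r, "high", "inbound any/any rule open to the internet")
            elif port.isdigit() and int(port) in REMOTE_ADMIN_PORTS:
                add(r, "high", f"remote admin port {port} reachable from the internet")
        if not r["owner"].strip() or not r["justification"].strip():
            add(r, "medium", "no owner or business justification recorded")
        reviewed = date.fromisoformat(r["last_reviewed"])
        if today - reviewed > REVIEW_INTERVAL:
            add(r, "medium", f"not reviewed since {reviewed} (quarterly review overdue)")
    return findings


if __name__ == "__main__":
    for f in review_rules(parse_rules(SAMPLE_RULES_CSV), date(2026, 2, 20)):
        print(f"[{f['severity']:<6}] {f['rule']}: {f['finding']}")
```

The output doubles as audit evidence: each finding names the rule, so the quarterly review record can list which rules were removed, tightened or re-justified.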

Network segmentation exists (even basic)

Check:

  • Guest Wi‑Fi separated
  • IoT separated
  • Server/admin networks protected

Evidence:

  • VLAN/network diagram
  • ACL rules

Wireless is secured (WPA3 where possible) + guest access is isolated

Check:

  • No shared passwords for internal Wi‑Fi (or rotate frequently)
  • Guest network isolated from internal systems

Evidence:

  • Wireless controller configuration

Cloud and SaaS configuration is reviewed (shared responsibility is understood)

Check:

  • Admin roles for Microsoft 365 / Google / key SaaS reviewed
  • Logging enabled
  • Security defaults or conditional access enabled

Evidence:

  • Admin role assignments
  • Security settings exports

Detection, response, and resilience

Centralised logging is enabled with sensible retention

Check:

  • Logs from endpoints, identity, email, firewalls collected centrally (where feasible)
  • Alerts for high-risk events (impossible travel, mass downloads, admin changes)

Evidence:

  • Log sources list + retention settings
  • Example alerts and response notes
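As an added illustration of the three alert types named in the check (not code from the article or any SIEM product), the script below runs simple detection logic over constructed sample log lines. The JSON-lines layout, field names, speed and download thresholds, and the privileged role list are all assumptions chosen for the example.

```python
"""Added example, not the article's own code: three of the high-risk alerts the
logging check names (impossible travel, mass downloads, admin role changes), run
over constructed sample log lines. The JSON-lines layout, field names, thresholds
and the privileged role list are assumptions, not any product's real schema."""
from __future__ import annotations
import json
import math
from collections import deque
from datetime import datetime, timedelta, timezone

MAX_PLAUSIBLE_SPEED_KMH = 900          # assumed: faster than this between sign-ins is impossible travel
MIN_DISTANCE_KM = 100                  # assumed: ignore small jumps caused by geolocation noise
MASS_DOWNLOAD_THRESHOLD = 50           # assumed: this many downloads inside the window raises an alert
MASS_DOWNLOAD_WINDOW = timedelta(minutes=10)
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}   # illustrative set


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_sample_log() -> str:
    """Constructed events: one impossible-travel pair (Sydney then London 45 minutes later),
    one benign Melbourne-to-Sydney pair, a privileged role grant and a download burst."""
    lines = [
        '{"ts": "2026-02-10T08:00:00Z", "type": "SignIn", "user": "amy", "ip": "203.0.113.10", "lat": -33.87, "lon": 151.21}',
        '{"ts": "2026-02-10T08:45:00Z", "type": "SignIn", "user": "amy", "ip": "198.51.100.7", "lat": 51.51, "lon": -0.13}',
        '{"ts": "2026-02-10T09:00:00Z", "type": "SignIn", "user": "bob", "ip": "203.0.113.22", "lat": -37.81, "lon": 144.96}',
        '{"ts": "2026-02-10T12:00:00Z", "type": "SignIn", "user": "bob", "ip": "203.0.113.23", "lat": -33.87, "lon": 151.21}',
        '{"ts": "2026-02-10T09:05:00Z", "type": "RoleAssigned", "user": "svc-admin", "target": "bob", "role": "Global Administrator"}',
    ]
    start = datetime(2026, 2, 10, 13, 0, tzinfo=timezone.utc)
    for i in range(60):                       # bob: 60 downloads in five minutes
        t = start + timedelta(seconds=5 * i)
        lines.append(json.dumps({"ts": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "type": "FileDownloaded",
                                 "user": "bob", "file": f"finance/report-{i:02d}.xlsx"}))
    for h in (10, 11, 12):                    # amy: three routine downloads an hour apart
        lines.append(json.dumps({"ts": f"2026-02-10T{h}:00:00Z", "type": "FileDownloaded",
                                 "user": "amy", "file": f"hr/policy-{h}.pdf"}))
    return "\n".join(lines) + "\n"


def detect_high_risk(log_text: str) -> list[dict]:
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: parse_ts(e["ts"]))
    alerts: list[dict] = []
    last_signin: dict[str, tuple[datetime, float, float]] = {}
    downloads: dict[str, deque] = {}
    for e in events:
        ts, kind, user = parse_ts(e["ts"]), e["type"], e["user"]
        if kind == "SignIn":
            if user in last_signin:
                prev_ts, plat, plon = last_signin[user]
                km = haversine_km(plat, plon, e["lat"], e["lon"])
                hours = (ts - prev_ts).total_seconds() / 3600
                speed = km / hours if hours > 0 else float("inf")
                if km >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_SPEED_KMH:
                    alerts.append({"rule": "impossible_travel", "user": user, "ts": e["ts"],
                                   "detail": f"{km:.0f} km in {hours * 60:.0f} min ({speed:.0f} km/h)"})
            last_signin[user] = (ts, e["lat"], e["lon"])
        elif kind == "FileDownloaded":
            window = downloads.setdefault(user, deque())
            window.append(ts)
            while ts - window[0] > MASS_DOWNLOAD_WINDOW:   # drop downloads older than the window
                window.popleft()
            if len(window) == MASS_DOWNLOAD_THRESHOLD:      # fire once, as the threshold is crossed
                alerts.append({"rule": "mass_download", "user": user, "ts": e["ts"],
                               "detail": f"{len(window)} downloads within {MASS_DOWNLOAD_WINDOW}"})
        elif kind == "RoleAssigned" and e["role"] in PRIVILEGED_ROLES:
            alerts.append({"rule": "admin_change", "user": e["target"], "ts": e["ts"],
                           "detail": f"{e['role']} granted by {user}"})
    return alerts


if __name__ == "__main__":
    for a in detect_high_risk(build_sample_log()):
        print(f"{a['ts']} {a['rule']:<18} {a['user']:<8} {a['detail']}")
```

Each alert record carries the timestamp, user and a short detail line, which is the shape of the "example alerts and response notes" evidence the check asks for once a triage note is attached to it.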

Vulnerability management exists (scan → prioritise → remediate)

Check:

  • Regular vulnerability scanning
  • Remediation SLAs and tracking

Evidence:

  • Last 2–3 scan reports
  • Remediation tickets with closure dates
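Both the OS patching check earlier (patch SLAs and "what % is compliant right now") and the vulnerability management check here come down to the same measurement: findings against a due date. The script below is an added example, not the article's own tooling; the SLA values (the article leaves "critical within X days" open), the record layout and the sample findings are constructed assumptions.

```python
"""Added example, not code from the original article: track patch and vulnerability
findings against remediation SLAs, report the "% compliant right now" figure the OS
patching check asks for, and order the open backlog for remediation. SLA values,
record layout and sample findings are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}    # assumed SLAs per severity
SEVERITY_RANK = {s: i for i, s in enumerate(SLA_DAYS)}             # critical=0 ... low=3


@dataclass
class Finding:
    host: str
    title: str
    severity: str
    first_seen: date               # when the scanner or patch feed first reported it
    fixed_on: date | None = None   # closure date from the remediation ticket, if closed


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    """One of: closed_in_sla, closed_late, open_in_sla, overdue."""
    due = due_date(f)
    if f.fixed_on is not None:
        return "closed_in_sla" if f.fixed_on <= due else "closed_late"
    return "open_in_sla" if today <= due else "overdue"


def compliance_report(findings: list[Finding], today: date) -> dict:
    """Counts per status plus the share of hosts with nothing overdue (the 'compliant now' figure)."""
    counts = {"closed_in_sla": 0, "closed_late": 0, "open_in_sla": 0, "overdue": 0}
    hosts: set[str] = set()
    overdue_hosts: set[str] = set()
    for f in findings:
        hosts.add(f.host)
        s = status(f, today)
        counts[s] += 1
        if s == "overdue":
            overdue_hosts.add(f.host)
    compliant = len(hosts) - len(overdue_hosts)
    return {"counts": counts, "hosts": len(hosts), "compliant_hosts": compliant,
            "host_compliance_pct": round(100.0 * compliant / len(hosts), 1) if hosts else 100.0}


def prioritised_backlog(findings: list[Finding], today: date) -> list[Finding]:
    """Open findings, most severe first, then the most overdue within each severity."""
    open_findings = [f for f in findings if f.fixed_on is None]
    return sorted(open_findings,
                  key=lambda f: (SEVERITY_RANK[f.severity], -(today - due_date(f)).days, f.host))


# Constructed sample: six findings across four hosts, assessed on 20 Feb 2026.
TODAY = date(2026, 2, 20)
SAMPLE_FINDINGS = [
    Finding("srv-01", "OS cumulative update", "critical", date(2026, 2, 17), date(2026, 2, 18)),
    Finding("srv-01", "PDF reader update", "high", date(2026, 1, 20)),
    Finding("wks-07", "Browser update", "critical", date(2026, 2, 19)),
    Finding("wks-07", "Office suite update", "medium", date(2026, 1, 1), date(2026, 2, 10)),
    Finding("vpn-gw", "VPN appliance firmware", "critical", date(2026, 2, 10)),
    Finding("wks-12", "Legacy reporting tool", "low", date(2025, 12, 1)),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_FINDINGS, TODAY)
    print(f"{report['compliant_hosts']}/{report['hosts']} hosts compliant "
          f"({report['host_compliance_pct']}%), status counts: {report['counts']}")
    for f in prioritised_backlog(SAMPLE_FINDINGS, TODAY):
        days = (TODAY - due_date(f)).days
        print(f"{f.severity:<8} {f.host:<7} {f.title:<24} due {due_date(f)} ({days:+d} days)")
```

Running it monthly against the real scanner and patch exports gives the "last 30/60/90 days" compliance trend the evidence list asks for, and the closed_late count shows whether tickets are being closed inside the SLA or merely closed.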

Incident response plan is documented and tested

Check:

  • Who calls who, and when?
  • Tabletop exercise done in the last 12 months?
  • Does your plan include regulatory/customer notification steps?

If the Privacy Act and the Notifiable Data Breaches (NDB) scheme apply to you, there are situations where you must notify affected individuals and the OAIC, specifically where a breach is likely to result in serious harm.

Evidence:

  • IR plan + exercise notes
  • Communications templates (internal, customers, regulators)

Backups are reliable, protected, and tested

Essential Eight includes “regular backups,” and the ACSC small business guidance also highlights backups as a key starting point.

Check:

  • 3-2-1 approach (or equivalent)
  • Immutable/offline copies where possible
  • Restore tests performed and documented

Evidence:

  • Backup reports
  • Restore test results (date, RTO/RPO achieved)

Business continuity and disaster recovery are planned and rehearsed

Check:

  • Critical systems have recovery priorities (RTO/RPO)
  • Alternative communication channels exist
  • The plan is tested (not just written)

Evidence:

  • BCDR plan
  • Test results and improvement actions

Third-party / supplier risk is assessed and contractualised

Check:

  • Vendor list includes: what they access, what they store, and how critical they are
  • Contracts include security expectations and breach notification requirements

Evidence:

  • Supplier register
  • Contract clauses / security addendums
  • Annual vendor reviews for critical suppliers

What to do after the audit (so it turns into real risk reduction)

Turn findings into a 90-day remediation plan

Prioritise by:

  1. Likelihood + impact
  2. Exposure (internet-facing, admin accounts, sensitive data)
  3. Fix effort (quick wins first)
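Putting Step A's 0–3 scale, Step B's evidence tiers and the three prioritisation criteria above into one script turns the checklist into a repeatable scorecard. The code below is an added example, not the article's or Stanfield IT's own tool; the evidence cap (a control backed only by a policy statement cannot score above 1), the 1–3 likelihood, impact and effort scales, and the six sample controls are constructed assumptions.

```python
"""Added example, not code from the original article: score checklist controls on the
Step A scale (0-3), cap the score by the Step B evidence tier, and rank the weak
controls using the article's three prioritisation criteria (likelihood + impact,
then exposure, then fix effort). Scales, weights and sample controls are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed mapping of Step B evidence tiers to the highest score each can support.
EVIDENCE_CAP = {"policy": 1, "config": 2, "tested": 3}


@dataclass
class Control:
    name: str
    domain: str
    score: int              # Step A rating: 0 not in place ... 3 in place + tested + monitored
    evidence: str           # Step B tier: "policy", "config" or "tested"
    likelihood: int = 2     # 1..3, chance the gap is exploited (assumed scale)
    impact: int = 2         # 1..3, business impact if it is (assumed scale)
    exposed: bool = False   # internet-facing, admin accounts or sensitive data involved
    effort: int = 2         # 1 quick win ... 3 major project (assumed scale)


def effective_score(c: Control) -> int:
    """Score after the evidence cap; rejects values outside the defined scales."""
    if not 0 <= c.score <= 3:
        raise ValueError(f"{c.name}: score must be 0-3")
    if c.evidence not in EVIDENCE_CAP:
        raise ValueError(f"{c.name}: unknown evidence tier {c.evidence!r}")
    return min(c.score, EVIDENCE_CAP[c.evidence])


def domain_summary(controls: list[Control]) -> dict[str, float]:
    """Percentage of the maximum score (3 per control) achieved in each domain."""
    totals: dict[str, list[int]] = {}
    for c in controls:
        totals.setdefault(c.domain, []).append(effective_score(c))
    return {d: round(100.0 * sum(s) / (3 * len(s)), 1) for d, s in totals.items()}


def remediation_order(controls: list[Control], threshold: int = 2) -> list[Control]:
    """Controls scoring below the threshold, ordered as the article prioritises:
    highest likelihood x impact first, then exposed controls, then lowest effort."""
    weak = [c for c in controls if effective_score(c) < threshold]
    return sorted(weak, key=lambda c: (-(c.likelihood * c.impact), not c.exposed, c.effort, c.name))


# Constructed sample audit result: six of the 22 controls with invented ratings.
SAMPLE_CONTROLS = [
    Control("MFA enabled everywhere it matters", "Identity", 3, "tested", 3, 3, True, 1),
    Control("Admin privileges restricted", "Identity", 1, "config", 2, 3, True, 2),
    Control("OS patching measurable", "Endpoint", 2, "policy", 3, 3, True, 2),
    Control("Backups tested", "Resilience", 3, "config", 2, 3, False, 1),
    Control("Firewall rules reviewed", "Network", 0, "policy", 2, 2, True, 1),
    Control("Supplier risk assessed", "Governance", 1, "policy", 1, 2, False, 3),
]

if __name__ == "__main__":
    for domain, pct in domain_summary(SAMPLE_CONTROLS).items():
        print(f"{domain:<12} {pct:5.1f}% of maximum")
    print("\nRemediation order for the 90-day plan:")
    for i, c in enumerate(remediation_order(SAMPLE_CONTROLS), 1):
        print(f"{i}. {c.name} (score {effective_score(c)}, risk {c.likelihood * c.impact}, effort {c.effort})")
```

Note what the evidence cap does to "OS patching measurable": the auditor rated it 2, but with only a policy statement as evidence it drops to 1 and rises to the top of the plan, which is the point of Step B.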

Set an ongoing cadence

  • Monthly: patching, endpoint coverage, backup health
  • Quarterly: access reviews, firewall rule review, vulnerability scans
  • Annually: incident response tabletop, full audit refresh

Experience better IT services

If your IT feels reactive or unclear, we’ll stabilise the essentials and align it to your business goals.

IT Services for Australian Businesses - Stanfield IT