Why do you need a cyber security audit checklist?

A cyber security audit checklist is a great way to help you start investigating and evaluating your business’s current position on cyber security. However, it can be difficult to know where to begin. But don’t worry, we have you covered. In this cyber security audit checklist we’re going to break down some simple questions that you can answer for your business.

When you decide to tackle cyber security, you might want to just pass the issue off to your IT department or a third-party security organisation. You may never really think about gaining an understanding of the whole process, especially when it seems to be a bunch of techno jargon. That’s why we’ve created this cyber security audit checklist to be easy to use and understand.

Want a more interactive experience? Try our free online cyber security assessment.

cyber security checklist


Do you still need a cyber security audit checklist even if you use an external IT team?

An IT security organisation is definitely a crucial part of the process. However, we also stress that every business needs to have a good understanding of cyber security in general. It’s important to grasp the fundamental essentials of cyber threats, cyber vulnerabilities, and cyber security controls that are available. It’s also important to educate your team, as often data-breach prevention comes down to simply recognising what an attack looks like. This could be as simple as teaching employees about how to identify a suspicious email or pop up and to never click the links.

We believe that if you have the basic fundamental knowledge of cyber security essentials you’re far more likely to recognise any threats or issues. When you have a good idea of what needs to be done before you pass it off to the specialists, you’re already a step ahead in terms of attacks or system compromises.

Using a specialist is what comes after you evaluate your current cyber security status. We advise you to run through this cyber security audit checklist to give you a basic idea of what’s in place and what you need to do. From there you can start to make plans for implementing a better cyber security framework.

cyber security team


Our top 15 cyber security audit checklist strategies

Our checklist will help you start understanding the considerations you need to make regarding your business’s cyber security. We cover this in more depth in our Cyber Security Guide for small to medium businesses. The following list is only an outline, but it’s the perfect first step to take before diving deeper into all the cyber security information out there. It will help you recognise what you need to focus on when doing your own research or when hiring a cyber security support team.

Ask yourself:

1. Does your organisation have cyber security policies and procedures in place?

Cyber Security Policies and Procedures Explained

Cyber security policies and procedures will help you outline:

  • What areas of your business need the most protection.
  • Which threats your business is most likely to face.
  • Specific ways to protect your business.

While you might feel like you have all these areas covered, other people in your business may not. So, cyber security policies and procedures are particularly useful if your business has other employees.

There are a number of cyber security policies and procedures that you can implement in your business. Here are a few:

  • Turn on automatic updates.
  • Set mandatory password requirements, including length and difficulty.
  • Lost and stolen device procedures and guidelines.

These policies do not need to be of an overwhelming length or complexity. Rather, they just need to effectively communicate key points to your team.

2. Does your organisation protect all sensitive information transmissions? (such as with encryption or SSL)?

Our ability to share information over the internet is easier than ever. But it does create a few issues. Most notably are the associated security issues. Data breaches are becoming increasingly common, so it’s important to protect your business from them.

Methods of protecting sensitive information transmissions vary. However, one of the most common is encryption. Encryption is used to protect sensitive business data that is stored on a computer or network. It’s especially useful if your business collects and stores personally identifiable information (PII), such as credit card numbers.

Another method for securing an internet connection SSL, short for Secure Sockets Layer. SSL will prevent criminals from being able to read personal information that has been shared on a website. Because SSL scrambles personal information, it is particularly useful for shopping websites. An updated version of SSL is TLS, or Transport Layer Security. TLS is more secure, however, SSL is still commonly used.

3. Are all devices protected from the internet by a firewall?

A firewall is an essential protection mechanism that helps safeguard your devices. When you connect to the internet, there is the chance that hackers will be able to access your network. Thus, the purpose of a firewall is to prevent this from happening. In essence, a firewall acts as a gatekeeper that only allows traffic which it has been told to accept.

How does it do this? A firewall will use predetermined rules to filter incoming traffic. For example, a firewall will only allow trusted traffic sources or IP addresses to access your network. Malicious sources will be rejected, so your network is protected.

4. Does your organisation have designated cyber security professional?

Having a designated cyber security professional will give your cyber defences an edge. These are the people in your business who know exactly what threats to anticipate, and how to respond to them. If you’re part of a smaller business, having a designated cyber security professional might be out of your budget. If that’s the case, you can always outsource your cyber security.

If this sounds like something you need, check out our cyber security services to see how we can protect your business.

5. Does your organisation have a cyber security user education and awareness program?

Cyber security education and awareness is a must have for all businesses. It’s relatively simple, cost effective and it actually works. If you know how to identify and respond to threats, then your business will be in a much stronger position to protect its data.

Cyber security awareness training has come a long way in recent years. No longer does it mean spending hours upon hours stuck in a room discussing complicated topics. Training is now more engaging and promotes real behavioural change.

If you want to read more about cyber security awareness check out our article.

6. Does your organisation perform annual cyber security audits?

A cyber security audit is a full-scale review of your IT network. It will assess your policies, procedures, and controls, and determine if they are working appropriately. A cyber security audit will identify weaknesses and opportunities for improvement to prevent a data breach from occurring. It’s important to note that a cyber security audit should be completed by an independent, certified third party.

Benefits of a cyber security audit:

  • Identify weaknesses, gaps and opportunities for improvement.
  • Comply with government and industry laws and regulations.
  • Increase employee cyber security awareness.

7. Are all users with access to devices containing sensitive sensitive information using a unique username and complex passwords to access these systems?


We often neglect the importance of a unique username. But we really shouldn’t. One of the main concerns with a username is that, unlike a password, it’s public information. This obviously makes it easy for malicious actors to find your username. But it also makes guessing your username easy too. For example, if you use your email as a username on another site it can be easily guessed. Why? Because your email is one of the most public pieces of information about you. Ultimately, creating a unique username is just as important as creating a complex password.


Using a strong password can often make the difference between getting hacked and being secure. Hackers use automated technology to guess passwords. These types of software take common words, phrases, numbers and symbol combinations and make hundreds or thousands of guesses in a short time span. So, if your password isn’t very strong, they can pretty easily discover it.

A complex password will comprise of numbers and special characters mixed in common phrases. For example, i7ovemydog!!. An even stronger password will not even use a common phrase, such as ~p%O^{Y+apP=ehei.

Keeping track of all your different passwords can be a challenge. To help with this, there are some great password managers available, such as LastPass.

8. Do all devices with access to sensitive information have access control configured?

Access control is a security protocol that gives businesses the ability to manage who is authorised to access certain data and resources. Using an authentication and authorisation process, access control ensures that users only have access to company data that they have approval to use. The use of access control is recommended as a crucial factor in minimising business risk and keeping confidential information such as customer data from falling into the wrong hands.

As a general rule, it is recommended that you only give users access to data that is critical to their role.

9. Are all devices with access to sensitive information scanned for vulnerabilities on a regular basis?

Vulnerability scanning is a proactive process of identifying weaknesses in your business devices and associated software. In doing so, you are also able to close gaps in your security system before they can be exploited.

10. Do you use a risk-based priority to address vulnerabilities?

Vulnerability scanning alone is not sufficient to address security weaknesses. This is because you need to address any identified vulnerabilities using risk-based prioritisation. Using risk-based prioritisation, you prioritise the remediation of threats based on their urgency in regard to business operations.

11. Do all mobile devices that access sensitive information have SCM with the ability to remotely wipe the device?

SCM, or Security Configuration Management is a process that promotes security and manages risk by securely controlling information system configurations. In many cases, routers or operating systems have default configurations. These default configurations make it relatively easy for hackers to gain access to organisation’s data because they are well-known, and exploitable. By using SCM, you are able to patch known security weaknesses and reduce your likelihood of an attack occurring.

12. Does your organisation require two-factor authentication for remote access?

Two-Factor Authentication (2FA) requires users to provide two different types of authentication to verify their identity. Usually, these two factors are something the user knows, such as a password, and something the user has, such as temporary login code. This is an added layer of security that protects your business data even if passwords are compromised.

See below for an example of how 2FA works.

13. Does your organisation have a BCP, and, if so, does it include backup and recovery procedures for all virtual systems?

A BCP, or Business Continuity Plan is the process of implementing prevention and recovery systems to handle cyber attacks. The purpose of a BCP is to ensure businesses can continue to operate after a cyber attack has occurred. Generally, a BCP should include:

  • Designated crisis management roles and responsibilities.
  • Incident specific response guides.
  • Clear communication guidelines, with secondary communication methods in place.
  • A plan to review and update the BCP on an annual basis, when essential systems change, or when you introduce new systems.

14. Are all administrative accounts only permitted to perform administrator activities (with no access to internet or external email)?

Administrator accounts are able to take actions that will affect other users, such as critical server changes, altering security settings, and installing new software. Hackers try to use administrator privileges to get around critical security settings and access sensitive business information. By restricting administrator privileges, you make it harder for hackers who have accessed your system to engage in malicious activity.

15. Are all operating systems and applications up to date and do they have a patch management system?

We’re all guilty of clicking ‘skip’ when a software update message pops up. However, these updates are one of the easiest ways you can protect your business. This is because hackers often target known application, operating system and browser security vulnerabilities in their attacks. One of the key reasons for software updates is to address these security vulnerabilities, so your devices and applications are more secure.

A patch management system is a process that helps obtain, test, and install multiple patches on existing software and applications. This enables systems to remain up-to-date and also determine what patches are appropriate.

Cyber Security Audit Checklist


What steps should you take once you’ve gone through the cyber security audit checklist?

Self-evaluation is great, and we feel that this cyber security audit checklist is an excellent starting point to help you determine your business’s cyber readiness. If you’ve run through this cyber security audit checklist and determined you’ve covered it all, great! But there’s always more you can do. These are just the essentials. From this point on, you need to be vigilant with regular analysis and cyber auditing.

Cyber security can seem tedious, but protecting your business and integrity with something so simple and fundamental is really a no-brainer. Read through the cyber security audit checklist and make sure you’re able to tick everything off. After that, take it to the next level by following the steps in our Cyber Security Guide. Do this and you’ll be on your way to ensure your business is safe and secure from cyber attacks.