Contact us: info@tenendo.com
Understanding a Security Audit: A Standards-Aligned Perspective
A security audit is a systematic, independent evaluation of an organisation’s information systems, designed to assess resilience against cybersecurity threats and vulnerabilities. Aligned with internationally recognised standards and regulations such as ISO/IEC 27001, NIST CSF 2.0, the GDPR and the NIS2 Directive, a security audit integrates technical, procedural, and organisational assessments to determine the effectiveness of security controls, regulatory compliance, and overall risk posture.
Our Approach to Security Auditing
1. ISO/IEC 27001-Aligned Security Assessment
Purpose: Establish a structured foundation for security auditing using the ISO/IEC 27001 Information Security Management System (ISMS) framework.
Key Elements:
- International Standardisation: Align with a globally accepted framework for managing information security risks.
- Risk-Based Methodology: Identify, assess, and treat risks using a structured and repeatable process.
- Compliance Support: Meet cross-jurisdictional requirements, including GDPR (data protection), NIS2 (essential and important entities in critical sectors), and control frameworks such as NIST CSF 2.0 that map onto the same ISMS.
- Continuous Improvement: Establish a lifecycle of monitoring, evaluation, and enhancement of controls through the PDCA (Plan-Do-Check-Act) cycle.
2. Penetration Testing and Technical Validation
Purpose: Validate the effectiveness of technical and organisational controls through simulated attack scenarios.
Alignment:
- ISO/IEC 27001 Annex A controls A.12.6 and A.18.2 (2013 numbering; A.8.8 management of technical vulnerabilities and A.5.35/A.5.36 independent review and compliance checking in ISO/IEC 27001:2022): control testing and technical compliance review.
- NIST CSF 2.0 Identify, Protect and Detect Functions: vulnerability identification and threat modelling under Risk Assessment (ID.RA), hardening and patching under Platform Security (PR.PS), and continuous monitoring (DE.CM).
- NIS2 Article 21(2)(f): policies and procedures to assess the effectiveness of cybersecurity risk-management measures, which in practice means regular testing and auditing.
Scope of Testing:
- Infrastructure and application testing (external and internal).
- Evaluation of endpoint security, access control, and response mechanisms.
- Verification of secure configuration baselines and patch management.
- Documentation and remediation planning based on exploitability and business impact.
3. Architecture & Infrastructure Security Assessment
Purpose: Assess the resilience and compliance of IT architecture and infrastructure.
Key Steps:
- Scope Definition: Identify critical systems, assets, locations, and communication flows.
- Review of Security Architecture: Evaluate network segmentation, encryption protocols, access policies, and identity management in line with NIST CSF and ISO 27001 Annex A.
- Vulnerability and Configuration Review: Analyse system configurations, firewall rules, and physical/logical security controls.
- Risk Evaluation: Quantify risks using likelihood-impact models and prioritise remediation using NIST SP 800-30 or ISO/IEC 27005 methods.
- Physical Security Assessment: Assess facility protection, environmental controls, and access restriction in line with NIS2 and ISO 27001 Annex A.11 (2013 numbering; A.7 Physical controls in ISO/IEC 27001:2022).
Deliverables:
- Risk register with classification (Critical, High, Medium, Low).
- Mitigation strategy with control selection mapped to ISO 27001 Annex A and NIST CSF Subcategories.
- Alignment plan for regulatory obligations under GDPR (privacy-by-design), NIS2 (incident reporting and resilience), and sectoral mandates.
4. Documentation for Compliance and Certification
Objective: Build a comprehensive documentation set to demonstrate conformance to ISO 27001 and supporting frameworks (GDPR, NIST CSF, NIS2).
Core Documents:
- Information Security Policy: High-level governance statement aligned with ISO 27001 Clause 5 and GDPR Article 24.
- Risk Assessment and Treatment Plan: Developed under ISO/IEC 27005; includes threat modelling, risk ownership, and documented residual risk decisions.
- Statement of Applicability (SoA): Justifies control selection based on ISO 27001 Annex A, including GDPR Article 32 controls.
- Security Procedures Manual: Describes implementation of controls, including incident response, cryptography, physical security, and third-party governance.
- Document Control Policy: Ensures lifecycle management of ISMS documents (creation, review, revision).
- Incident Response Plan: Compliant with ISO/IEC 27035, NIST SP 800-61, and the NIS2 Article 23 notification requirements (early warning within 24 hours, incident notification within 72 hours, final report within one month of the notification).
- Internal Audit Program: Covers audit planning, scope, execution, and corrective action tracking under ISO 19011.
- Management Review Minutes: Demonstrates continual top-management engagement, required by ISO 27001 Clause 9.
- Training & Awareness Program: Captures employee accountability and awareness in line with GDPR Article 39 (DPO awareness-raising and staff training tasks) and the NIST CSF Awareness and Training (PR.AT) category under the Protect Function.
- Third-Party Security Policy: Governs supplier relationships, aligned with ISO 27036 and NIS2 supply chain requirements.
- Corrective Actions Records: Documents improvements made following audits, incidents, or risk reassessments.
Continuous Improvement and Security Culture
Security audits are not isolated events but a foundational component of ongoing organisational resilience. By incorporating audit findings, penetration test results, and architectural reviews into a continuous improvement cycle, organisations can:
- Meet and exceed regulatory expectations.
- Proactively mitigate emerging threats.
- Maintain alignment with evolving frameworks such as NIST CSF 2.0 and updates to ISO 27001.
- Cultivate a robust security culture across business units and supply chains.