Security Audits Aligned with ISO 27001, GDPR, NIS2 & NIST CSF 2.0

Understanding a Security Audit: A Standards-Aligned Perspective

A security audit is a systematic, independent evaluation of an organisation’s information systems, designed to assess resilience against cybersecurity threats and vulnerabilities. Aligned with internationally recognised standards such as ISO/IEC 27001, GDPR, NIS2, and NIST CSF 2.0, a security audit integrates technical, procedural, and organisational assessments to determine the effectiveness of security controls, regulatory compliance, and risk posture.

Our Approach to Security Auditing

1. ISO/IEC 27001-Aligned Security Assessment

Purpose: Establish a structured foundation for security auditing using the ISO/IEC 27001 Information Security Management System (ISMS) framework.

Key Elements:

International Standardisation: Align with a globally accepted framework for managing information security risks.
Risk-Based Methodology: Identify, assess, and treat risks using a structured and repeatable process.
Compliance Support: Meet cross-jurisdictional requirements, including GDPR (data protection), NIS2 (critical infrastructure), and sector-specific controls (NIST CSF).
Continuous Improvement: Establish a lifecycle of monitoring, evaluation, and enhancement of controls through the PDCA (Plan-Do-Check-Act) cycle.

2. Penetration Testing and Technical Validation

Purpose: Validate the effectiveness of technical and organisational controls through simulated attack scenarios.

Alignment:

ISO/IEC 27001 A.12.6 & A.18.2: Control testing and technical compliance review.
NIST CSF Detect & Protect Functions: Use threat modelling and vulnerability management processes.
NIS2 Article 21: Conduct regular testing and auditing of cybersecurity risk management measures.

Scope of Testing:

Infrastructure and application testing (external and internal).
Evaluation of endpoint security, access control, and response mechanisms.
Verification of secure configuration baselines and patch management.
Documentation and remediation planning based on exploitability and business impact.

3. Architecture & Infrastructure Security Assessment

Purpose: Assess the resilience and compliance of IT architecture and infrastructure.

Key Steps:

Scope Definition: Identify critical systems, assets, locations, and communication flows.
Review of Security Architecture: Evaluate network segmentation, encryption protocols, access policies, and identity management in line with NIST CSF and ISO 27001 Annex A.
Vulnerability and Configuration Review: Analyze system configurations, firewall rules, and physical/logical security controls.
Risk Evaluation: Quantify risks using likelihood-impact models and prioritize remediation using NIST 800-30 or ISO 27005 methods.
Physical Security Assessment: Assess facility protection, environmental controls, and access restriction in compliance with NIS2 and ISO 27001 A.11.

Deliverables:

Risk register with classification (Critical, High, Medium, Low).
Mitigation strategy with control selection mapped to ISO 27001 Annex A and NIST CSF Subcategories.
Alignment plan for regulatory obligations under GDPR (privacy-by-design), NIS2 (incident reporting and resilience), and sectoral mandates.

4. Documentation for Compliance and Certification

Objective: Build a comprehensive documentation set to demonstrate conformance to ISO 27001 and supporting frameworks (GDPR, NIST CSF, NIS2).

Core Documents:

Information Security Policy: High-level governance statement aligned with ISO 27001 Clause 5 and GDPR Article 24.
Risk Assessment and Treatment Plan: Developed under ISO 27005; includes threat modeling, risk ownership, and residual risk decisions.
Statement of Applicability (SoA): Justifies control selection based on ISO 27001 Annex A, including GDPR Article 32 controls.
Security Procedures Manual: Describes implementation of controls, including incident response, cryptography, physical security, and third-party governance.
Document Control Policy: Ensures lifecycle management of ISMS documents (creation, review, revision).
Incident Response Plan: Compliant with ISO 27035, NIST SP 800-61, and NIS2 incident notification requirements.
Internal Audit Program: Covers audit planning, scope, execution, and corrective action tracking under ISO 19011.
Management Review Minutes: Demonstrates continual top-management engagement, required by ISO 27001 Clause 9.
Training & Awareness Program: Captures employee accountability and awareness in line with GDPR Article 39 and NIST PR.AT function.
Third-Party Security Policy: Governs supplier relationships, aligned with ISO 27036 and NIS2 supply chain requirements.
Corrective Actions Records: Documents improvements made following audits, incidents, or risk reassessments.

Continuous Improvement and Security Culture

Security audits are not isolated events but a foundational component of ongoing organizational resilience. By incorporating audit findings, penetration test results, and architectural reviews into a continuous improvement cycle, organizations can:

Meet and exceed regulatory expectations.
Proactively mitigate emerging threats.
Maintain alignment with evolving frameworks such as NIST CSF 2.0 and updates to ISO 27001.
Cultivate a robust security culture across business units and supply chains.

Application Penetration Testing

Infrastructure Assessment

Cloud Infrastructure

Performance and scalability assessment

Cybersecurity assessment

Threat Intelligence

Red Teaming

Compliance Readiness Services

Purple Teaming

Training

Due Diligence

Insides

Case Studies

Contact Us

About Tenendo

Contact us: