Security Auditing

Fresh eyes when reviewing documentation and ways of working can highlight issues that have been missed previously; often they have been there since the document’s inception. Our Professional Services experts have over 15 years of auditing experience, and our commitment to you is that the feedback we give will not be filled with technical jargon - you will be able to understand it, and it will offer you real ways to improve your company’s security.

Auditing Standards

We recognise two major standards for measuring security maturity and either can be used to audit your current posture and highlight areas that could be improved. Both security audit approaches involve a 3-day onsite visit.

1. The National Institute of Standards and Technology Special Publication (SP 800-53)

The Information Technology Laboratory (ITL) within the National Institute of Standards and Technology (NIST) is a research facility dedicated to formulating tests, test methods, reference data, proof-of-concept implementations, and technical analyses to advance the development and productive use of information technology. Special Publication 800-53 details a process for selecting controls to protect organisational operations (including mission, functions, image, and reputation), organisational assets, individuals, other organisations, and the nation from a diverse set of threats, including hostile cyber-attacks, natural disasters, structural failures, and human errors. It is these guidelines that our consultants use to determine where issues may lie within your organisation’s security. The typical audit points are:

Physical Security

Logical Security

Incident Management

Policies, Standards and Procedures

For further reading, see the NIST security standards.

2. The SANS Institute Centre for Internet Security Critical Controls

The Centre for Internet Security (CIS) is an organisation dedicated to enhancing the cybersecurity readiness and response of public and private sector companies. The approach that our security consultants adopt during their audit is based around identifying, developing, validating, promoting and sustaining best practices in cybersecurity. The aim is ultimately to supply world-class security solutions that prevent, and enable rapid response to, cyber incidents. The typical audit points our consultants would look at are:

Inventory

Software

User Access

Logging Capability

Data Protection

Wireless Controls

Incident Management

For further reading, see the CIS security standards.