Key Takeaways
- A cybersecurity audit is a structured evaluation of controls, evidence and governance against a defined scope.
- It is not the same as a penetration test or a vulnerability scan: those are technical inputs, not the whole assurance process.
- ISO 19011 provides general guidance for auditing management systems, while ISO/IEC 27001 defines ISMS requirements.
- NIS 2 and ACN baseline readiness require evidence that policies, procedures, roles and technical controls work in practice.
- The strongest audit preparation starts before the auditor arrives: scope, document register, evidence matrix and owner interviews.
- A vCISO service can accelerate remediation because it turns findings into owners, deadlines and board-ready governance.
Scope of This Article
This article explains what a cybersecurity audit is, which audit types organizations encounter, how an engagement normally runs and how Italian organizations should prepare for NIS 2, ISO 27001, DORA or ACN baseline reviews.
What Is a Cybersecurity Audit
A cybersecurity audit is a structured assessment of security governance, controls, evidence and operating practices against a defined framework or set of requirements. It checks not only whether a policy exists, but whether the organization can prove that the process is assigned, implemented, monitored and improved.
ISO 19011 describes auditing management systems as a discipline with principles, audit-program management and methods for conducting audits (ISO 19011:2018). ISO/IEC 27001 defines requirements for an information security management system and can be certified by third parties (ISO/IEC 27001:2022).
A penetration test looks for exploitable technical weaknesses and demonstrates impact. A vulnerability scan identifies known, already-catalogued weaknesses, usually by version or signature matching, without confirming that they are exploitable. A gap assessment compares current maturity with a target. A cybersecurity audit may include all three, but it also evaluates governance, evidence and management accountability.
Main Types of Cybersecurity Audit
| Audit type | Reference | Typical focus | Who conducts it |
|---|---|---|---|
| NIS 2 readiness audit | Directive (EU) 2022/2555, D.Lgs. 138/2024, ACN measures | Governance, risk measures, incident handling, evidence | Internal team, consultant or regulator-driven review |
| ISO 27001 audit | ISO/IEC 27001:2022 | ISMS clauses, Annex A controls, continual improvement | Internal auditor or certification body |
| DORA gap assessment | Regulation (EU) 2022/2554 | ICT risk, incident reporting, resilience testing, third parties | Financial entity, advisor or supervisory context |
| ACN baseline audit | ACN baseline documentation | Base security measures and documentary evidence | Compliance, cyber team or external advisor |
| Supply-chain audit | Contractual and regulatory obligations | Supplier controls, assurance and contractual evidence | Customer, auditor or procurement risk team |
| Technical audit | Configuration standards or secure baselines | Hardening, logging, IAM, network exposure | Security engineer or specialist team |
Internal vs External Audit
An internal audit is performed for management assurance. Its goal is to find gaps early, before certification, supervisory review or customer due diligence. An external audit is performed by an independent party, such as a certification body, customer auditor, regulator or specialist consultant.
The two should not compete. A good internal audit creates the evidence discipline that makes external review faster and less disruptive. It also gives management a realistic view of risk before findings become contractual or regulatory problems.
The Phases of a Cybersecurity Audit
- Scoping: define entities, systems, processes, legal obligations and excluded areas.
- Document review: collect policies, procedures, registers, risk assessments and board approvals.
- Interviews: test whether owners understand responsibilities and escalation paths.
- Technical evidence: review logs, configurations, backup results, access records and vulnerability outputs.
- Gap matrix: map each requirement to evidence, score and finding.
- Draft findings: separate critical gaps from cosmetic weaknesses.
- Management response: assign owners, deadlines and acceptance criteria.
- Closing meeting: confirm facts, risk ranking and remediation path.
- Audit report: preserve the evidence trail and remediation commitments.
How to Prepare for a Cybersecurity Audit
Preparation should start with a document and evidence map. For NIS 2 and ACN baseline readiness, organizations should connect policy statements to concrete registers, logs, risk decisions and approvals.
- define the audit perimeter and business processes in scope;
- map process owners, system owners and governance roles;
- collect policies, procedures, registers and inventory files;
- organize evidence for logs, training, tests, backups and incident exercises;
- review incident-management documentation and escalation contacts;
- prepare interview notes for board, IT, compliance and business owners;
- simulate a short internal audit before the formal review.
Aegister has already published operational deep dives on audit interviews and evidence collection, documentary evidence readiness and the evidence matrix for board approval.
Common Failure Patterns
- Stale documents: policies are approved but no longer match systems or roles.
- Role ambiguity: the procedure names a role, but nobody can explain who performs it.
- Missing evidence: controls are claimed, but logs, registers or test records are absent.
- Template copying: documents contain generic language that is not connected to the organization.
- Retention gaps: logs exist but retention, integrity and access rules are unclear.
- Board disconnect: cyber risk is handled technically but not translated into management decisions.
What Happens After the Audit
The audit report should produce a remediation queue, not just a list of observations. Each finding needs severity, evidence, affected requirement, owner, due date and closure criterion. High-risk gaps should be closed through management review, not hidden in a technical backlog.
For a practical remediation model, see Aegister's articles on prioritizing audit findings, documentation audit checklists and cross-document coherence checks.
When a vCISO Service Accelerates Audit Readiness
A vCISO service is useful when the organization has controls but lacks governance continuity. It can maintain the ISMS calendar, coordinate evidence, review supplier risk, prepare management reporting and keep remediation moving after the audit.
Aegister supports this through Virtual CISO services and evidence workflow tracking in the Cyber Console. The goal is not to make an audit look clean; it is to make the underlying operating model auditable.
NIS 2 Audit Specifics for Italian Organizations
For Italian NIS subjects, audit readiness must align legal scope, ACN baseline measures, incident-notification procedures and management-body accountability. Start from Aegister's NIS 2 impact guide and the operational article on ACN baseline measures.
The Evidence Matrix
The evidence matrix is the practical bridge between requirements and proof. It prevents the audit from becoming a document dump and helps management see which gaps are formal, operational or technical.
| Column | Purpose | Example |
|---|---|---|
| Requirement | Identifies the legal, contractual or framework clause | Incident response procedure approved and tested |
| Evidence | Shows what proves implementation | Procedure, exercise report, incident register |
| Owner | Assigns accountability | CISO, IT manager, process owner |
| Status | Pass, partial, fail or not applicable | Partial because exercise was not repeated |
| Risk | Explains business impact | Delayed notification and poor containment |
| Action | Turns the finding into remediation | Run tabletop exercise by a fixed date |
This structure also reduces audit fatigue. Instead of asking every function for every document, the team asks for targeted evidence tied to known requirements.
How to Classify Findings
Findings should be ranked by risk and by effort. A missing board approval for a critical policy is not the same as a typo in a procedure. A stale access review for privileged accounts is usually more serious than a formatting mismatch in a register.
- Critical: missing control, legal exposure or incident-response failure.
- High: control exists but is materially incomplete or not evidenced.
- Medium: process works but lacks consistency, ownership or repeatability.
- Low: documentation improvement with limited risk impact.
The remediation plan should focus first on critical and high findings that block compliance, resilience or customer assurance. Low findings should be grouped and fixed without distracting the leadership team.
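The evidence matrix above and the four severity bands in this section can be turned into a small, repeatable calculation. The following is an added worked example and not Aegister's tooling: it models matrix rows with the column names from the table, derives a finding from every row that is not pass or not applicable, and orders the remediation queue by severity first and effort second. The severity rules, the two-class effort scale (quick, structural), the `critical_control` and `doc_only` flags and the sample rows are assumptions made for illustration.

```python
"""Evidence matrix -> finding register -> remediation queue.

Added worked example, not Aegister's tooling. Column names follow the
evidence-matrix table in the article; the severity rules, the effort scale,
the extra flags and the sample rows are assumptions for illustration.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
EFFORT_RANK = {"quick": 0, "structural": 1}   # assumption: two effort classes


@dataclass
class MatrixRow:
    requirement: str
    evidence: list[str] = field(default_factory=list)  # artefacts on file; empty = none
    owner: str | None = None          # accountable role; None = unassigned
    status: str = "fail"              # pass | partial | fail | n/a
    risk: str = ""                    # business impact, as in the matrix
    action: str = ""                  # remediation step
    critical_control: bool = False    # assumption: set at scoping for legal/IR-critical items
    doc_only: bool = False            # assumption: the gap is purely documentary
    effort: str = "quick"             # assumption: quick | structural


@dataclass
class Finding:
    requirement: str
    severity: str
    rationale: str
    owner: str
    effort: str
    action: str


def classify(row: MatrixRow) -> Finding | None:
    """Map one matrix row to the article's four severity bands (top rule wins).

    critical: control missing on a critical requirement
    high:     control missing, or claimed without any evidence on file
    medium:   evidenced but unowned, or not repeatable
    low:      evidenced and owned, documentation gap only
    pass and n/a rows yield no finding.
    """
    if row.status in ("pass", "n/a"):
        return None
    if row.status not in ("partial", "fail"):
        raise ValueError(f"unknown status {row.status!r} for {row.requirement}")
    if row.status == "fail" and row.critical_control:
        sev, why = "critical", "control missing on a critical requirement"
    elif row.status == "fail" or not row.evidence:
        sev, why = "high", "control claimed but not evidenced"
    elif row.owner is None or not row.doc_only:
        sev, why = "medium", "evidenced but lacks ownership or repeatability"
    else:
        sev, why = "low", "documentation improvement only"
    return Finding(row.requirement, sev, why, row.owner or "UNASSIGNED",
                   row.effort, row.action)


def remediation_queue(rows: list[MatrixRow]) -> list[Finding]:
    """Findings ordered by severity, then by effort (quick wins first), then name."""
    findings = [f for f in map(classify, rows) if f is not None]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity],
                                           EFFORT_RANK[f.effort], f.requirement))


def status_summary(rows: list[MatrixRow]) -> dict[str, int]:
    """Counts per status: the first number management asks for."""
    return dict(Counter(r.status for r in rows))


def unowned(rows: list[MatrixRow]) -> list[str]:
    """Requirements with no accountable owner: a governance gap whatever the status."""
    return [r.requirement for r in rows if r.owner is None and r.status != "n/a"]


# Constructed sample matrix (not real audit data).
SAMPLE = [
    MatrixRow("Incident response procedure approved and tested",
              ["IR procedure v3", "tabletop report 2023"], "CISO", "partial",
              "Delayed notification and poor containment",
              "Run tabletop exercise by a fixed date", critical_control=True),
    MatrixRow("Privileged access reviewed quarterly", [], "IT manager", "partial",
              "Orphaned admin accounts", "Complete the review and file sign-off",
              critical_control=True),
    MatrixRow("Backup restore tested", [], None, "fail",
              "Unrecoverable service outage", "Schedule a restore test",
              critical_control=True, effort="structural"),
    MatrixRow("Supplier security clauses in contracts", ["clause template"], None,
              "partial", "Unassessed third-party risk", "Assign procurement owner"),
    MatrixRow("Acceptable use policy versioned", ["AUP v2"], "HR", "partial",
              "Minor", "Fix document control header", doc_only=True),
    MatrixRow("Asset inventory maintained", ["CMDB export"], "IT manager", "pass"),
]

if __name__ == "__main__":
    print(status_summary(SAMPLE))
    for f in remediation_queue(SAMPLE):
        print(f"{f.severity:8} {f.effort:10} {f.owner:12} {f.requirement}: {f.action}")
```

Run as a script, it prints the status counts and then the queue: the failed backup test on a critical control comes first, the unevidenced privileged-access review second, the two medium items next and the documentation-only policy gap last. The point of keeping the rules in one function is that management can read, challenge and change them; a severity that lives in someone's head is exactly the kind of role ambiguity an auditor will probe.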
Roles and Accountability During the Audit
A cybersecurity audit needs named owners. Compliance can coordinate, but it cannot answer for firewall rules, backup tests, supplier clauses or incident escalation. Each domain must own the evidence connected to its responsibility.
A practical RACI usually includes management body, CISO or vCISO, IT operations, legal, HR, procurement, process owners and supplier managers. If these owners are not aligned before interviews, the audit will expose governance gaps even when technical controls are present.
Suggested Preparation Timeline
| When | Work package | Expected output |
|---|---|---|
| 6-8 weeks before | Define scope and framework | Audit charter and perimeter map |
| 4-6 weeks before | Collect policies, procedures and registers | Controlled document inventory |
| 3-4 weeks before | Collect technical evidence | Logs, screenshots, reports and configuration exports |
| 2 weeks before | Run internal interviews | Validated role and process notes |
| 1 week before | Review contradictions and missing evidence | Pre-audit remediation list |
| After audit | Approve remediation and assign owners | Finding closure plan |
Technical Evidence That Auditors Commonly Request
Technical evidence should be recent, attributable and reproducible: collected inside the audit period, traceable to a named collector, source system and timestamp, and accompanied by the command or export path that would regenerate it. Screenshots without date, owner or system context are weak. Better evidence includes exported configuration, logs with timestamps, ticket history, scan results, backup test reports and access-review records, ideally with a hash recorded at collection time so the file in the audit folder can be shown to be unchanged.
For NIS 2, the evidence should connect to business services. An auditor should be able to understand which system supports which service, which owner is accountable and which control reduces which risk.
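One way to enforce those three properties is to keep a manifest next to the artefacts. The following is an added example, not Aegister's Cyber Console or any tool the article describes: each entry records the control supported, the source system, the accountable owner, who collected the artefact and when, the command or export path that reproduces it, and a SHA-256 of the content. A check function then lists why an auditor would discount an item (stale, unattributed, unreproducible or empty). The field names, the 90-day freshness window and the sample artefacts are assumptions.

```python
"""Evidence manifest: make technical evidence recent, attributable and reproducible.

Added worked example, not Aegister's tooling. Field names, the freshness
window and the constructed artefacts below are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class EvidenceItem:
    control: str         # requirement or control the artefact supports
    system: str          # system the artefact was taken from
    owner: str           # role accountable for the control
    collected_by: str    # who produced the export
    collected_at: str    # ISO-8601 timestamp, normalised to UTC
    source: str          # command or export path that regenerates the artefact
    sha256: str          # binds this entry to the artefact bytes
    size: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record(control: str, system: str, owner: str, collected_by: str, source: str,
           content: bytes, collected_at: str | None = None) -> EvidenceItem:
    """Build one manifest entry. collected_at is ISO-8601; default is now (UTC)."""
    ts = datetime.fromisoformat(collected_at) if collected_at else datetime.now(timezone.utc)
    if ts.tzinfo is None:                       # assumption: naive stamps are UTC
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return EvidenceItem(control, system, owner, collected_by,
                        ts.isoformat(timespec="seconds"), source,
                        sha256_hex(content), len(content))


def verify(item: EvidenceItem, content: bytes) -> bool:
    """True if the artefact on disk still matches what the manifest recorded."""
    return len(content) == item.size and sha256_hex(content) == item.sha256


def weaknesses(item: EvidenceItem, audit_date: str, max_age_days: int = 90) -> list[str]:
    """Reasons an auditor would discount this artefact; empty list = acceptable."""
    problems: list[str] = []
    collected = datetime.fromisoformat(item.collected_at).date()
    age = (date.fromisoformat(audit_date) - collected).days
    if age > max_age_days:
        problems.append(f"stale: collected {age} days before the audit date")
    if age < 0:
        problems.append("collected after the audit date")
    for name in ("owner", "collected_by", "system"):
        if not getattr(item, name).strip():
            problems.append(f"not attributable: {name} missing")
    if not item.source.strip():
        problems.append("not reproducible: no source command or export path")
    if item.size == 0:
        problems.append("empty artefact")
    return problems


def write_manifest(items: list[EvidenceItem]) -> str:
    """JSON to store beside the artefacts in the audit folder."""
    return json.dumps([asdict(i) for i in items], indent=2, sort_keys=True)


# Constructed artefacts (not real exports).
FIREWALL_EXPORT = b"rule 10 permit tcp any host 10.0.0.5 eq 443\nrule 20 deny ip any any\n"
UNDATED_SCREENSHOT = b"\x89PNG constructed placeholder bytes"

if __name__ == "__main__":
    audit_date = "2025-03-01"
    good = record("Network exposure limited", "fw-edge-01", "IT manager", "ops-oncall",
                  "show running-config | section access-list", FIREWALL_EXPORT,
                  "2025-02-20T09:00:00+00:00")
    weak = record("Backup restore tested", "", "", "unknown", "", UNDATED_SCREENSHOT,
                  "2024-06-01T09:00:00+00:00")
    for item in (good, weak):
        print(item.control, "->", weaknesses(item, audit_date) or "acceptable")
    print(write_manifest([good, weak]))
```

The manifest does not make evidence true; it makes it checkable. When the auditor asks where a configuration export came from, the answer is a system name, a command and a hash rather than a memory, and a re-run of the same command on audit day shows whether the control still holds.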
How to Keep the Audit File Alive
The audit file should not be archived and forgotten. It should become the operating baseline for the next quarter. Findings become actions; actions become evidence; evidence becomes the next management review. This is the difference between audit theatre and continuous assurance.
Sample Audit Questions
A useful preparation exercise is to answer the questions the auditor is likely to ask. Can management explain the current cyber risk posture? Can IT show which assets are critical? Can HR prove security training and joiner-mover-leaver controls? Can procurement show supplier cybersecurity clauses and assurance checks? Can the incident owner reconstruct the last test or real event?
If the organization cannot answer these questions without improvising, the audit is not ready. The issue is usually not lack of documents; it is lack of connection between documents, owners and operating evidence.
Outputs a Good Audit Should Produce
- a clear scope statement with assumptions and exclusions;
- a requirement-by-requirement evidence matrix;
- a finding register with severity, rationale and owner;
- a remediation roadmap split between quick fixes and structural work;
- a management summary suitable for board review;
- a reusable evidence folder for the next audit cycle.
These outputs make the audit useful even when the result is uncomfortable. A weak audit report only says that something is missing. A strong audit report explains risk, priority and the next operational step.
When to Repeat the Audit
An audit should be repeated after major changes: new cloud architecture, acquisition, incident, certification target, regulatory scope change or critical supplier onboarding. For stable environments, an annual internal audit and quarterly evidence review usually provide enough rhythm to keep the assurance file current.
FAQ
What is a cybersecurity audit?
It is a structured assessment of governance, technical controls and evidence against a defined cybersecurity framework or requirement set.
Is a cybersecurity audit the same as a penetration test?
No. A penetration test checks exploitable technical weaknesses. An audit also checks governance, evidence, accountability and process execution.
How long does an audit take?
Duration depends on scope, evidence quality and interview availability. Poor evidence preparation usually extends the audit more than technical complexity.
Is a NIS 2 audit mandatory?
NIS 2 imposes governance and security obligations but does not prescribe a standing audit for every entity. It does give competent authorities (ACN in Italy) the power to order security audits: regular, targeted or ad hoc audits for essential entities and targeted audits for important entities, with targeted audits by an independent body normally paid for by the entity. Outside supervisory action, whether and how an audit is run depends on contractual needs and the organization's own assurance model.
