A cyber security audit is a systematic evaluation of an organisation's information security posture against a defined set of controls, standards, or frameworks. It assesses the policies, procedures, and technical controls in place to protect digital assets, identifies gaps and weaknesses, and produces a prioritised plan for improvement. Unlike a penetration test, which simulates an attack to find exploitable vulnerabilities, a security audit evaluates the broader governance, policy, and control environment - though a comprehensive audit will typically incorporate or recommend technical testing as part of its scope.
Softomate Solutions is a London-based cyber security consultancy that conducts cyber security audits for UK businesses across professional services, financial services, healthcare, technology, and the third sector. Our cyber security consultancy approach combines technical expertise with regulatory knowledge, producing audit findings that are actionable, proportionate, and mapped to the specific regulatory obligations of your sector. For organisations that need ongoing security leadership following an audit, our vulnerability assessment and penetration testing services provide the technical depth to validate and maintain your security controls continuously.
UK businesses need cyber security audits for several reasons. Regulatory frameworks - UK GDPR, FCA operational resilience requirements, SRA standards, NHS data security requirements - mandate regular review of security controls. Clients and partners increasingly require evidence of security posture as a condition of contracts. Cyber insurers use security audits as part of the underwriting process. And independent audit is simply the most reliable way to understand your real security posture, rather than relying on assumptions or vendor marketing about the effectiveness of your controls.
Selecting the right framework for a cyber security audit depends on your sector, regulatory obligations, and the maturity of your existing security programme. The most commonly used frameworks for UK organisations include:
Cyber Essentials is the UK government-backed certification scheme administered by the NCSC. It defines five fundamental security controls - firewalls, secure configuration, user access control, malware protection, and patch management - and certifies that an organisation has implemented them. Cyber Essentials is appropriate as an audit starting point for organisations at the beginning of their security journey, and certification provides a recognised third-party assurance. Cyber Essentials Plus involves hands-on technical testing by an accredited assessor and provides stronger assurance. Many public sector contracts, insurance policies, and client agreements require Cyber Essentials certification as a minimum.
ISO 27001 is an international standard for information security management systems (ISMS). It provides a comprehensive framework covering risk management, security controls, governance, and continuous improvement. ISO 27001 certification requires an independent audit by an accredited certification body and involves ongoing surveillance audits. It is the most widely recognised international information security standard and provides assurance to clients, partners, and regulators globally. For UK organisations seeking to demonstrate security maturity beyond Cyber Essentials, ISO 27001 is the natural next step.
The NCSC's Cyber Assessment Framework is designed for organisations operating critical national infrastructure or delivering important public services. It covers four objectives: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents. The CAF is used by UK regulators including Ofcom, the Civil Aviation Authority, and the FCA as the basis for assessing the security of regulated entities. Organisations in regulated sectors should assess their posture against the CAF even where formal CAF assessment is not mandated.
The NIST Cybersecurity Framework, developed by the US National Institute of Standards and Technology, is widely used internationally and is referenced in the UK as a best practice framework. Its five functions - Identify, Protect, Detect, Respond, Recover - provide a useful structure for organising a security audit and communicating findings to senior management. Version 2.0, published in 2024, added a sixth function (Govern) reflecting the importance of governance and accountability in security programmes.
Effective audit planning determines the quality and usefulness of the output. Key planning decisions include:
The audit scope defines which systems, processes, locations, and business units will be covered. For a first audit, covering the whole organisation is valuable to establish a baseline. For repeat audits, focusing on areas of highest risk or those that have changed significantly since the last audit allows deeper examination. The scope should also define what is excluded and why - ensuring that exclusions do not create material gaps in the assurance picture.
Select the framework or frameworks against which the audit will assess your controls. Where regulatory frameworks apply to your sector, use those as the primary reference. Cyber Essentials is appropriate for most UK SMEs. ISO 27001 Annex A is appropriate for organisations seeking comprehensive coverage. Sector-specific frameworks (FCA operational resilience, NHS Data Security and Protection Toolkit, SRA guidance) should be included where applicable.
Decide whether the audit will be conducted internally, by an external specialist, or by a combination of both. Internal audits provide familiarity with the organisation's context but may lack independence and specialist technical expertise. External audits by firms like Softomate Solutions provide independence, broader benchmarking perspective, and specialist knowledge of current threats, regulatory expectations, and best practice. External audits are typically required for formal certification (ISO 27001, Cyber Essentials Plus) and are often required or preferred by regulators and insurers.
The audit report should be structured to serve different audiences. Executive management needs a summary of key findings, risk ratings, and prioritised remediation actions. Technical teams need detailed findings with specific remediation steps. Regulators may require evidence that the audit was conducted and that findings are being addressed. Agreeing the report format in advance ensures the audit collects the right information to produce the required outputs.
A comprehensive cyber security audit covers the following domains:
Reviewing whether the organisation has a defined information security policy; whether security risk is formally assessed and managed; whether there is clear ownership and accountability for security; whether security is integrated into business processes and decision-making; and whether board and senior management receive appropriate security reporting. Weak governance is frequently the root cause of security failures - technical controls cannot compensate for an organisation that does not understand its risk, or that treats security as an IT concern rather than a business function.
An inventory of assets - hardware, software, data, and cloud services - is a prerequisite for effective security. The audit should assess whether the organisation knows what assets it has, where they are located, who owns them, and what data they process. Without an asset inventory, it is impossible to ensure that security controls are applied consistently or to understand the scope of a security incident.
Reviewing how access to systems and data is granted, maintained, and revoked. Key questions include: Is multi-factor authentication in use for all internet-facing systems? Is access granted on the principle of least privilege? Are access rights reviewed regularly and revoked promptly when employees leave? Are privileged accounts separately managed and monitored? Weaknesses in access control are implicated in the majority of significant breaches.
Assessing how the organisation identifies, prioritises, and remediates software vulnerabilities. The audit should examine the patch management process, average time to patch for critical vulnerabilities, the vulnerability scanning schedule and coverage, and how vulnerabilities in unsupported or legacy software are managed. The NCSC's guidance and Cyber Essentials both specify that critical patches must be applied within 14 days of release.
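The access control and patch management questions above are the kind an auditor answers from exported records rather than interviews. The following is an added example, not code from Softomate Solutions or from any framework: it takes a constructed account export, a constructed HR leavers list and a constructed patch inventory, and produces the evidence an auditor would look for (leaver accounts still enabled, internet-facing accounts without MFA, critical/high patches that missed the 14-day target cited in the text, unsupported hosts, and mean time to patch). Field names and the advisory labels are assumptions.

```python
"""Audit evidence checks over constructed exports: leaver access review,
MFA coverage on internet-facing systems, and patch-SLA compliance.
Added example; all records below are constructed, not real data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_SLA_DAYS = 14  # Cyber Essentials / NCSC figure cited in the text


@dataclass
class Account:
    user: str
    system: str
    internet_facing: bool
    mfa_enabled: bool
    active: bool


@dataclass
class Leaver:
    user: str
    leaving_date: date


@dataclass
class PatchRecord:
    host: str
    advisory: str            # constructed label, not a real CVE identifier
    severity: str            # "critical", "high", "medium" or "low"
    released: date
    applied: Optional[date]  # None means still unpatched
    supported: bool = True   # False means the vendor no longer issues patches


def leaver_accounts_still_active(accounts: List[Account], leavers: List[Leaver],
                                 as_of: date) -> List[Tuple[str, str, int]]:
    """Accounts of people who have left but are still enabled, with days since leaving."""
    leaving = {l.user: l.leaving_date for l in leavers}
    findings = []
    for a in accounts:
        if a.active and a.user in leaving and as_of >= leaving[a.user]:
            findings.append((a.user, a.system, (as_of - leaving[a.user]).days))
    return sorted(findings)


def internet_facing_without_mfa(accounts: List[Account]) -> List[Tuple[str, str]]:
    """Active accounts on internet-facing systems that do not have MFA enabled."""
    return sorted({(a.system, a.user) for a in accounts
                   if a.active and a.internet_facing and not a.mfa_enabled})


def patch_sla_breaches(records: List[PatchRecord], as_of: date,
                       sla_days: int = PATCH_SLA_DAYS) -> List[Tuple[str, str, int, bool]]:
    """Critical/high patches applied after sla_days, or still open beyond sla_days.
    Returns (host, advisory, days elapsed, still_open)."""
    breaches = []
    for r in records:
        if r.severity not in ("critical", "high"):
            continue
        end = r.applied or as_of          # open items are measured up to the audit date
        days = (end - r.released).days
        if days > sla_days:
            breaches.append((r.host, r.advisory, days, r.applied is None))
    return breaches


def unsupported_hosts(records: List[PatchRecord]) -> List[str]:
    """Hosts running software the vendor no longer patches: a finding in its own right."""
    return sorted({r.host for r in records if not r.supported})


def mean_time_to_patch(records: List[PatchRecord],
                       severities=("critical",)) -> Optional[float]:
    """Average days from release to application over patched records of the given severities."""
    days = [(r.applied - r.released).days for r in records
            if r.applied and r.severity in severities]
    return sum(days) / len(days) if days else None


# Constructed sample exports, as an auditor might receive them.
AS_OF = date(2024, 6, 30)
ACCOUNTS = [
    Account("alice", "vpn", True, True, True),
    Account("bob", "vpn", True, False, True),           # internet-facing, no MFA
    Account("carol", "finance-app", False, False, True),
    Account("dave", "m365", True, True, True),          # left but still enabled
    Account("erin", "m365", True, True, False),         # left and correctly disabled
]
LEAVERS = [Leaver("dave", date(2024, 5, 15)), Leaver("erin", date(2024, 4, 1))]
PATCHES = [
    PatchRecord("web-01", "ADV-001", "critical", date(2024, 6, 1), date(2024, 6, 10)),
    PatchRecord("web-02", "ADV-001", "critical", date(2024, 6, 1), date(2024, 6, 25)),
    PatchRecord("db-01", "ADV-002", "high", date(2024, 6, 20), None),
    PatchRecord("legacy-01", "ADV-003", "critical", date(2024, 5, 1), None, supported=False),
    PatchRecord("ws-07", "ADV-004", "medium", date(2024, 5, 1), None),
]


def audit_summary(accounts=ACCOUNTS, leavers=LEAVERS, patches=PATCHES, as_of=AS_OF) -> dict:
    """Collect the evidence for the access control and patch management domains."""
    return {
        "leavers_still_active": leaver_accounts_still_active(accounts, leavers, as_of),
        "no_mfa_internet_facing": internet_facing_without_mfa(accounts),
        "patch_sla_breaches": patch_sla_breaches(patches, as_of),
        "unsupported_hosts": unsupported_hosts(patches),
        "mean_days_to_patch_critical": mean_time_to_patch(patches),
    }


if __name__ == "__main__":
    for key, value in audit_summary().items():
        print(f"{key}: {value}")
```

Open items are measured up to the audit date, so a critical patch that is merely late shows as a breach even before it is applied; that is deliberate, since the audit question is whether the 14-day target is being met, not whether it will eventually be.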
Reviewing the configuration of firewalls, network segmentation, wireless security, and remote access controls. The audit should assess whether internet-facing services are minimised, whether network traffic is monitored for anomalous behaviour, and whether remote access (VPN, RDP, cloud management consoles) is appropriately secured. Many breaches begin with exploitation of internet-facing services or poorly configured remote access.
Assessing whether the organisation has a documented incident response plan, whether it has been tested, and whether the organisation has the detection capability (logging, monitoring, SIEM) to identify incidents promptly. The audit should examine how past incidents have been managed and whether lessons have been incorporated into improved processes. An untested incident response plan is of limited value - organisations discover its gaps at the worst possible moment.
Reviewing backup processes, recovery time objectives, and business continuity plans. The audit should verify that backups are taken regularly, stored securely (including offline or immutable copies for ransomware resilience), tested for recovery, and can restore systems within the organisation's required timeframe. UK GDPR specifically requires the ability to restore personal data after an incident.
Assessing whether employees understand security policies and their individual responsibilities, whether phishing awareness training is conducted regularly, and whether there are clear procedures for reporting incidents and suspicious activity. Human behaviour is a primary attack vector - security awareness training reduces the probability that technical attacks will succeed and increases the speed of detection when they do.
Reviewing how supplier security is assessed, what contractual security obligations suppliers are subject to, and how supplier access to systems and data is controlled. As discussed in the supply chain attack context, third-party risk is one of the most significant and frequently underestimated components of an organisation's overall security posture.
A comprehensive security audit will identify multiple findings across different domains and severity levels. Prioritising remediation is essential - attempting to fix everything simultaneously is rarely practical, and organisations need to direct resources where they will have the greatest security impact.
A risk-based prioritisation approach considers:
The standard output of a Softomate Solutions cyber security audit is a risk register of findings prioritised by a combination of these factors, with a remediation plan that distinguishes quick wins (typically achievable within 30 days), medium-term improvements (30 to 90 days), and strategic initiatives (90 days or longer). This structure enables organisations to demonstrate immediate progress on the highest-risk findings while managing the longer-term improvement programme systematically.
Annual cyber security audits are standard practice for most UK organisations, with the timing aligned to the annual review of the information security policy and risk register. More frequent audits may be warranted following significant changes to the organisation's technology environment, following a security incident, when entering a new regulatory environment, or when preparing for a major client or partner security assessment.
Between annual audits, continuous monitoring and periodic vulnerability scanning maintain visibility of the security posture. The combination of annual comprehensive audit and continuous technical monitoring provides the most complete and current picture of organisational security health. ISO 27001 certification requires annual internal audits and periodic external surveillance audits as part of the ongoing certification cycle.
The NCSC recommends that organisations treat cyber security as an ongoing discipline rather than an annual compliance exercise. Security posture degrades continuously as new threats emerge, software becomes outdated, staff join and leave, and technology changes. An annual audit that is filed and forgotten achieves little; an audit that drives a continuous improvement programme achieves sustained security improvement.
A cyber security audit is a broad assessment of an organisation's security governance, policies, and controls, evaluating whether the right measures are in place and operating effectively. A penetration test is a targeted technical exercise in which security professionals actively attempt to exploit vulnerabilities in specific systems, simulating what a real attacker would do. Audits assess the landscape; penetration tests probe specific attack surfaces. Both are valuable and complementary - audits identify gaps in governance and control coverage; penetration tests validate whether technical controls actually work under attack conditions. A comprehensive security programme includes both.
The duration of a cyber security audit depends on the scope, the size of the organisation, and the depth of assessment. A Cyber Essentials self-assessment can be completed in a few days. A comprehensive ISO 27001-aligned audit of a mid-sized organisation typically takes two to four weeks, including documentation review, interviews with key personnel, and technical testing of controls. The audit report and remediation planning require an additional week or two. Internal audits are often more efficient but may lack the depth and benchmarking perspective of an external audit. Planning a full annual audit over a six-week engagement from scoping to report delivery is a reasonable expectation for most UK SMEs.
Self-assessment against Cyber Essentials provides a useful internal benchmark but does not carry the assurance of certification. Cyber Essentials certification (which involves a verified self-assessment questionnaire reviewed by an accredited certification body) or Cyber Essentials Plus (which adds hands-on technical testing) provides recognised third-party assurance that you have met the required controls. Certification is mandatory for UK government contracts above a certain value and is increasingly required by insurance companies, major enterprise clients, and public sector frameworks. If you need to demonstrate your security posture to external parties, certification is significantly more credible than self-assessment alone.
Audit findings should be assigned to owners, prioritised by risk, and tracked through a remediation plan with defined timelines and accountability. The board or senior management should receive a summary of findings and the remediation plan, and should receive regular updates on progress. Findings should be reviewed at the next audit to verify that remediation has been completed and controls are operating effectively. Audit findings that are accepted rather than remediated (because the risk is deemed acceptable or remediation is impractical) should be formally documented with a clear rationale and reviewed regularly. Never file an audit report without actioning the findings - regulators and insurers will want to see evidence that findings were addressed.
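The remediation plan structure described earlier (quick wins within 30 days, medium-term improvements within 90, strategic initiatives beyond that) and the tracking discipline in the paragraph above (owners, risk priority, timelines, documented accepted risks reviewed regularly) can be kept honest with a small tracker. The following is an added example, not Softomate Solutions' own tooling: it holds constructed findings, groups open ones into the three buckets ordered by risk, reports overdue items by owner, flags accepted risks that lack a rationale or have not been reviewed recently, and produces the counts a board summary needs. The 90-day review interval for accepted risks and the finding references are assumptions.

```python
"""Remediation tracker for audit findings. Added example; the findings
below are constructed and the review interval is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

RISK_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    ref: str
    title: str
    risk: str                  # "critical", "high", "medium" or "low"
    owner: str
    raised: date               # date of the audit that raised it
    target_days: int           # agreed remediation timeframe
    status: str = "open"       # "open", "closed" or "accepted"
    closed_on: Optional[date] = None
    accepted_rationale: str = ""
    last_reviewed: Optional[date] = None

    @property
    def due(self) -> date:
        return self.raised + timedelta(days=self.target_days)


def bucket(f: Finding) -> str:
    """Map an agreed timeframe onto the plan's three buckets."""
    if f.target_days <= 30:
        return "quick win"
    if f.target_days <= 90:
        return "medium term"
    return "strategic"


def remediation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Open findings per bucket, each bucket ordered by risk then by age."""
    plan: Dict[str, List[str]] = {"quick win": [], "medium term": [], "strategic": []}
    for f in sorted(findings, key=lambda x: (RISK_ORDER[x.risk], x.raised)):
        if f.status == "open":
            plan[bucket(f)].append(f.ref)
    return plan


def overdue(findings: List[Finding], as_of: date) -> List[Tuple[str, str, int]]:
    """Open findings past their due date: (ref, owner, days overdue)."""
    return [(f.ref, f.owner, (as_of - f.due).days)
            for f in findings if f.status == "open" and as_of > f.due]


def accepted_risks_needing_review(findings: List[Finding], as_of: date,
                                  review_days: int = 90) -> List[Tuple[str, str]]:
    """Accepted findings with no documented rationale, or not reviewed within review_days."""
    out = []
    for f in findings:
        if f.status != "accepted":
            continue
        if not f.accepted_rationale.strip():
            out.append((f.ref, "no documented rationale"))
        elif f.last_reviewed is None or (as_of - f.last_reviewed).days > review_days:
            out.append((f.ref, "review overdue"))
    return out


def board_summary(findings: List[Finding], as_of: date) -> dict:
    """Headline counts for the senior management update."""
    open_items = [f for f in findings if f.status == "open"]
    by_risk: Dict[str, int] = {}
    for f in open_items:
        by_risk[f.risk] = by_risk.get(f.risk, 0) + 1
    return {
        "open": len(open_items),
        "closed": sum(f.status == "closed" for f in findings),
        "accepted": sum(f.status == "accepted" for f in findings),
        "overdue": len(overdue(findings, as_of)),
        "open_by_risk": by_risk,
    }


# Constructed register from a notional audit dated 30 June 2024.
AUDIT_DATE = date(2024, 6, 30)
FINDINGS = [
    Finding("F1", "MFA not enforced on VPN", "critical", "IT Manager", AUDIT_DATE, 30),
    Finding("F2", "Critical patches exceed 14-day target", "high", "IT Manager", AUDIT_DATE, 90),
    Finding("F3", "Flat network, no segmentation", "medium", "Head of IT", AUDIT_DATE, 180),
    Finding("F4", "Leaver accounts not disabled promptly", "high", "HR Director", AUDIT_DATE, 30,
            status="closed", closed_on=date(2024, 7, 15)),
    Finding("F5", "Unsupported legacy host", "low", "Head of IT", AUDIT_DATE, 90,
            status="accepted", accepted_rationale="Isolated VLAN; decommission planned",
            last_reviewed=date(2024, 7, 1)),
    Finding("F6", "No phishing simulation programme", "medium", "COO", AUDIT_DATE, 90,
            status="accepted"),  # accepted with no rationale recorded
    Finding("F7", "Backups not restore-tested", "medium", "IT Manager", AUDIT_DATE, 60),
]


if __name__ == "__main__":
    today = date(2024, 9, 30)
    print("plan:", remediation_plan(FINDINGS))
    print("overdue:", overdue(FINDINGS, today))
    print("accepted risks to review:", accepted_risks_needing_review(FINDINGS, today))
    print("board summary:", board_summary(FINDINGS, today))
```

Accepted risks are treated as findings with their own review cycle rather than as closed items, which is what lets the tracker surface an acceptance that was never justified or has quietly gone stale before the next audit asks for it.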
The ICO expects organisations to maintain records of security assessments, including the date and scope of assessments, the findings, and the remediation actions taken. Audit reports, risk registers, and remediation tracking documentation are the primary evidence. External audit reports carry more weight than internal self-assessments because they provide independent verification. Cyber Essentials or ISO 27001 certification provides strong third-party attestation. When responding to an ICO investigation, organisations that can produce a clear timeline of security assessments and evidence of systematic remediation are significantly better positioned than those that cannot demonstrate a structured security programme.
Reputable cyber security auditors hold qualifications from recognised bodies. For governance and management audits, look for CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), or ISO 27001 Lead Auditor certification. For technical assessments and penetration testing, CHECK Team Leader or Team Member status (accredited by NCSC) and CREST certification are the UK standards. For Cyber Essentials assessments, auditors must be accredited by a Cyber Essentials certifying body approved by the NCSC. Always verify that the firm and individual auditors hold current, relevant credentials before commissioning a security audit.
No, but they overlap significantly. A data protection audit focuses on compliance with UK GDPR and the Data Protection Act 2018, assessing lawful bases for processing, data subject rights procedures, privacy notices, data retention, and the governance of personal data. A cyber security audit focuses on the technical and organisational controls that protect systems and data from unauthorised access, loss, or damage. The two audits share the domain of data security - both will examine access controls, encryption, and incident response as they relate to personal data. Running both in tandem is the most efficient approach, and Softomate Solutions often conducts combined cyber security and data protection assessments for UK clients.