
A cyber security audit is a structured review that measures your security posture against a recognised framework, usually the National Cyber Security Centre's Cyber Essentials, and produces a prioritised list of fixes. For a UK SME the process has six stages: define the scope and asset inventory, identify threats and vulnerabilities, evaluate your existing controls, score and prioritise the gaps, document a formal risk assessment, then remediate and re-test. A basic internal audit costs nothing but staff time. A formal external audit or Cyber Essentials Plus assessment typically runs £1,399 to £8,000 plus VAT. The Cyber Security Breaches Survey 2025 found 43% of UK businesses suffered a breach or attack in the previous 12 months, and Cyber Essentials controls stop roughly 80% of common attacks. Most businesses should audit at least annually; finance and healthcare every six months. This guide walks through every stage with a copy-paste checklist.
Last updated: June 2026
A cyber security audit is a systematic, evidence-based review of how well your organisation protects its data, systems and people against attack, measured against a defined standard rather than against gut feeling. The word "audit" matters. An assessment gives you a general health check; an audit checks specific controls against specific criteria and records pass or fail for each. That distinction is the whole point: an audit produces accountability and a paper trail, not just a worried conversation in a meeting room.
The case for doing one in 2026 is no longer theoretical. The government's Cyber Security Breaches Survey 2025 found that 43% of all UK businesses, and 30% of charities, experienced a breach or attack in the preceding 12 months. Among smaller firms the picture is sharper still: 50% of small businesses and 41% of micro businesses were hit. That works out to roughly 612,000 UK businesses dealing with an incident in a single year. The average cost of the most disruptive breach across all businesses was around £1,600, rising to about £3,550 once you strip out the zero-cost incidents, and the cost of the most serious breaches climbed roughly 19% year on year. Phishing remains the dominant vector by a wide margin.
Our view, after a decade building and securing systems for UK companies, is blunt: most small businesses are not breached because attackers are clever, they are breached because nobody ever checked the basics. An unpatched router, a shared admin password, a former employee's account still active, an old WordPress plugin. An audit exists to find those things before a criminal does.
There are three practical reasons the audit has moved from "nice to have" to "expected":
Put simply, an audit converts a vague sense of risk into a costed, prioritised, defensible plan. It is the difference between hoping you are secure and being able to show it.
Run an internal audit first to fix the obvious gaps cheaply, then bring in an external auditor when you need independent assurance, a certificate, or a sign-off that satisfies a client, insurer or regulator. The two are not rivals; they are stages. The honest rule is this: internal audits find the problems you already half-suspect, external audits find the problems you are blind to, and only an external audit carries weight with third parties because it is independent.
An internal audit is run by your own staff, an IT lead, an office manager, or a security-minded director, using a published checklist such as the Cyber Essentials self-assessment questionnaire. It costs nothing but time and is ideal for catching the unforced errors: missing multi-factor authentication, devices without disk encryption, software well past its patch window. The weakness is obvious. People rarely audit their own work objectively, and an internal reviewer may not know what a determined attacker would actually try.
An external audit is performed by a qualified third party, ranging from a Cyber Essentials certification body to a penetration testing firm or a CREST-accredited consultancy. It gives you independence, specialist tooling, and a credential you can show others. The trade-off is cost and the need to prepare your documentation in advance so you are not paying expert day rates for them to chase your asset list.
Use the matrix below to decide which fits your situation right now.
| Factor | Internal audit | External audit |
|---|---|---|
| Typical cost | £0 (staff time only) | £500 to £8,000+ VAT depending on scope |
| Independence | Low, conflict of interest | High, defensible to third parties |
| Best for | Quarterly hygiene checks, fixing the basics | Certification, tenders, insurance, post-incident assurance |
| Expertise needed | Moderate, follow a checklist | Specialist, often CREST or IASME assessors |
| Produces a certificate | No | Yes (Cyber Essentials, ISO 27001, etc.) |
| Catches sophisticated threats | Rarely | Yes, especially with penetration testing |
| Recommended frequency | Every 3 to 6 months | Annually, or before a contract requirement |
Be sceptical if a provider tells you a single penetration test makes you "secure". A pen test is a snapshot of one moment against one configuration. Real assurance comes from the cycle: internal hygiene checks running continuously, an external audit confirming it annually, and remediation closing the gaps in between. If your operations involve custom internal tools or a bespoke platform, an audit should also cover that codebase, which is where teams building secure web applications in London add value beyond a checklist tick.
A cyber security audit follows six repeatable steps: define the scope and inventory your assets, identify threats and vulnerabilities, evaluate your existing controls, score and prioritise the gaps, document a formal risk assessment, then remediate and re-test. Skipping the early steps is the most common mistake. Teams jump straight to "scan for vulnerabilities" without knowing what they own, then miss the home-worker laptop or the cloud storage bucket nobody remembered. Scope first, always.
Here is each step in practical detail.
The checklist below is the working document we hand clients to run their own first-pass internal audit. Copy it, mark each row, and you have a defensible starting point.
| Audit area | Question to answer | Status |
|---|---|---|
| Asset inventory | Is every device, account and cloud service listed and owned? | Yes / Partial / No |
| Multi-factor auth | Is MFA enforced on email, cloud and admin accounts? | Yes / Partial / No |
| Patching | Are OS and apps patched within 14 days of release? | Yes / Partial / No |
| Access control | Are admin rights restricted and leavers' accounts disabled? | Yes / Partial / No |
| Backups | Are backups automated, offsite and tested for restore? | Yes / Partial / No |
| Malware protection | Is endpoint protection installed, current and centrally managed? | Yes / Partial / No |
| Firewalls | Are boundary and host firewalls enabled and configured? | Yes / Partial / No |
| Staff awareness | Have staff had phishing and password training in 12 months? | Yes / Partial / No |
| Incident plan | Is there a written, tested incident response plan? | Yes / Partial / No |
| Data mapping | Do you know what personal data you hold and where? | Yes / Partial / No |
Any row marked "No" on a system holding personal or financial data is your first remediation target. If many rows are "Partial", you have a documentation problem as much as a security one, and that is where automating evidence collection through your business process automation can keep an audit current rather than a once-a-year scramble.
The five Cyber Essentials technical controls are firewalls, secure configuration, user access control, malware protection and security update management, and together they are the backbone every UK audit should measure against because they stop roughly 80% of common internet-based attacks. Cyber Essentials is the National Cyber Security Centre's government-backed baseline, administered by IASME. It is deliberately not exhaustive; it targets the controls that block the attacks that actually happen to small businesses, not the exotic ones that make headlines.
The single most important thing to understand about Cyber Essentials is that there are no partial passes. Every control is assessed against every in-scope device, and any single "No" is a fail. That sounds harsh, but it is the point: an attacker only needs one unpatched laptop or one missing firewall to get in, so the standard refuses to average your way to a pass.
Here is what each control demands and how to audit it.
| Control | What it requires | How to audit it |
|---|---|---|
| Firewalls | Boundary and software firewalls enabled on every device, including home-worker routers | Confirm firewalls active, default admin passwords changed, no unnecessary open ports |
| Secure configuration | Remove or disable unused software, accounts and default settings | Audit each device for default passwords, unused apps and unnecessary user accounts |
| User access control | Least-privilege access, unique accounts, MFA, prompt removal of leavers | Review admin rights, check MFA coverage, verify leaver process works |
| Malware protection | Anti-malware, application allow-listing or sandboxing on all devices | Confirm endpoint protection installed, updating and centrally visible |
| Security update management | Apply critical and high-severity patches within 14 days | Check patch status of OS, browsers, plugins; flag end-of-life software |
The 14-day patching window catches more businesses out than any other requirement. It applies to operating systems, applications, browsers, and crucially the third-party plugins and frameworks on your website. End-of-life software that no longer receives updates is an automatic fail; if you are still running an unsupported Windows version or an abandoned CMS plugin, that is your priority remediation.
Our honest stance: even if you never intend to certify, audit against these five controls anyway. They are free to use as a yardstick, they are tuned to the real UK threat landscape, and a clean pass against them genuinely removes the vast majority of your risk. Certification then turns that work into a credential and brings a useful perk: firms with a turnover under £20m that certify get up to £25,000 of free cyber insurance bundled with the certificate.
Audit against Cyber Essentials as your baseline, add ISO 27001 if you need a comprehensive management system for larger clients, map your data handling to UK GDPR in every case, and layer NIS Regulations, FCA rules or DORA only if your sector requires them. Choosing the right framework is about matching effort to obligation. A five-person consultancy does not need ISO 27001; a fintech handling payments cannot ignore FCA expectations. The mistake is either over-engineering, drowning a small firm in an enterprise standard, or under-doing it and failing a tender because you only ever did the bare minimum.
The honest hierarchy for most UK SMEs is: do Cyber Essentials first because it is cheap, fast and stops most attacks; treat UK GDPR compliance as non-negotiable because it is the law; and only reach for ISO 27001 when a client, investor or regulator explicitly asks for it. Adding frameworks you do not need buys you cost and bureaucracy, not security.
| Standard | Who needs it | Scope | Effort |
|---|---|---|---|
| Cyber Essentials | Almost every UK business | Five technical controls | Low, days to weeks |
| Cyber Essentials Plus | Firms needing verified assurance or higher-value tenders | Same controls, independently tested | Medium |
| ISO 27001 | Larger firms, those serving enterprise or international clients | Full information security management system | High, months |
| UK GDPR | Anyone handling personal data (all of you) | Lawful, secure data processing | Ongoing |
| NIS Regulations | Essential services and digital service providers | Operational resilience of critical services | High |
| FCA / DORA | Financial services and their critical IT suppliers | Operational and digital resilience | High |
UK GDPR deserves a special note because it threads through everything. The ICO does not prescribe a single checklist; it expects "appropriate technical and organisational measures", and a documented audit is your best evidence that you met that bar. When you map data flows during the audit, you are simultaneously building your record of processing activities, so the work pays off twice. For regulated sectors, the resilience rules under DORA from 2025 push security obligations down to third-party IT providers, which means your software and automation suppliers now sit inside your audit scope, not outside it. If you run bespoke client systems or a custom CRM, that platform must be auditable too, not a black box.
Audit at least annually as a baseline, move to every six months for finance, healthcare and high-risk sectors, run quarterly internal hygiene checks regardless, and re-audit immediately after any significant change or incident. Annual is the floor, not the target. Threats evolve weekly, your systems change monthly, and a certificate from twelve months ago tells an attacker nothing about today. The right cadence layers a cheap continuous check on top of a thorough periodic one.
Frequency should track risk. The more sensitive your data and the more regulated your sector, the shorter the gap between full audits. Cyber Essentials certification itself is valid for twelve months and must be renewed annually, which sets a natural rhythm for most businesses.
| Business type | Full audit frequency | Internal check frequency |
|---|---|---|
| Low-risk micro business | Annually | Every 6 months |
| General SME | Annually | Quarterly |
| Finance, legal, healthcare | Every 6 months | Quarterly or monthly |
| After a breach or major change | Immediately | Immediately |
On cost, here is the realistic 2026 picture. A self-assessed internal audit using the published checklist is free beyond staff time. Cyber Essentials Basic certification is tiered by headcount and costs from £320 plus VAT for a micro business up to around £440 plus VAT for a 10 to 49 staff band, with larger organisations paying more. Cyber Essentials Plus, which includes an independent technical assessment, ranges from roughly £1,399 to £8,000 plus VAT depending on the number of devices and locations. Consultant support to prepare your evidence and walk you through the process typically adds £500 to £2,500 plus VAT.
| Service | Typical 2026 cost (ex VAT) | What you get |
|---|---|---|
| Internal self-assessment | £0 | Checklist-based review, no certificate |
| Cyber Essentials Basic | £320 to £600+ | Self-assessed, verified certificate, 12 months |
| Consultant support | £500 to £2,500 | Evidence prep and guided submission |
| Cyber Essentials Plus | £1,399 to £8,000 | Independent technical audit and certificate |
| ISO 27001 implementation | £10,000 to £40,000+ | Full management system and external certification |
Set against an average breach cost of £1,600, rising sharply for serious incidents, the maths is uncomfortable to ignore. A few hundred pounds of certification and a day of internal review buys protection against an event that the survey data says hits roughly half of small businesses every year. That is not fear-selling, it is arithmetic.
Turn findings into a remediation plan by ranking every gap on a likelihood-and-impact scale, assigning each a named owner and a deadline, fixing the critical items first, re-testing each fix, and recording residual risk in a living register that you review monthly. An audit that ends with a PDF of problems and no action is worse than no audit, because you now have documented evidence that you knew about a flaw and did nothing. The plan is where the value lives.
Prioritisation is the skill. Not every finding is urgent, and treating them all as equal guarantees the genuinely dangerous gaps wait behind cosmetic ones. We rank using a simple two-axis model: how likely is this to be exploited, and how badly would it hurt if it were. A critical, internet-facing, easily-exploited vulnerability on a system holding customer data is a "fix this week" item. A low-impact internal misconfiguration is a "schedule it" item.
| Priority | Example finding | Target fix time |
|---|---|---|
| Critical | No MFA on admin email; unpatched internet-facing server | Within 7 days |
| High | End-of-life software; leaver accounts still active | Within 30 days |
| Medium | Backups not tested; inconsistent patching | Within 90 days |
| Low | Minor configuration tidy-ups; documentation gaps | Next audit cycle |
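The two-axis model above, and the checklist rule that a "No" on a system holding personal or financial data is the first remediation target, can be turned into a small risk register. The code below is an added example, not Softomate's tooling: the 1 to 5 scales, the score thresholds for each band, the one-band uplift for personal-data systems, and the 180-day stand-in for "next audit cycle" are all assumptions chosen for the illustration; the target fix windows themselves are the ones in the table.

```python
"""Risk register builder: scores audit findings on likelihood x impact,
assigns a priority band, owner and deadline, and records residual risk
after re-test. Added example; scales and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Target fix windows from the priority table above.
# "Next audit cycle" for Low is modelled as 180 days (assumption).
FIX_WINDOW_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
BANDS = ["Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    title: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                     # 1 (negligible) .. 5 (severe), assumed scale
    owner: str
    holds_personal_data: bool = False
    residual_likelihood: Optional[int] = None   # set only after a re-test
    residual_impact: Optional[int] = None


def score(likelihood: int, impact: int) -> int:
    """Two-axis score: likelihood multiplied by impact, range 1..25."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def band(finding: Finding) -> str:
    """Map a score to a band (thresholds assumed). A finding on a system
    holding personal or financial data is lifted one band so it lands at
    the front of the queue, as the checklist rule asks."""
    s = score(finding.likelihood, finding.impact)
    if s >= 15:
        b = "Critical"
    elif s >= 9:
        b = "High"
    elif s >= 4:
        b = "Medium"
    else:
        b = "Low"
    if finding.holds_personal_data and b != "Critical":
        b = BANDS[BANDS.index(b) + 1]
    return b


def build_register(findings, audit_date: date) -> list:
    """Register sorted most urgent first, each row with owner, deadline and
    residual score (None until the fix has been re-tested)."""
    rows = []
    for f in findings:
        b = band(f)
        residual = None
        if f.residual_likelihood is not None and f.residual_impact is not None:
            residual = score(f.residual_likelihood, f.residual_impact)
        rows.append({
            "title": f.title,
            "owner": f.owner,
            "score": score(f.likelihood, f.impact),
            "priority": b,
            "deadline": audit_date + timedelta(days=FIX_WINDOW_DAYS[b]),
            "residual": residual,
        })
    rows.sort(key=lambda r: (-BANDS.index(r["priority"]), -r["score"]))
    return rows


def overdue(register, today: date) -> list:
    """Titles of items not yet re-tested whose deadline has passed."""
    return [r["title"] for r in register
            if r["residual"] is None and today > r["deadline"]]


# Constructed sample findings mirroring the example table above.
AUDIT_DATE = date(2026, 6, 1)
REVIEW_DATE = date(2026, 6, 10)     # monthly register review (constructed)
SAMPLE_FINDINGS = [
    Finding("No MFA on admin email", 5, 5, "IT lead", holds_personal_data=True),
    Finding("Unpatched internet-facing server", 4, 4, "IT lead"),
    Finding("Leaver accounts still active", 3, 3, "Office manager",
            holds_personal_data=True),
    Finding("Backups not restore-tested", 2, 4, "IT lead"),
    Finding("Outdated wiki documentation", 1, 2, "Director",
            residual_likelihood=1, residual_impact=1),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_FINDINGS, AUDIT_DATE)
    for r in register:
        print(f"{r['priority']:<8} {r['deadline']}  {r['owner']:<15} {r['title']}")
    print("Overdue at review:", overdue(register, REVIEW_DATE))
```

Run as a script to see the ranked register; the `overdue` check is what a monthly review would start from, since an item with no residual score is one that has not been re-tested.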
Two parts of remediation get neglected and both matter enormously. The first is staff awareness. Phishing is the leading attack vector in the breaches survey, and no firewall stops an employee who clicks a convincing link and types in their password. Short, regular training and simulated phishing exercises do more for most small businesses than any single piece of software. The second is an incident response plan. Decide now, in calm conditions, who you call, how you isolate affected systems, who notifies the ICO (you have 72 hours to report a qualifying personal data breach), and how you communicate with customers. Rehearse it once and it stops being theory.
The smartest move is to make remediation continuous rather than annual. Automated patch deployment, automated alerts when a control drifts, automated offboarding that disables a leaver's accounts the moment HR marks them as departed: these remove the human forgetfulness that causes most failures. This is exactly where security and AI automation overlap, turning a once-a-year panic into a quietly self-maintaining posture.
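The continuous checks just described, and the checklist rows on MFA, leavers and the 14-day patch window, can be expressed as a short script run over the exports a small business can usually pull from HR, its directory and its patch tool. This is an added example, not Softomate's tooling: the three export formats, the sample users and devices, and the severity labels (aligned with the priority table above) are constructed for the illustration, and the offboarding step only updates an in-memory copy where a real deployment would call the identity provider.

```python
"""Control-drift check: flags leaver accounts still enabled, admin accounts
without MFA, devices past the 14-day patch window and end-of-life software,
then simulates automated offboarding. Added example; all data is constructed."""
from datetime import date

PATCH_WINDOW_DAYS = 14          # Cyber Essentials security update window
CHECK_DATE = date(2026, 6, 10)  # constructed "today" for the sample run

# Constructed sample exports (not real people or machines).
HR_LEAVERS = [
    {"user": "j.smith", "left": date(2026, 5, 20)},
    {"user": "a.khan", "left": date(2026, 6, 3)},
]
DIRECTORY_ACCOUNTS = [
    {"user": "j.smith", "enabled": True, "admin": False, "mfa": True},
    {"user": "a.khan", "enabled": False, "admin": False, "mfa": True},
    {"user": "it.admin", "enabled": True, "admin": True, "mfa": False},
    {"user": "d.yadav", "enabled": True, "admin": True, "mfa": True},
]
DEVICES = [
    # oldest_unapplied_patch: release date of the oldest critical/high patch
    # not yet installed, or None when the device is fully patched.
    {"name": "LAPTOP-01", "software": "Windows 11", "supported": True,
     "oldest_unapplied_patch": None},
    {"name": "LAPTOP-02", "software": "Windows 11", "supported": True,
     "oldest_unapplied_patch": date(2026, 5, 15)},
    {"name": "WEB-01", "software": "Windows 7", "supported": False,
     "oldest_unapplied_patch": None},
    {"name": "HOME-PC-03", "software": "macOS 15", "supported": True,
     "oldest_unapplied_patch": date(2026, 6, 1)},
]


def check_leavers(leavers, accounts, today):
    """Leavers whose directory account is still enabled."""
    enabled = {a["user"] for a in accounts if a["enabled"]}
    return [{"control": "User access control", "severity": "High",
             "detail": f"{l['user']} left {(today - l['left']).days} days ago "
                       "but account is still enabled"}
            for l in leavers if l["user"] in enabled]


def check_admin_mfa(accounts):
    """Enabled admin accounts without MFA (Critical in the table above)."""
    return [{"control": "User access control", "severity": "Critical",
             "detail": f"admin account {a['user']} has no MFA"}
            for a in accounts if a["enabled"] and a["admin"] and not a["mfa"]]


def check_patching(devices, today):
    """End-of-life software and patches outstanding beyond the 14-day window."""
    findings = []
    for d in devices:
        if not d["supported"]:
            findings.append({"control": "Security update management",
                             "severity": "High",
                             "detail": f"{d['name']} runs end-of-life {d['software']}"})
        elif d["oldest_unapplied_patch"] is not None:
            age = (today - d["oldest_unapplied_patch"]).days
            if age > PATCH_WINDOW_DAYS:
                findings.append({"control": "Security update management",
                                 "severity": "Medium",
                                 "detail": f"{d['name']} has a critical patch "
                                           f"outstanding for {age} days "
                                           f"(limit {PATCH_WINDOW_DAYS})"})
    return findings


def run_checks(today, leavers=HR_LEAVERS, accounts=DIRECTORY_ACCOUNTS,
               devices=DEVICES):
    """All drift checks in one pass; an empty list means no drift detected."""
    return (check_leavers(leavers, accounts, today)
            + check_admin_mfa(accounts)
            + check_patching(devices, today))


def auto_offboard(leavers, accounts):
    """Simulated automated offboarding: a copy of the directory with every
    HR leaver disabled. Assumption: a real version calls the IdP API."""
    names = {l["user"] for l in leavers}
    return [dict(a, enabled=False) if a["user"] in names else dict(a)
            for a in accounts]


if __name__ == "__main__":
    for f in run_checks(CHECK_DATE):
        print(f"[{f['severity']:<8}] {f['control']}: {f['detail']}")
    fixed = auto_offboard(HR_LEAVERS, DIRECTORY_ACCOUNTS)
    print("Leaver drift after offboarding:", check_leavers(HR_LEAVERS, fixed, CHECK_DATE))
```

Scheduling `run_checks` daily and alerting on a non-empty result is the "automated alert when a control drifts" pattern; re-running the same check after `auto_offboard` is the re-test step, which should come back empty for that control.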
Softomate runs a five-stage audit and remediation engagement that takes most SMEs from first call to a certifiable, documented security posture in four to eight weeks, on a fixed quote agreed before any work starts, with prices beginning at £2,500 plus VAT for a scoped internal audit. We are a London-based software and automation agency in Stanmore (HA7), and our angle is different from a pure pen-test firm: we do not just hand you a list of problems, we build the automation that keeps the fixes in place. The honest promise is no open-ended day rates and no surprise invoices; the scope and the price are fixed up front.
Here is how an engagement runs.
| Stage | Typical duration | Output |
|---|---|---|
| 1. Discovery and scoping | 3 to 5 days | Asset map and fixed quote |
| 2. Audit and risk assessment | 1 to 2 weeks | Scored risk register |
| 3. Remediation plan | 3 to 5 days | Prioritised action plan |
| 4. Implementation and automation | 1 to 3 weeks | Closed gaps, automated controls |
| 5. Re-test, certify and monitor | 1 week | Verified posture, certification support |
Indicative pricing: a scoped internal audit and risk assessment starts at £2,500 plus VAT; a full audit with remediation and Cyber Essentials support typically runs £2,500 to £6,000 plus VAT depending on size and complexity; ongoing automated monitoring and patch management is available on a monthly retainer. Because we build software, the automation work, from GoHighLevel automation for client communications to bespoke offboarding workflows, is delivered by the same team that found the gaps, so nothing falls between consultant and developer. If you want to discuss scope, our contact page is the fastest route to a no-obligation scoping call.
An internal self-assessment costs nothing beyond staff time. Cyber Essentials Basic certification runs £320 to £600 plus VAT, Cyber Essentials Plus £1,399 to £8,000 plus VAT, and consultant support adds £500 to £2,500 plus VAT. A full external audit with remediation typically costs £2,500 to £6,000 plus VAT for an SME.
At least once a year as a minimum, with quarterly internal hygiene checks in between. Finance, legal and healthcare firms should run a full audit every six months. You should also audit immediately after any significant system change, a breach, or onboarding a major new client with security requirements.
Yes, for a first-pass internal audit. Use the NCSC Cyber Essentials self-assessment questionnaire and a structured checklist to catch the obvious gaps such as missing MFA, unpatched software and active leaver accounts. For certification, insurance evidence or independent assurance you will need an external, accredited auditor.
An audit reviews your controls, policies and documentation against a framework and produces a prioritised risk register. A penetration test actively attempts to exploit your systems to prove what an attacker could achieve. They are complementary: the audit tells you what should be in place, the pen test confirms whether it actually holds.
Firewalls, secure configuration, user access control, malware protection, and security update management. Together they block around 80% of common internet-based attacks. Cyber Essentials has no partial passes, so any single failing control across any in-scope device fails the whole assessment, which is why thorough auditing matters.
It is not a general legal requirement, but it is mandatory for many central government contracts that handle personal or sensitive data, and is increasingly required in private-sector supply chains and by insurers. UK GDPR separately requires appropriate security measures, and Cyber Essentials is strong evidence you have met that obligation.
A small business internal audit can be completed in a day or two. A full external audit with discovery, risk assessment, remediation and certification support typically runs four to eight weeks. Cyber Essentials Plus on-site testing itself is usually completed within one to two days once your evidence is ready.
You receive a report listing the failing controls. There are no partial passes, so any single failure means the certificate is not issued until you remediate. Most certification bodies allow you to fix the gaps and resubmit, often within a grace period, without paying the full fee again.
Yes. Cyber Essentials explicitly brings home-worker routers and any device that accesses company data into scope. That includes personal laptops and phones used for work. A common audit failure is forgetting remote and hybrid staff, so your asset inventory must capture every device that touches business systems.
If a personal data breach poses a risk to individuals' rights and freedoms, you must report it to the Information Commissioner's Office within 72 hours of becoming aware of it. High-risk breaches also require you to inform affected individuals. Your incident response plan should set out exactly who handles this notification.
A cyber security audit is not a one-off project; it is a cycle: scope your assets, identify threats, evaluate controls against the five Cyber Essentials baselines, prioritise gaps by likelihood and impact, document the risk, then remediate and re-test. With 43% of UK businesses breached last year and average serious-incident costs climbing 19%, the case for at least an annual audit, backed by quarterly internal checks, is now plainly commercial as much as technical. Start free with an internal self-assessment, certify with Cyber Essentials from £320 plus VAT to unlock up to £25,000 of free cyber insurance, and step up to Cyber Essentials Plus or ISO 27001 only when a client, insurer or regulator demands it. The businesses that fare best are not the ones with the biggest security budget; they are the ones who turned the audit findings into automated, self-maintaining controls and kept the cycle running.
Ready to move from worrying about your security posture to documenting it? Explore our business process automation services in London to see how we turn audit findings into controls that maintain themselves, or book a no-obligation scoping call.
Written by Deen Dayal Yadav, Founder of Softomate Solutions, a London-based software development and AI automation agency in Stanmore (HA7). With over 12 years building software, CRM and automation systems for UK businesses, he has helped SMEs secure their platforms, pass Cyber Essentials and automate the controls that keep them compliant. Softomate Solutions is a registered company at Companies House. Learn more on our about page.