The document outlines a cybersecurity audit checklist designed for organizations to validate their security policies and ensure compliance with regulations. It covers security responsibilities across different entities including management, employees, IT staff, and physical security measures. The checklist aims to enhance security by identifying potential threats and encouraging best practices for information, network, and data security.

1. Copyright EC-Council 2020. All Rights Reserved.​
Cybersecurity Audit

2. What Is Cybersecurity Audit
Cybersecurity audits act as a checklist that organizations can use to
validate their security policies and procedures. Organizations that
conduct an audit will be able to assess whether or not they have the
proper security mechanisms in place while also making sure they are in
compliance with relevant regulations.

3. Best Practices Around
Cybersecurity Audit
Outline the
structure of
security teams,
personnel,
and their
responsibilities.
Review your
information
security policy.
Have
centralized
cybersecurity
policies.
Detail your
network
structure.
Review the
relevant
compliance
standards.

4. Cybersecurity Audit Checklist
For a conclusive checklist, a business needs to divide it into entities and
their subsequent cybersecurity issues and threats. Providing answers to
a series of questions from different entities is necessary for a checklist
in order to understand their role in cybersecurity issues and threats.

5. Security Questions for the
Management
What is the
established
chain of data
ownership?
What are the
security
policies the
business has
put in place?
What written
security
policies are
enforced
through
training?
What are the
business’
computer
software and
hardware
asset list?
Is data
classified by
usage and
sensitivity?

6. Security Questions for
Employees
 Are employees effectively trained to deal with phishing, handling suspicious
emails, or hacks through social engineering?
 Have employees undergone password training and enforcement?
 Do employees undergo training on carrying data on laptops and other devices to
ensure the security of the data?
 Is security awareness training imparted to all employees to understand the
importance of security and their role as active guardians for security?
 Has the business ensured that secure Bring Your Own Device (BYOD) plans have
been put in place for employees and other stakeholders?

7. Security Questions Regarding
Business Practice
 Are there emergency and cybersecurity response plans in place?
 Have all possible sources of business disruption and cybersecurity risk been determined?
 Are there plans in place to reduce security breaches and their subsequent business disruptions?
 Are there any redundancy and restoration paths for all critical business operations in place?
 Are the business’ restoration and redundancy plans tested?

8. Security Questions for the IT
Staff Are there system hardening plans?
 Are the automated systems hardening on all operating systems on servers, workstations,
gateways, and routers?
 Has the software patch management undergone automation?
 Are security mailing lists available?
 Are regular security audits and penetration testings done?
 Is antivirus software installed on all devices with auto-updates?
 Is there a systematic review of log files and backup logs to ensure there are no errors?
 What are the remote plans and policies on remote access in place?

9. Security Questions Regarding
Physical Security
 Are there lock servers and network equipment?
 Is a secure and remote backup solution available and working?
 Are the keys for the network in a secure location?
 Are locks used in computer cases?
 Are regular inspections performed?
 Is there a security camera monitoring system?
 Is there a keycard system for secure areas?
 Is a secure data policy available to ensure that users understand the policy through training?
 Are trash dumpsters and paper shredders secure to avoid dumpster diving?

10. Security Questions Regarding
Data Security
 Is encryption enabled wherever needed?
 Are laptops, storage, and mobile devices secure?
 Is automatic wiping of stolen or lost devices enabled?
 Is a secure sockets layer available when utilizing the internet to make sure that
data transfer is secure?
 Are email gateways secure enough for secure emailing of data?

11. Security Questions Regarding Active
Monitoring and Testing
 Is regular monitoring of all aspects of security done?
 Is regularly scheduled security testing done?
 Is external penetration testing for ensuring nothing is missed done?
 Is the scanning for data types for securing and properly storing data done?

12. Conclusion
This checklist covers all three levels of security in a business. This includes
information security, network security, and cybersecurity. This is important if a
conclusive secure framework is to be achieved in the business. This is because the
checklist helps businesses identify many, if not all, sophisticated threats that may
target it. It is in identifying them and minimizing their risk that the business’
infrastructure can be secured at all times while preventing a full-scale attack on its
network, which would end up not only risking its data but also its reputation.
Therefore, this checklist helps businesses undertake conclusive cybersecurity audit
management.

13. THANK YOU!