Cyber Security Audit Checklist (2026): 60+ Items
Posted: April 16, 2026 to Cybersecurity.
What Is a Cyber Security Audit and Who Needs One?
A cyber security audit is a structured review of your organization's security controls, policies, and configurations against a defined standard or baseline. It answers a simple but difficult question: do your actual defenses match what you think is in place?
Most organizations run one for at least one of these reasons: a compliance requirement (CMMC, HIPAA, SOC 2, PCI DSS), a cyber insurance renewal, a new contract with a security clause, a post-incident review, or a scheduled annual assessment. Some do them proactively before a breach happens.
The audience for this checklist is IT managers, MSPs, and business owners at companies with 10 to 500 employees -- organizations large enough to have real attack surface, small enough that they have not yet formalized their security program. You do not need a dedicated CISO to work through this list. You do need someone who can access your firewall, your AD or Azure AD, your endpoint management console, and your backup logs.
A cyber security audit is not the same as a penetration test. A pen test actively tries to break in. An audit verifies that controls are configured and documented correctly. Both have value. This checklist covers the audit side. If your audit turns up gaps, a pen test is often the next step to confirm whether those gaps are actually exploitable.
Scope Definition: What the Audit Covers
Before you start checking boxes, define what is in scope. An audit without a scope boundary produces incomplete results and false confidence.
Document your scope across four dimensions:
- Systems in scope: All systems that store, process, or transmit sensitive data. For most SMBs this includes domain controllers, file servers, workstations, cloud storage (SharePoint, Google Drive, S3), SaaS applications that hold customer or employee data, email, and backup infrastructure.
- Network segments in scope: Internal LAN, DMZ, cloud VPCs, VPN tunnels, wireless networks used by employees or guests.
- Data types in scope: PII, PHI, CUI (if you are a DoD contractor), financial records, intellectual property, authentication credentials.
- Frameworks or standards you are auditing against: NIST CSF, CIS Controls, CMMC 2.0, HIPAA Security Rule, SOC 2 Trust Services Criteria, or your own internal policy.
Write this scope statement down before the audit begins. Scope creep mid-audit creates inconsistent results and makes remediation tracking harder.
Pre-Audit Preparation
Three things to complete before you open the checklist:
Asset inventory: You cannot audit what you do not know exists. Pull a current list of all hardware (workstations, servers, printers, network gear, IoT devices) and all software (installed applications, SaaS subscriptions, cloud services). Your endpoint management or MDM platform should generate this automatically. If it does not, that is your first finding.
Access review preparation: Export a current user list from your identity provider -- Active Directory, Azure AD, Okta, Google Workspace -- with last login timestamps and group memberships. You will need this for the IAM section.
Policy document collection: Gather copies of your information security policy, acceptable use policy, incident response plan, and vendor management policy. If any of these do not exist, note it now. Missing documentation is a finding, not a reason to skip the section.
Checklist Section 1: Identity and Access Management
IAM failures are the leading initial access vector in breaches. This section verifies that only the right people can reach the right systems.
MFA on All Admin Accounts
Every account with elevated privileges -- domain admin, cloud console admin, Azure Global Admin, firewall admin -- must require multi-factor authentication. FIDO2 hardware keys or authenticator apps (not SMS) are required for high-value accounts. How to verify: Check your identity provider's sign-in logs and MFA enrollment report. Look for any admin account without an MFA method registered.
MFA on All Standard User Accounts
MFA is not just for admins. Any account with access to email, cloud storage, or business applications is a viable phishing target. How to verify: Pull MFA enrollment report. Flag all accounts with a last-login date in the past 90 days that lack MFA.
Password Policy
NIST SP 800-63B no longer recommends mandatory periodic rotation for most accounts -- complexity requirements are more useful. Require a minimum of 12 characters, check new passwords against breached-password databases when they are set or changed, and lock the account after repeated failed attempts. How to verify: Review your password policy configuration in AD/Azure AD or your SSO provider.
Privileged Access Review Cadence
Someone should review who holds admin rights at least quarterly. Privilege creep -- where users accumulate access over time -- is nearly universal when there is no review process. How to verify: Check when the last formal access review occurred. If no record exists, it has not happened.
Service Account Audit
Service accounts are often over-privileged, rarely rotated, and sometimes used interactively in ways that bypass MFA. List all service accounts, confirm they have the minimum permissions required for their function, and verify they are not used for human login. How to verify: Pull service accounts from AD. Check interactive login flags and last password change dates.
Guest and External Account Review
Guest users in Azure AD or Google Workspace can accumulate access after a project ends. Review all external/guest accounts and confirm they still need access. How to verify: Pull guest user list from your identity provider. Contact the business owner for each account and confirm need.
SSO Coverage
Every SaaS application that supports SSO should be connected to your identity provider. Applications that authenticate independently create shadow credential stores that are hard to manage and impossible to centrally revoke. How to verify: Cross-reference your SaaS inventory against your SSO provider's application list.
Offboarding Workflow
When an employee leaves, all accounts should be disabled within 24 hours of termination. Review your offboarding procedure and check recent terminations against your user list. How to verify: Pull HR termination records from the last 90 days. Cross-reference against enabled AD/Azure AD accounts.
Shared Credential Audit
Shared passwords for systems or applications -- a shared IT admin account, a shared monitoring login -- prevent accountability and make rotation painful. Document all known shared credentials and plan for individual accountability. How to verify: Interview IT staff. Check for generic usernames like "admin," "shared," or "it" in your user directory.
API Key Inventory
API keys are credentials. Untracked API keys are credentials no one is rotating. Maintain an inventory of all API keys: who owns them, what they access, and when they were last rotated. How to verify: Pull API key lists from cloud platforms (AWS IAM, Azure, GCP), source code repositories, and SaaS admin consoles. Flag keys older than 90 days without rotation.
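The verification steps in this section are all cross-references between exports: the MFA enrollment report against last-login dates, HR terminations against enabled accounts, service-account attributes against password age, the API key list against its owners and rotation dates. The script below is an added example (not code from the checklist's author) that runs those checks in one pass over constructed CSV exports. The column names (enabled, is_admin, type, mfa_methods, last_login, last_pw_change, interactive_logon_allowed, created) are assumptions about what an AD, Azure AD or Okta export would carry; the one-year limit on service-account password age is also an assumption, since the checklist gives no number for it.

```python
"""Identity and access review over constructed identity-provider exports.

Added example, not code from the checklist's author.  Every CSV here is
constructed sample data, and the column names are assumptions about what an
AD / Azure AD / Okta export would carry; map your own export onto them.
"""
import csv
import io
from datetime import date

AUDIT_DATE = date(2026, 4, 16)      # fixed so the results are reproducible
STALE_LOGIN_DAYS = 90               # checklist: "active" means a login within 90 days
OFFBOARD_SLA_DAYS = 1               # checklist: disable within 24 hours of termination
API_KEY_MAX_AGE_DAYS = 90           # checklist: flag keys not rotated in 90 days
SERVICE_PW_MAX_AGE_DAYS = 365       # assumption; the checklist gives no number
GENERIC_NAMES = {"admin", "shared", "it"}
STRONG_MFA = {"fido2", "app"}       # SMS does not count for admin accounts

USERS_CSV = """username,enabled,is_admin,type,mfa_methods,last_login,last_pw_change
jdoe,true,false,user,app,2026-04-10,2025-11-02
asmith,true,true,user,sms,2026-04-14,2026-01-20
bwong,true,false,user,,2026-03-30,2025-09-01
cold,true,false,user,,2025-06-01,2025-05-01
admin,true,true,user,fido2,2026-04-01,2026-02-01
svc_backup,true,false,service,,2026-04-15,2021-03-03
svc_monitor,true,false,service,,2026-04-15,2026-03-03
tleft,true,false,user,app,2026-04-02,2025-12-12
"""
TERMINATIONS_CSV = """username,termination_date
tleft,2026-04-01
"""
SERVICE_CSV = """username,interactive_logon_allowed
svc_backup,true
svc_monitor,false
"""
API_KEYS_CSV = """key_id,owner,platform,created
AKEY-0001,jdoe,aws,2026-03-01
AKEY-0002,,gcp,2025-10-15
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _days_since(iso):
    return (AUDIT_DATE - date.fromisoformat(iso)).days


def iam_findings(users_csv=USERS_CSV, terms_csv=TERMINATIONS_CSV,
                 service_csv=SERVICE_CSV, api_csv=API_KEYS_CSV):
    """Return (severity, subject, description) tuples for the IAM checklist items."""
    terminated = {r["username"]: r["termination_date"] for r in _rows(terms_csv)}
    svc_attrs = {r["username"]: r for r in _rows(service_csv)}
    findings = []
    for u in _rows(users_csv):
        name = u["username"]
        enabled = u["enabled"] == "true"
        mfa = {m.strip().lower() for m in u["mfa_methods"].split(";") if m.strip()}
        active = enabled and _days_since(u["last_login"]) <= STALE_LOGIN_DAYS
        # MFA on admin accounts (strong method only) and on active standard accounts
        if u["is_admin"] == "true" and not (mfa & STRONG_MFA):
            findings.append(("critical", name, "admin account without FIDO2 or app MFA"))
        elif u["type"] == "user" and active and not mfa:
            findings.append(("high", name, "active user account without MFA"))
        # Offboarding: HR says terminated, the directory still says enabled
        if name in terminated and enabled and _days_since(terminated[name]) > OFFBOARD_SLA_DAYS:
            findings.append(("critical", name, f"terminated {terminated[name]} but still enabled"))
        # Shared-credential smell: generic usernames
        if name.lower() in GENERIC_NAMES:
            findings.append(("medium", name, "generic username; confirm it is not a shared login"))
        # Service accounts: no interactive logon, passwords actually rotated
        if u["type"] == "service":
            if svc_attrs.get(name, {}).get("interactive_logon_allowed") == "true":
                findings.append(("high", name, "service account allows interactive logon"))
            if _days_since(u["last_pw_change"]) > SERVICE_PW_MAX_AGE_DAYS:
                findings.append(("high", name, "service account password older than a year"))
    # API keys are credentials: every key needs an owner and a rotation date
    for k in _rows(api_csv):
        if not k["owner"] or _days_since(k["created"]) > API_KEY_MAX_AGE_DAYS:
            findings.append(("medium", k["key_id"], "API key unowned or not rotated in 90 days"))
    return findings


if __name__ == "__main__":
    for sev, subject, desc in sorted(iam_findings()):
        print(f"{sev:8} {subject:12} {desc}")
```

On the constructed data this produces seven findings: the SMS-only admin and the terminated-but-enabled user are critical, the active user with no MFA and the service account with interactive logon and a five-year-old password are high, and the generic "admin" username and the unowned API key are medium. The stale account "cold" produces nothing because the checklist scopes the MFA check to accounts active in the last 90 days.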
Checklist Section 2: Endpoint Security
Endpoints are where breaches begin and where ransomware executes. This section verifies your visibility and control at the device level.
EDR / Antivirus Coverage
Every managed endpoint -- workstations, laptops, servers -- should have endpoint detection and response software installed and reporting to a central console. Coverage gaps (devices in the inventory that are not reporting) are a priority finding. How to verify: Compare your asset inventory against your EDR console's device list. Calculate coverage percentage.
Patch Management: OS
Operating system patches should be applied within 30 days of release for standard patches, and within 72 hours for critical or actively exploited vulnerabilities. How to verify: Pull patch compliance report from your patch management tool (WSUS, Intune, Jamf). Flag endpoints more than 30 days behind.
Patch Management: Applications and Firmware
Third-party applications -- browsers, Office, Adobe, VPN clients -- are a primary exploit vector. Firmware on servers and network gear is equally important. How to verify: Check your patch tool for third-party app patching coverage. Check firmware versions on servers, firewalls, and switches against vendor current releases.
Disk Encryption
Every laptop and workstation should have full-disk encryption enabled (BitLocker on Windows, FileVault on macOS). Without it, a stolen device is a data breach. How to verify: Pull encryption status report from Intune or your MDM. Any unencrypted portable device is a critical finding.
Mobile Device Enrollment
Corporate email and data accessed from mobile devices should require MDM enrollment, a PIN, and remote wipe capability. How to verify: Check your MDM or Exchange ActiveSync for device enrollment status. Identify devices accessing corporate mail without enrollment.
Removable Media Policy
USB drives are an exfiltration vector and a malware delivery mechanism. Your policy should either prohibit them or restrict their use to encrypted, company-issued drives. How to verify: Review written policy. Check Group Policy or endpoint management for USB restrictions configuration.
Local Administrator Rights
Standard users should not have local administrator rights on their workstations. Local admin access allows malware to install, persist, and elevate privileges far more easily. How to verify: Pull local group membership report from your endpoint tool. Flag any non-IT account in the local Administrators group.
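The endpoint items above all reduce to comparing the asset inventory against a console export: EDR device list for coverage, patch report for the 30-day window, encryption report for portable devices, local group report for non-IT administrators. The following is an added example, not code from the checklist's author, that computes each of those over constructed exports. The CSV columns (kind, portable, last_seen, last_os_patch, full_disk_encryption, members) and the set of IT-owned accounts permitted in local Administrators are assumptions.

```python
"""Endpoint coverage checks over constructed console exports.

Added example, not code from the checklist's author.  The CSVs are constructed
sample exports; column names are assumptions about what an MDM / EDR / patch
console would export.
"""
import csv
import io
from datetime import date

AUDIT_DATE = date(2026, 4, 16)
PATCH_MAX_DAYS = 30                                 # checklist: flag endpoints >30 days behind
MANAGED_KINDS = {"workstation", "laptop", "server"}  # printers/IoT are inventoried, not EDR-managed
APPROVED_LOCAL_ADMINS = {"it-admin", "helpdesk"}     # assumption: IT-owned accounts

INVENTORY_CSV = """hostname,kind,portable
WS-001,workstation,false
LT-002,laptop,true
LT-003,laptop,true
SRV-DC1,server,false
SRV-FILE,server,false
PRN-01,printer,false
"""
EDR_CSV = """hostname,last_seen
WS-001,2026-04-15
LT-002,2026-04-16
SRV-DC1,2026-04-16
SRV-FILE,2026-04-10
"""
PATCH_CSV = """hostname,last_os_patch
WS-001,2026-04-01
LT-002,2026-02-20
LT-003,2026-04-05
SRV-DC1,2026-04-12
SRV-FILE,2025-12-30
"""
ENCRYPTION_CSV = """hostname,full_disk_encryption
WS-001,false
LT-002,true
LT-003,false
"""
LOCAL_ADMINS_CSV = """hostname,members
WS-001,it-admin;jdoe
LT-002,it-admin
LT-003,helpdesk;bwong
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def managed_endpoints(inventory_csv=INVENTORY_CSV):
    """Hostname -> inventory row for the devices the EDR/patch/encryption checks apply to."""
    return {r["hostname"]: r for r in _rows(inventory_csv) if r["kind"] in MANAGED_KINDS}


def edr_coverage(inventory_csv=INVENTORY_CSV, edr_csv=EDR_CSV):
    """Return (coverage percent, sorted managed devices not reporting to the EDR console)."""
    managed = managed_endpoints(inventory_csv)
    reporting = {r["hostname"] for r in _rows(edr_csv)}
    missing = sorted(h for h in managed if h not in reporting)
    pct = 100.0 * (len(managed) - len(missing)) / len(managed) if managed else 0.0
    return round(pct, 1), missing


def stale_patch_hosts(inventory_csv=INVENTORY_CSV, patch_csv=PATCH_CSV):
    """Managed endpoints with no patch record or an OS patch older than PATCH_MAX_DAYS."""
    last = {r["hostname"]: date.fromisoformat(r["last_os_patch"]) for r in _rows(patch_csv)}
    return sorted(h for h in managed_endpoints(inventory_csv)
                  if h not in last or (AUDIT_DATE - last[h]).days > PATCH_MAX_DAYS)


def unencrypted_portables(inventory_csv=INVENTORY_CSV, enc_csv=ENCRYPTION_CSV):
    """Portable devices without full-disk encryption (or with no report at all): critical."""
    status = {r["hostname"]: r["full_disk_encryption"] == "true" for r in _rows(enc_csv)}
    return sorted(h for h, r in managed_endpoints(inventory_csv).items()
                  if r["portable"] == "true" and not status.get(h, False))


def unapproved_local_admins(admins_csv=LOCAL_ADMINS_CSV):
    """(hostname, account) pairs where a non-IT account sits in local Administrators."""
    return sorted((r["hostname"], m) for r in _rows(admins_csv)
                  for m in r["members"].split(";") if m and m not in APPROVED_LOCAL_ADMINS)


if __name__ == "__main__":
    pct, gaps = edr_coverage()
    print(f"EDR coverage: {pct}% (not reporting: {gaps})")
    print("Patch >30 days or no data:", stale_patch_hosts())
    print("Unencrypted portable devices:", unencrypted_portables())
    print("Non-IT local admins:", unapproved_local_admins())
```

Note that a device missing from the patch or encryption report is treated the same as a failing one: absence of evidence is a finding, which is the same stance the checklist takes on missing documentation.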
Checklist Section 3: Network Security
The network is the connective tissue between your endpoints and your data. Weak segmentation means a compromised endpoint can reach everything.
Firewall Rule Review
Firewall rulesets accumulate over years. Rules added for a specific project or vendor often stay long after their purpose expires. Review all inbound allow rules against a documented business need. Remove any rule that cannot be justified. How to verify: Export firewall ruleset. For each allow rule, confirm business owner, purpose, and last review date.
VLAN Segmentation
Critical systems -- servers, payment systems, industrial control systems -- should be on separate network segments with firewall controls between them, not on the same flat network as employee workstations. How to verify: Review network diagram. Confirm servers are on a dedicated VLAN with access controls between user and server segments.
VPN Access Review
Who has VPN access? Does everyone with VPN access still need it? VPN credentials are a common target because they provide direct network access. How to verify: Pull VPN user list. Cross-reference against active employees. Review VPN logs for anomalous access patterns (off-hours, unusual source countries).
Intrusion Detection and Prevention
IDS/IPS systems monitor for known attack patterns in network traffic. They will not catch everything, but they catch a lot of commodity malware and lateral movement. How to verify: Confirm IDS/IPS is enabled and logging. Check that alerts are being reviewed -- a system that fires alerts no one reads provides no value.
DNS Filtering
DNS filtering blocks connections to known malicious domains before any malware can phone home or a user can reach a phishing site. It is one of the highest-value-per-dollar security controls available. How to verify: Confirm a DNS filtering service is configured as the resolver for all devices (Cisco Umbrella, Cloudflare Gateway, NextDNS for business, etc.). Test that category blocking is active.
Wireless Security
Corporate wireless should use WPA3 or WPA2-Enterprise (802.1X authentication), not a shared PSK. Guest wireless should be isolated from the corporate network with no access to internal resources. How to verify: Check wireless controller configuration. Verify guest network VLAN isolation. Confirm no weak authentication protocol (WEP, WPA-TKIP) is in use.
Public IP and Exposed Service Audit
What does your organization expose to the internet? Run a scan of your public IP space and compare results against what you expect to be public. Unexpected open ports -- RDP, SMB, Telnet -- are immediate findings. How to verify: Use Shodan, your firewall's public-facing config, or a port scanner against your public IPs. Close or VPN-restrict anything that does not need to be directly internet-accessible.
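The firewall rule review and the exposed-service audit can be driven from the same exported ruleset: every inbound allow rule needs an owner, a purpose and a review date, and any rule that lets the internet reach a destination and port the business did not expect to be public is a finding, with RDP, SMB and Telnet treated as immediate ones. The script below is an added example, not code from the checklist's author. The ruleset CSV, its column names and the EXPECTED_PUBLIC list are constructed; the 12-month review interval is an assumption, since the checklist asks for a last-review date without fixing a number.

```python
"""Firewall ruleset review over a constructed rule export.

Added example, not code from the checklist's author.  The ruleset CSV and
EXPECTED_PUBLIC are constructed; column names are assumptions about a typical
firewall export, and the 12-month review interval is an assumption.
"""
import csv
import io
from datetime import date
from ipaddress import ip_network

AUDIT_DATE = date(2026, 4, 16)
REVIEW_MAX_DAYS = 365
HIGH_RISK_PORTS = {"3389": "RDP", "445": "SMB", "23": "Telnet"}   # named on the checklist
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed export; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
RULES_CSV = """name,direction,action,source,destination,port,owner,purpose,last_reviewed
web-https,inbound,allow,any,203.0.113.10,443,webteam,public website,2026-01-15
vpn-ike,inbound,allow,any,203.0.113.2,500,netops,remote access VPN,2026-01-15
legacy-rdp,inbound,allow,any,203.0.113.20,3389,,,2022-05-01
vendor-smb,inbound,allow,198.51.100.7,203.0.113.30,445,,vendor file drop,2024-02-01
mgmt-ssh,inbound,allow,10.0.0.0/8,203.0.113.2,22,netops,admin access,2026-03-01
out-all,outbound,allow,any,any,any,netops,default egress,2026-03-01
"""
# What the business expects to be reachable from the internet: (destination, port).
EXPECTED_PUBLIC = {("203.0.113.10", "443"), ("203.0.113.2", "500")}


def from_internet(source):
    """True when the rule's source is 'any' or a non-RFC1918 address or network."""
    if source.lower() == "any":
        return True
    net = ip_network(source, strict=False)
    return not any(net.subnet_of(p) for p in RFC1918)


def review_rules(rules_csv=RULES_CSV, expected_public=EXPECTED_PUBLIC):
    """Return {rule name: [issues]} for the inbound allow rules that need attention."""
    issues = {}
    for r in csv.DictReader(io.StringIO(rules_csv)):
        if r["direction"] != "inbound" or r["action"] != "allow":
            continue                      # the checklist scopes the review to inbound allows
        found = []
        exposed = from_internet(r["source"])
        if exposed and r["port"] in HIGH_RISK_PORTS:
            found.append(f"allows {HIGH_RISK_PORTS[r['port']]} ({r['port']}) inbound from the internet")
        if exposed and (r["destination"], r["port"]) not in expected_public:
            found.append("internet-facing service not on the expected public list")
        if not r["owner"]:
            found.append("no documented owner")
        if not r["purpose"]:
            found.append("no documented purpose")
        if not r["last_reviewed"]:
            found.append("never reviewed")
        else:
            age = (AUDIT_DATE - date.fromisoformat(r["last_reviewed"])).days
            if age > REVIEW_MAX_DAYS:
                found.append(f"review overdue ({age} days since last review)")
        if found:
            issues[r["name"]] = found
    return issues


if __name__ == "__main__":
    for name, found in review_rules().items():
        print(name)
        for f in found:
            print("  -", f)
```

The RFC1918 test is deliberate: Python's ipaddress module classifies the documentation ranges used in the sample as private, so relying on its is_private attribute would have hidden the vendor SMB rule. Compare the rules this flags against an external view of your public IP space; a rule that exposes nothing because upstream filtering blocks it is still an undocumented rule.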
Checklist Section 4: Data Protection
A breach that destroys your data or holds it hostage ends businesses. This section verifies your backup posture and data handling practices.
Backup Frequency and Coverage
Critical data should be backed up at minimum daily. Confirm that all systems containing important data are covered by your backup solution -- not just your primary file server. How to verify: Review backup job configuration. Confirm every critical system appears in the backup schedule.
Backup Restore Test
A backup you have never tested is not a backup -- it is a theory. Perform a restore test at least quarterly for critical systems. Document the test date, what was restored, and how long recovery took. How to verify: Review restore test logs. If no test has occurred in the past 90 days, schedule one before the audit closes.
Backup Encryption
Backup data should be encrypted both in transit and at rest. Unencrypted backups stored offsite or in cloud storage are a data exposure risk. How to verify: Check backup software encryption settings. Verify that cloud backup buckets are not publicly accessible.
Immutable or Air-Gapped Backup Copy
Ransomware increasingly targets and destroys online backups before encrypting production systems. An immutable backup -- one that cannot be deleted or modified for a defined retention period -- is your last line of defense. How to verify: Confirm at least one backup copy is stored in an immutable format (AWS S3 Object Lock, Azure Immutable Blob Storage, Veeam immutable repository, or air-gapped media).
Data Classification
You cannot protect data you have not labeled. A data classification policy defines categories (public, internal, confidential, restricted) and the handling requirements for each. Without classification, everything gets treated the same -- which usually means nothing is adequately protected. How to verify: Review your data classification policy. Confirm that sensitive data stores (file shares, databases, cloud storage) have ownership and classification labels.
Retention and Destruction Policy
Keeping data indefinitely is not free -- it increases your breach liability. A retention policy defines how long each data type is kept and how it is destroyed when it is no longer needed. How to verify: Review your data retention policy. Confirm that media destruction and data deletion procedures exist and are being followed.
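The backup items in this section (daily coverage of every critical system, tested restores within 90 days, encryption in transit and at rest, at least one immutable copy) can be verified together from the backup console's job export. The script below is an added example, not code from the checklist's author. The critical-system list and the jobs CSV are constructed, the column names are assumptions about a backup console export, and the staleness rule (last success older than twice the job interval) is an assumption; the daily minimum and the 90-day restore-test window are the checklist's.

```python
"""Backup posture checks over constructed backup-job exports.

Added example, not code from the checklist's author.  CRITICAL_SYSTEMS and the
jobs CSV are constructed; column names are assumptions about a backup console
export, and the twice-the-interval staleness rule is an assumption.
"""
import csv
import io
from datetime import date

AUDIT_DATE = date(2026, 4, 16)
MAX_INTERVAL_HOURS = 24          # checklist: critical data backed up at least daily
RESTORE_TEST_MAX_DAYS = 90       # checklist: restore test at least quarterly

CRITICAL_SYSTEMS = ["SRV-FILE", "SRV-DC1", "SRV-ERP-DB", "M365-SHAREPOINT"]
JOBS_CSV = """system,interval_hours,encrypt_transit,encrypt_rest,immutable_copy,last_success,last_restore_test
SRV-FILE,24,true,true,true,2026-04-16,2026-03-01
SRV-DC1,24,true,true,false,2026-04-16,2025-11-15
SRV-ERP-DB,168,true,false,false,2026-04-12,
"""


def _days_since(iso):
    return (AUDIT_DATE - date.fromisoformat(iso)).days


def backup_findings(critical=CRITICAL_SYSTEMS, jobs_csv=JOBS_CSV):
    """Return (severity, system, description) tuples for the data-protection items."""
    jobs = {r["system"]: r for r in csv.DictReader(io.StringIO(jobs_csv))}
    findings = []
    for system in critical:
        job = jobs.get(system)
        if job is None:
            findings.append(("critical", system, "critical system has no backup job"))
            continue
        interval = int(job["interval_hours"])
        if interval > MAX_INTERVAL_HOURS:
            findings.append(("high", system, f"backup interval {interval}h exceeds daily minimum"))
        if _days_since(job["last_success"]) * 24 > 2 * interval:
            findings.append(("high", system, "last successful backup is stale"))
        if job["encrypt_transit"] != "true" or job["encrypt_rest"] != "true":
            findings.append(("high", system, "backup not encrypted in transit and at rest"))
        if not job["last_restore_test"]:
            findings.append(("high", system, "restore has never been tested"))
        elif _days_since(job["last_restore_test"]) > RESTORE_TEST_MAX_DAYS:
            findings.append(("high", system, "restore test older than 90 days"))
    # Immutability is checked once across the estate: the checklist asks for at
    # least one copy that cannot be deleted or modified during its retention period.
    if not any(j["immutable_copy"] == "true" for j in jobs.values()):
        findings.append(("critical", "all", "no immutable or air-gapped backup copy exists"))
    return findings


if __name__ == "__main__":
    for sev, system, desc in backup_findings():
        print(f"{sev:8} {system:16} {desc}")
```

The SharePoint entry is the case the checklist calls out: a critical data store that is not the primary file server and simply has no job. A restore-test column that is empty is reported as "never tested" rather than silently passing.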
Checklist Section 5: Email Security
Email is the number one initial access vector for phishing, BEC, and malware delivery. These controls are not optional.
SPF, DKIM, and DMARC
SPF tells receiving mail servers which IPs are authorized to send mail for your domain. DKIM adds a cryptographic signature to outbound mail. DMARC tells receiving servers what to do with mail that fails SPF or DKIM checks -- and sends you a report when that happens. All three should be configured, and DMARC should be at p=reject or p=quarantine, not p=none. How to verify: Use MXToolbox or Google Admin Toolbox to check your DNS records. Review DMARC aggregate reports for unauthorized sending sources.
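Online checkers do the lookup for you, but the records themselves are short enough to evaluate directly, which is useful when you want the check in a script that runs every audit cycle. The following is an added example, not code from the checklist's author, that parses SPF, DKIM and DMARC TXT values and reports the conditions the checklist cares about: an SPF "all" qualifier that lets anyone send, a DMARC policy still at p=none, and a DMARC record with no rua= address (no aggregate reports to review). The record strings are constructed for a fictional domain and no DNS query is made, so it runs offline; the DKIM public key value is a placeholder.

```python
"""SPF, DKIM and DMARC record checks over constructed DNS TXT values.

Added example, not code from the checklist's author.  The record strings are
constructed (no DNS lookup is performed); in practice you would feed in the
TXT records returned for example.com, <selector>._domainkey.example.com and
_dmarc.example.com.  The DKIM public key value is a placeholder.
"""

SPF_WEAK = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com ip4:203.0.113.0/24 +all"
SPF_GOOD = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
DMARC_NONE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
DMARC_NO_RUA = "v=DMARC1; p=quarantine"
DKIM_GOOD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"


def _is_lookup(term):
    """True for SPF terms that cost a DNS lookup (RFC 7208 allows at most 10)."""
    t = term.lstrip("+-~?").lower()
    return t.startswith(("include:", "exists:", "redirect=", "a", "mx", "ptr")) and not t.startswith("all")


def evaluate_spf(record):
    """Issues with an SPF record; an empty list means the checklist item passes."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism; unlisted senders get a neutral result")
    else:
        # A bare "all" means +all, so the default qualifier is "+".
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in "+?":
            issues.append(f"all qualifier is {qualifier}all; any host may send as the domain")
    # Top-level count only (includes are not expanded), so this undercounts.
    lookups = sum(1 for t in terms[1:] if _is_lookup(t))
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10")
    return issues


def parse_dmarc(record):
    """Tag -> value dict for a 'tag=value; tag=value' record (DMARC and DKIM share the syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record):
    """Issues with a DMARC record against the checklist: enforcing policy, reports collected."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"policy is p={policy or 'missing'}; failing mail is still delivered")
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports are not being collected")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail stream")
    return issues


def evaluate_dkim(record):
    """A DKIM selector record must carry a non-empty public key; an empty p= revokes it."""
    tags = parse_dmarc(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        return ["not a DKIM record (v= is not DKIM1)"]
    if not tags.get("p"):
        return ["DKIM record has an empty public key (p=); the selector is revoked"]
    return []


if __name__ == "__main__":
    for label, rec, fn in (("SPF", SPF_WEAK, evaluate_spf), ("DMARC", DMARC_NONE, evaluate_dmarc),
                           ("DKIM", DKIM_GOOD, evaluate_dkim)):
        print(label, fn(rec) or "pass")
```

The lookup count is only a first screen because include: chains are not expanded; a record that passes here can still exceed the limit once its includes are resolved, which is something the online tools do for you.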
Email Filtering and Phishing Protection
Your email platform (Microsoft 365 or Google Workspace) has built-in anti-phishing controls. Confirm they are enabled at the correct enforcement level -- many organizations leave them at default settings that miss a significant portion of social engineering attempts. Third-party email security gateways provide additional layers. How to verify: Review your email security settings. Check quarantine logs for volume and disposition of flagged messages.
Security Awareness Training Cadence
Technical controls catch what they know to look for. Trained employees catch what technical controls miss. Security awareness training should occur at minimum annually, with phishing simulations at least quarterly. How to verify: Pull training completion records. Review phishing simulation results. If click rates are above 5%, the training program needs adjustment.
Incident Reporting Pathway
Employees need to know how and where to report a suspicious email, a failed phishing simulation click, or a suspected compromise. If the process is unclear, incidents go unreported. How to verify: Confirm a clearly communicated reporting mechanism exists (a dedicated email address, a phone number, a button in the email client). Test that reports actually reach someone who acts on them.
Attachment and Link Sandboxing
Malicious attachments and links should be detonated in a sandbox before reaching the recipient's inbox. Microsoft Defender for Office 365 Safe Attachments and Safe Links provide this. Google Workspace has similar capabilities. How to verify: Confirm sandbox capabilities are enabled and at the correct policy level.
Checklist Section 6: Application Security
Shadow IT and over-privileged SaaS applications create risk that is easy to overlook because it happens outside your network perimeter.
SaaS Application Inventory
Do you know every SaaS application your employees are using to process business data? Most organizations that conduct this exercise find 30 to 50 percent more applications than they were tracking. How to verify: Pull browser history exports, check SSO application lists, review corporate credit card charges for software subscriptions.
SaaS Access Review
For each SaaS application in your inventory, confirm that users with access still need it and that their permission level is appropriate. Former employees with active SaaS logins are a common finding. How to verify: For each critical SaaS app, pull the user list from the admin console and cross-reference against your active employee list.
Third-Party Vendor Risk Assessment
Your vendors have access to your data or systems. Their security posture affects your risk. Critical vendors -- cloud providers, managed service providers, payroll processors -- should have completed a security questionnaire or provided a SOC 2 report. How to verify: Identify vendors with privileged access to your systems. Confirm that a security review has been completed for each within the past 12 months. For CMMC contractors, this requirement is explicit in the CMMC assessment process. For HIPAA entities, business associate agreements are required.
Code Repository Access Review
If your organization maintains software in GitHub, GitLab, or Bitbucket, treat it like any other sensitive system. Review who has access, confirm that no secrets (API keys, passwords, certificates) are stored in the repository, and confirm that branch protection rules require review before merge to main. How to verify: Pull member list from your repository host. Run a secrets scanning tool (GitLeaks, truffleHog) against your repositories.
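GitLeaks and truffleHog are the right tools for the repository scan; the example below is added here, is not code from the checklist's author and is not either of those tools. It shows the two strategies they combine, so the findings they produce are easier to read: matching known credential formats, and flagging high-entropy literals assigned to secret-looking variable names. FILES is constructed sample content; the AWS access key ID format and the PEM header are public formats, the key value is AWS's documented example, and the entropy threshold and placeholder list are assumptions to tune per code base.

```python
"""Minimal secrets scan over constructed repository files.

Added example, not code from the checklist's author and not GitLeaks or
truffleHog.  FILES is constructed sample content; the entropy threshold and
the placeholder list are assumptions to tune per code base.
"""
import math
import re
from collections import Counter

# Known-format patterns (public formats): AWS access key IDs begin with AKIA
# and are 20 characters; PEM private keys carry a fixed header line.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# Generic: a secret-looking variable assigned a literal of 12+ token characters.
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{12,})['\"]?")
ENTROPY_THRESHOLD = 3.5        # assumption; bits per character, tune per code base
PLACEHOLDERS = {"changeme", "your_api_key_here", "example", "redacted"}

# Constructed sample files; the secret values are made up or documented examples.
FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = \"s3cr3t-p4ssw0rd-F9x2qLm8\"\n"
        "API_KEY = \"your_api_key_here\"\n"
    ),
    "deploy/aws.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "docs/README.md": "token = README_TOKEN\n",
    "keys/server.pem": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER_KEY_BODY\n",
}


def shannon_entropy(s):
    """Bits per character; random-looking credentials score high, words and placeholders low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _redact(value):
    """Never write the full secret into the findings report."""
    return value[:4] + "..." if len(value) > 8 else "***"


def scan_text(path, text):
    """Findings for one file as (path, line number, kind, redacted value)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((path, lineno, kind, _redact(m.group(0))))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            if value.lower() in PLACEHOLDERS:
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy_" + m.group(1).lower(), _redact(value)))
    return findings


def scan_files(files=FILES):
    """Scan every (path, content) pair; in practice, walk the working tree and the git history."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for path, lineno, kind, shown in scan_files():
        print(f"{path}:{lineno}: {kind} ({shown})")
```

The README line is the false-positive case: it matches the assignment pattern but its value is a low-entropy word, so it is dropped. Real tools also scan commit history, since a secret removed in a later commit is still retrievable from the repository.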
Web Application Vulnerability Scan
If you operate a customer-facing web application, it should be scanned for common vulnerabilities (OWASP Top 10) at minimum annually, and after significant code changes. How to verify: Review the date of the most recent web application scan or penetration test.
Checklist Section 7: Compliance and Governance
Controls without documentation are unverifiable. This section checks the paper trail that supports everything above.
Information Security Policy
A written, approved, and current information security policy is the foundation of a security program. It should define roles and responsibilities, the acceptable use of company assets, data classification, and the consequences of policy violations. How to verify: Locate the current policy. Check the last review and approval date. If it has not been reviewed in more than 12 months, it is out of date.
Incident Response Plan
Your IR plan defines what happens when a security incident occurs: who is notified, who makes decisions, what actions are taken, and how evidence is preserved. Without a documented plan, incident response is improvised -- and improvised IR is expensive. How to verify: Locate the current IR plan. Confirm it includes breach notification requirements specific to your regulated data types (HIPAA breach notification, state breach notification laws, CMMC reporting).
Acceptable Use Policy
Employees should have signed an acceptable use policy that defines what they can and cannot do with company systems, networks, and data. How to verify: Confirm the AUP exists, is current, and that signed copies or electronic acknowledgments exist for all current employees.
Asset Inventory Currency
The asset inventory you prepared before the audit should be a living document, not a one-time exercise. Confirm that a process exists to add new assets, remove retired assets, and review the inventory at a defined interval. How to verify: Check the last update date of your asset inventory. Verify that asset management is assigned to a named owner.
Risk Register
A risk register documents identified risks, their likelihood and impact, mitigation status, and residual risk acceptance decisions. It makes your security posture visible to leadership and defensible to auditors. How to verify: Locate the risk register. Check that identified risks from previous audits appear with their current remediation status.
Annual Penetration Test
Many compliance frameworks require an annual penetration test. Beyond compliance, a pen test validates whether the controls you have documented actually work. How to verify: Confirm a penetration test has been conducted within the past 12 months by a qualified external firm. Review the findings report and confirm that critical findings have remediation plans.
Checklist Section 8: Incident Response Readiness
The question is not whether an incident will happen. It is whether your organization is prepared to respond when it does.
IR Plan Documentation
Covered in Section 7, but worth restating: the plan must be written down, accessible to the people who need it during an incident (including when your primary systems are down), and reviewed at least annually. How to verify: Confirm the IR plan is stored in a location accessible offline or outside your primary network (printed copies, a separately hosted document).
Tabletop Exercise
A tabletop exercise walks your response team through a simulated incident scenario to identify gaps before a real event. It should happen at minimum once per year, with different scenarios each time. How to verify: Review tabletop exercise records. If no exercise has occurred in the past 12 months, schedule one. Petronella Technology Group facilitates these exercises for clients -- they surface gaps that documentation reviews alone miss.
Breach Notification Workflow
Know your notification obligations before an incident. If you hold PHI, HIPAA breach notification requires specific timelines. If you hold consumer data, your state's breach notification law applies. If you are a DoD contractor under CMMC, you have a 72-hour reporting obligation for CUI incidents. How to verify: Document the specific notification timelines and recipients for each regulatory framework that applies to your organization.
Cyber Insurance Review
Review your cyber insurance policy. Confirm coverage limits are appropriate for your data volume and revenue, that the policy covers ransomware extortion and business interruption, and that you understand what is required to make a claim (including documentation requirements that must be prepared before an incident). How to verify: Pull your current policy. Review exclusions carefully. Confirm MFA is in place -- many carriers now deny claims when MFA was not enabled on critical accounts.
Legal and PR Contacts
Have the names and after-hours numbers for your breach counsel and PR firm written down and accessible before you need them. The time to find a breach attorney is not the night you discover ransomware. How to verify: Confirm these contacts are documented in your IR plan or a separately maintained contact list.
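Most of the governance and readiness items in Sections 7 and 8 (and the quarterly access review from Section 1) are the same question with different intervals: when did this last happen, and is that within the cadence the checklist sets? The following is an added example, not code from the checklist's author, that generalizes those checks into one evidence table with the Pass/Fail vocabulary the checklist uses and orders the failures for remediation. EVIDENCE is a constructed record of last-performed dates; the cadences are the ones stated on the checklist.

```python
"""Evidence-currency tracker for the dated governance and readiness items.

Added example, not code from the checklist's author.  EVIDENCE is a
constructed record of last-performed dates; CADENCE_DAYS holds the intervals
the checklist states.
"""
from datetime import date

AUDIT_DATE = date(2026, 4, 16)

# Control -> maximum days between occurrences, as stated on the checklist.
CADENCE_DAYS = {
    "information security policy review": 365,
    "privileged access review": 90,
    "incident response plan review": 365,
    "tabletop exercise": 365,
    "external penetration test": 365,
    "critical vendor security review": 365,
    "security awareness training": 365,
    "phishing simulation": 90,
    "web application vulnerability scan": 365,
}

# Constructed evidence: last date each control was performed (None = no record).
EVIDENCE = {
    "information security policy review": date(2024, 9, 30),
    "privileged access review": date(2026, 2, 10),
    "incident response plan review": date(2025, 6, 1),
    "tabletop exercise": None,
    "external penetration test": date(2025, 5, 20),
    "critical vendor security review": date(2025, 1, 15),
    "security awareness training": date(2025, 10, 1),
    "phishing simulation": date(2025, 12, 1),
    "web application vulnerability scan": date(2026, 3, 3),
}


def status(control, last_done, today=AUDIT_DATE):
    """("Pass", 0) or ("Fail", days overdue); a missing record is ("Fail", None)."""
    limit = CADENCE_DAYS[control]
    if last_done is None:
        return "Fail", None          # no record means it has not happened
    overdue = (today - last_done).days - limit
    return ("Fail", overdue) if overdue > 0 else ("Pass", 0)


def audit_cadences(evidence=EVIDENCE, today=AUDIT_DATE):
    """Return {control: (status, days overdue or None)} for every tracked control."""
    return {c: status(c, evidence.get(c), today) for c in CADENCE_DAYS}


def failing(evidence=EVIDENCE, today=AUDIT_DATE):
    """Failing controls ordered for remediation: never performed first, then most overdue."""
    fails = [(c, d) for c, (s, d) in audit_cadences(evidence, today).items() if s == "Fail"]
    return sorted(fails, key=lambda cd: (cd[1] is not None, -(cd[1] or 0)))


if __name__ == "__main__":
    for control, (result, overdue) in audit_cadences().items():
        extra = "" if overdue is None else f" ({overdue} days overdue)" if overdue else ""
        print(f"{result:4} {control}{extra if result == 'Fail' else ''}")
    print("Remediation order:", [c for c, _ in failing()])
```

Each control is scored on its own, as the "How to Use This Checklist" guidance requires; a current penetration test does not offset a policy that has not been reviewed in over eighteen months, and the exercise that was never run sorts ahead of everything that is merely late.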
How to Use This Checklist
Work through each section with a named reviewer for each item. Use a simple status: Pass, Fail, or Not Applicable. For every Fail, document the finding with enough detail to drive remediation: what is wrong, what system it affects, what the risk is, and who owns the fix.
Do not treat this as a pass/fail exercise for the whole organization. A single Pass on MFA does not cancel a Fail on backup restore testing. Each item stands on its own.
Prioritize findings by impact. Exposed RDP to the internet is more urgent than a stale acceptable use policy. Remediate in risk order, not checklist order.
Common gaps SMBs find during a first self-audit:
- MFA deployed only for Microsoft 365 but not for the VPN, firewall admin, or cloud console
- Backups configured but never tested -- the restore fails when tried
- Offboarding missed for contractor accounts, which often stay active indefinitely
- No asset inventory, or an inventory last updated 18+ months ago
- DMARC configured at p=none -- which means receiving servers report problems but still deliver the email
- Firewall rules permitting RDP (3389) or SMB (445) inbound from the internet
- Service accounts with domain admin rights that have not had their password changed in years
When to Bring In an External Firm
A self-audit is a starting point. It surfaces what your own team can see. An external audit brings an independent perspective -- the controls that seem fine internally often look different to someone who is not used to working around them.
Consider an external assessment when:
- You are preparing for a CMMC assessment or a HIPAA audit from OCR
- Your self-audit surfaces findings that require independent verification
- Your cyber insurance carrier is asking about your security posture at renewal
- You are onboarding a new enterprise client who requires a security review as a condition of the contract
- Your last external assessment was more than 12 months ago
External firms bring tools and techniques that catch what internal reviews miss: configuration analysis at the technical level, comparison against current threat intelligence, and validation that your documented controls match your actual implementation. That gap -- between policy and reality -- is where most breaches start.
Petronella Technology Group provides independent cyber security assessments for businesses across North Carolina, including gap assessments tied to CMMC compliance and HIPAA. Organizations that want a senior-level security advisor embedded without a full-time hire can explore our virtual CISO program. For a scoped quote, call Petronella Technology Group at (919) 348-4912.
Related reading: Network Security Assessment Checklist for Small Businesses (2026) | HIPAA Audit Checklist: Prepare Before OCR Comes Calling | CMMC Compliance Checklist: 110-Control Guide 2026