Why IT security audits have become essential in 2026
In 2024, ANSSI handled 4,386 security incidents, including 1,361 confirmed incidents, representing a 15% increase compared to 2023 (source: ANSSI, Panorama de la cybermenace 2024, published in March 2025). At the same time, the CNIL received 5,629 notifications of personal data breaches, an increase of 20% year-on-year, with a doubling of breaches affecting more than one million people.
In this context, IT security audits are no longer a luxury reserved for large corporations. They are an operational and regulatory necessity for any SME that wants to protect its data, meet the requirements of the NIS2 directive, and obtain or maintain cyber insurance coverage. This guide details the practical steps for conducting an effective audit.
Sources: ANSSI, Overview of cyber threats in 2024 (March 2025) — CNIL, Activity report for 2024
What is an IT security audit?
An IT security audit is a methodical assessment of a company's entire information system: workstations, servers, network, applications, security policies, and user practices. The goal is to identify vulnerabilities, measure the level of risk, and produce a plan of priority actions.
The audit can be technical (penetration testing, vulnerability scanning, configuration analysis), organizational (review of policies, access, awareness), or compliance-based (ISO 27001, NIS2, GDPR, PCI DSS). Ideally, it combines all three dimensions. According to the Verizon DBIR 2025, 60% of breaches involve the human factor (malicious clicks, configuration errors, social engineering), which highlights the importance of an audit that is not limited to technical aspects.
Source: Verizon, Data Breach Investigations Report 2025
The 7 steps to a successful IT security audit
Step 1: Define the scope and objectives
Before any audit, it is necessary to define what is being evaluated: the entire IT system or a subset (workstations, cloud infrastructure, business applications). The objectives depend on the context: NIS2 preparation, cyber insurance renewal, post-incident, or inventory. This step determines the budget, duration, and skills required. For an SME with 50 to 200 workstations, a comprehensive scope (workstations + servers + network + policies) is recommended.
Step 2: Map assets and flows
A complete inventory of IT assets is the foundation of any audit: the number of workstations and their OS versions, physical and virtual servers, network equipment, cloud services (Microsoft 365, Azure, AWS), business applications, remote VPN access, and mobile workstations. Without accurate mapping, it is impossible to identify what is exposed. ANSSI notes that vulnerabilities affecting security equipment at the edge of IT systems (firewalls, VPNs) accounted for more than 50% of its cyberdefense operations in 2024.
Source: ANSSI, Overview of cyber threats in 2024
Step 3: Scan for vulnerabilities
Automated scanning tools (Nessus, Qualys, OpenVAS) identify known vulnerabilities: open ports, obsolete services, missing patches, dangerous default configurations. For workstations, a CIS-CAT scan assesses the level of hardening against the CIS Benchmark standards. In our experience, an unhardened Windows fleet scores an average of 30 to 40% against the CIS Benchmark. For servers, an ANSSI or CIS compliance scan also assesses the security posture. According to the Verizon DBIR 2025, exploitation of vulnerabilities now accounts for 20% of initial access vectors, up 34% year-on-year.
Source: Verizon DBIR 2025
See also our article: "Workstation hardening: A practical guide to securing Windows without crippling production."
Step 4: Test resistance (intrusion tests)
Penetration tests (pentests) simulate a real attack to assess defense capabilities: external tests (from the Internet), internal tests (from the company network), phishing tests (user resistance). These tests reveal vulnerabilities that automated scans do not detect, including complex attack chains. According to the 2025 DBIR, compromised credentials remain the primary initial access vector (22% of breaches), followed by vulnerability exploitation (20%) and phishing (16%).
Step 5: Audit policies and access
The organizational audit checks password policies, administrator rights management, backup procedures, business continuity plans, and employee awareness. A perfectly hardened workstation is useless if an administrator uses the same password everywhere. According to Microsoft, more than 99% of identity attacks are password attacks (brute force, password spraying, phishing), which places password policy and MFA at the heart of the organizational audit.
Source: Microsoft Digital Defense Report 2024
Step 6: Analyze and prioritize risks
Each vulnerability identified is classified by criticality (potential impact × likelihood of exploitation). This risk matrix is used to define remediation priorities. High-impact, low-cost actions, such as hardening Windows workstations, are addressed first. The goal is to produce a costed action plan with realistic deadlines.
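The impact × likelihood matrix described above, as an added example that is not part of the original article or the author's own method. The functions Get-RiskLevel and Get-PrioritizedFindings are names chosen for this illustration, the level thresholds are an assumption to adapt to the company's risk appetite, and the findings at the bottom are constructed sample data, not real audit results. Findings are sorted by score (highest first) and then by remediation effort (lowest first), which is what makes cheap, high-impact fixes such as workstation hardening surface at the top of the action plan.

```powershell
# Added example (not from the original article): a minimal risk-matrix
# prioritizer for audit findings. Impact and likelihood are scored 1-5 and
# score = impact x likelihood; ties are broken by lower remediation effort.

function Get-RiskLevel {
    param([Parameter(Mandatory)][int]$Score)
    # Thresholds are an assumption; adapt them to the company's risk appetite.
    switch ($Score) {
        { $_ -ge 15 } { return 'Critical' }
        { $_ -ge 10 } { return 'High' }
        { $_ -ge 5 }  { return 'Medium' }
        default       { return 'Low' }
    }
}

function Get-PrioritizedFindings {
    param([Parameter(Mandatory)][object[]]$Findings)

    # Reject out-of-range scores early: a typo here silently reorders the whole plan.
    foreach ($f in $Findings) {
        foreach ($field in 'Impact', 'Likelihood') {
            if ($f.$field -lt 1 -or $f.$field -gt 5) {
                throw "Finding '$($f.Title)': $field must be between 1 and 5"
            }
        }
    }

    $Findings |
        ForEach-Object {
            $score = $_.Impact * $_.Likelihood
            [pscustomobject]@{
                Title      = $_.Title
                Impact     = $_.Impact
                Likelihood = $_.Likelihood
                Score      = $score
                Level      = Get-RiskLevel -Score $score
                EffortDays = $_.EffortDays
            }
        } |
        Sort-Object -Property @{ Expression = 'Score'; Descending = $true },
                              @{ Expression = 'EffortDays'; Descending = $false }
}

# Constructed sample findings (hypothetical values for illustration only).
$sampleFindings = @(
    [pscustomobject]@{ Title = 'SMBv1 enabled on workstations';          Impact = 4; Likelihood = 4; EffortDays = 1 }
    [pscustomobject]@{ Title = 'Shared local admin password (no LAPS)';  Impact = 5; Likelihood = 4; EffortDays = 2 }
    [pscustomobject]@{ Title = 'VPN appliance missing vendor patches';   Impact = 5; Likelihood = 4; EffortDays = 1 }
    [pscustomobject]@{ Title = 'No MFA on Microsoft 365 admin accounts'; Impact = 5; Likelihood = 5; EffortDays = 3 }
    [pscustomobject]@{ Title = 'Backups never test-restored';            Impact = 4; Likelihood = 2; EffortDays = 5 }
    [pscustomobject]@{ Title = 'Unused printer exposed on the LAN';      Impact = 1; Likelihood = 2; EffortDays = 0.5 }
)

Get-PrioritizedFindings -Findings $sampleFindings | Format-Table -AutoSize
```

With the sample data, the missing-MFA finding (score 25) comes first, then the two score-20 findings ordered by effort (the VPN patching at 1 day before the LAPS rollout at 2 days), and the printer finding last. Replace EffortDays with an estimated cost if the action plan is costed in money rather than days; the ordering logic does not change.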
Step 7: Produce the report and action plan
The final deliverable includes the inventory, vulnerabilities discovered, risk matrix, and a prioritized action plan. This report serves as a roadmap for the IT department and as proof of due diligence for insurers and regulators. Under NIS2, it is a key element in demonstrating compliance.
Hardening: the number one recommendation that emerges from every audit
In our experience, hardening workstations is consistently one of the top three audit recommendations. A default Windows workstation comes with more than 200 active services, SMBv1 often still enabled, unrestricted PowerShell, and the same local admin password across the entire fleet. According to the Semperis 2024 report, Active Directory is the target of 9 out of 10 ransomware attacks. Fixing configuration flaws costs little (no software purchases) and drastically reduces the attack surface. It's the best effort/security ratio available.
Source: Semperis, 2024 Ransomware Risk Report
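The configuration flaws listed above (SMBv1, unrestricted PowerShell, a shared local admin password, service sprawl) can be checked locally before any hardening service is bought. The script below is an added example, not code from the original article or from IT Systèmes: a read-only posture check to run in an elevated PowerShell 5.1 or later session on one workstation. The function names New-Finding and Test-WorkstationHardening are chosen for this illustration; the running-service threshold and the LAPS detection heuristic (presence of the Windows LAPS module or of the legacy AdmPwd.dll) are assumptions. Get-SmbServerConfiguration, Get-WindowsOptionalFeature, Get-LocalUser and the ScriptBlockLogging policy key are standard Windows cmdlets and paths.

```powershell
# Added example (not from the original article and not the author's tooling):
# a read-only local posture check for the hardening points the article lists.
# It changes nothing and only reports. Run elevated so the optional-feature
# query succeeds. Thresholds and the LAPS heuristic are assumptions.

function New-Finding {
    param([string]$Check, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}

function Test-WorkstationHardening {
    [CmdletBinding()]
    param(
        # Assumed threshold: above this many running services, flag the
        # "200+ active services" default the article describes for review.
        [int]$RunningServiceThreshold = 150
    )

    $results = @()

    # 1. SMBv1: the SMB server configuration exposes EnableSMB1Protocol directly.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $smb) {
        $results += New-Finding 'SMBv1' 'UNKNOWN' 'Get-SmbServerConfiguration is unavailable on this host'
    } elseif ($smb.EnableSMB1Protocol) {
        $results += New-Finding 'SMBv1' 'FAIL' 'SMBv1 is enabled on the SMB server; disable it unless a legacy device requires it'
    } else {
        $results += New-Finding 'SMBv1' 'PASS' 'SMBv1 is disabled'
    }

    # 2a. Legacy PowerShell 2.0 engine: an optional feature that sidesteps modern logging if left installed.
    $psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue
    if ($null -eq $psv2) {
        $results += New-Finding 'PowerShell v2' 'UNKNOWN' 'Optional feature query failed (run elevated)'
    } elseif ($psv2.State -eq 'Enabled') {
        $results += New-Finding 'PowerShell v2' 'FAIL' 'Legacy PowerShell 2.0 engine is installed'
    } else {
        $results += New-Finding 'PowerShell v2' 'PASS' 'Legacy PowerShell 2.0 engine is absent or disabled'
    }

    # 2b. Script block logging: set by Group Policy under the ScriptBlockLogging key.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    if ($null -ne $sbl -and $sbl.EnableScriptBlockLogging -eq 1) {
        $results += New-Finding 'PS script block logging' 'PASS' 'Script block logging is enforced by policy'
    } else {
        $results += New-Finding 'PS script block logging' 'FAIL' 'Script block logging is not enforced by policy (no visibility into PowerShell use)'
    }

    # 2c. Execution policy: not a security boundary, but Unrestricted/Bypass at machine scope shows nothing was hardened.
    $policy = "$(Get-ExecutionPolicy -Scope LocalMachine)"
    $status = if ($policy -in @('Unrestricted', 'Bypass')) { 'WARN' } else { 'INFO' }
    $results += New-Finding 'PS execution policy' $status "LocalMachine execution policy is $policy"

    # 3. Built-in Administrator (RID 500): enabled accounts need a per-machine password, which is what LAPS provides.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
    if ($builtin -and $builtin.Enabled) {
        $results += New-Finding 'Built-in Administrator' 'WARN' "Account '$($builtin.Name)' is enabled; its password must be unique per machine"
    } else {
        $results += New-Finding 'Built-in Administrator' 'PASS' 'Built-in Administrator account is disabled'
    }
    # Heuristic (assumption): Windows LAPS ships a 'LAPS' module; legacy LAPS installs AdmPwd.dll.
    $lapsSeen = [bool](Get-Module -ListAvailable -Name LAPS) -or (Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll")
    if ($lapsSeen) {
        $results += New-Finding 'LAPS' 'PASS' 'A LAPS component is present (confirm the policy is actually applied)'
    } else {
        $results += New-Finding 'LAPS' 'FAIL' 'No LAPS component found; a shared local admin password across the fleet is likely'
    }

    # 4. Service sprawl: count running services against the assumed threshold.
    $running = @(Get-Service | Where-Object { $_.Status -eq 'Running' }).Count
    $status = if ($running -gt $RunningServiceThreshold) { 'WARN' } else { 'INFO' }
    $results += New-Finding 'Running services' $status "$running services running (threshold $RunningServiceThreshold)"

    return $results
}

$report = Test-WorkstationHardening
$report | Format-Table -AutoSize
'FAIL: {0}  WARN: {1}' -f @($report | Where-Object Status -eq 'FAIL').Count, @($report | Where-Object Status -eq 'WARN').Count
```

Every FAIL line maps to one of the findings the article calls cheap to fix, which is why this kind of check is a good first deliverable of the technical audit: it produces evidence per machine without any software purchase. Running it across the fleet (for example through the remote-management tool already in place) turns the "same password everywhere" and "SMBv1 still enabled" statements into a count that can go straight into the risk matrix.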
Discover our solutions: Protection for workstations and mobile devices—EDR, hardening, and ASR
How much does an IT security audit cost?
The cost varies depending on the scope and depth. For an SME with 50 to 200 workstations, a full audit (technical + organizational) costs between $5,000 and $15,000. A targeted penetration test costs between $3,000 and $10,000. A CIS compliance scan of workstations is included in a hardening service. These investments should be compared to the global average cost of a data breach: $4.44 million in 2025 according to IBM, and $10.22 million for US companies. In France, a cyberattack costs an SME an average of €466,000 according to Orange Cyberdefense.
Sources: IBM, Cost of a Data Breach Report 2025 — Orange Cyberdefense
Want to know the actual security level of your IT system? Book an IT security audit with IT Systèmes →