
IT Security Audit for SMEs: The Approach That Reveals What Your IT Department Is Hiding

70% of cybersecurity audits commissioned by CIOs deliberately omit the vulnerabilities they themselves created. The proper 7-step external audit process, a downloadable checklist, and the 5 pitfalls that render 4 out of 5 audits invalid.

Why IT security audits have become essential in 2026

In 2024, ANSSI handled 4,386 security incidents, including 1,361 confirmed incidents, representing a 15% increase compared to 2023 (source: ANSSI, Panorama de la cybermenace 2024, published in March 2025). At the same time, the CNIL received 5,629 notifications of personal data breaches, an increase of 20% year-on-year, with a doubling of breaches affecting more than one million people.

In this context, IT security audits are no longer a luxury reserved for large corporations. They are an operational and regulatory necessity for any SME that wants to protect its data, meet the requirements of the NIS2 directive, and obtain or maintain cyber insurance coverage. This guide details the practical steps for conducting an effective audit.

Sources: ANSSI, Overview of cyber threats in 2024 (March 2025) — CNIL, Activity report for 2024

What is an IT security audit?

An IT security audit is a methodical assessment of a company's entire information system: workstations, servers, network, applications, security policies, and user practices. The goal is to identify vulnerabilities, measure the level of risk, and produce a plan of priority actions.

The audit can be technical (penetration testing, vulnerability scanning, configuration analysis), organizational (review of policies, access, awareness), or compliance-based (ISO 27001, NIS2, GDPR, PCI-DSS). Ideally, it combines all three dimensions. According to the Verizon DBIR 2025, 60% of breaches involve the human factor (clicks on malicious links, configuration errors, social engineering), which highlights the importance of an audit that is not limited to technical aspects.

Source: Verizon, Data Breach Investigations Report 2025

The 7 steps to a successful IT security audit

Step 1: Define the scope and objectives

Before any audit, it is necessary to define what is being evaluated: the entire IT system or a subset (workstations, cloud infrastructure, business applications). The objectives depend on the context: NIS2 preparation, cyber insurance renewal, post-incident, or inventory. This step determines the budget, duration, and skills required. For an SME with 50 to 200 workstations, a comprehensive scope (workstations + servers + network + policies) is recommended.

Step 2: Map assets and flows

A complete inventory of IT assets is the foundation of any audit: the number of workstations and their OS versions, physical and virtual servers, network equipment, cloud services (Microsoft 365, Azure, AWS), business applications, remote VPN access, and mobile workstations. Without an accurate map, it is impossible to know what is exposed. ANSSI notes that vulnerabilities affecting security equipment at the edge of IT systems (firewalls, VPNs) accounted for more than 50% of its cyberdefense operations in 2024.

Source: ANSSI, Overview of cyber threats in 2024

Step 3: Scan for vulnerabilities

Automated scanning tools (Nessus, Qualys, OpenVAS) identify known vulnerabilities: open ports, obsolete services, missing patches, dangerous default configurations. For workstations, a CIS-CAT scan assesses the level of hardening against the CIS Benchmarks. In our experience, an unhardened Windows fleet averages a CIS score of 30 to 40%. For servers, an ANSSI or CIS compliance scan likewise assesses the security posture. According to the Verizon DBIR 2025, exploitation of vulnerabilities now accounts for 20% of initial access vectors, up 34% year-on-year.

Source: Verizon DBIR 2025

See also our article: "Workstation hardening: A practical guide to securing Windows without crippling production."

Step 4: Test resistance (intrusion tests)

Penetration tests (pentests) simulate a real attack to assess defense capabilities: external tests (from the Internet), internal tests (from the company network), phishing tests (user resistance). These tests reveal vulnerabilities that automated scans do not detect, including complex attack chains. According to the 2025 DBIR, compromised credentials remain the primary initial access vector (22% of breaches), followed by vulnerability exploitation (20%) and phishing (16%).

Step 5: Audit policies and access

The organizational audit checks password policies, administrator rights management, backup procedures, business continuity plans, and employee awareness. A perfectly hardened workstation is useless if an administrator uses the same password everywhere. According to Microsoft, more than 99% of identity attacks are password attacks (brute force, password spraying, phishing), which places password policy and MFA at the heart of the organizational audit.

Source: Microsoft Digital Defense Report 2024

Step 6: Analyze and prioritize risks

Each vulnerability identified is classified by criticality (potential impact × likelihood of exploitation). This risk matrix is used to define remediation priorities. High-impact, low-cost actions, such as hardening Windows workstations, are addressed first. The goal is to produce a costed action plan with realistic deadlines.

Step 7: Produce the report and action plan

The final deliverable includes the inventory, vulnerabilities discovered, risk matrix, and a prioritized action plan. This report serves as a roadmap for the IT department and as proof of due diligence for insurers and regulators. Under NIS2, it is a key element in demonstrating compliance.
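The prioritization rule from Step 6 (criticality = potential impact × likelihood of exploitation, high-impact and low-cost actions first) and the costed plan from Step 7, carried through on constructed sample findings. This is an added example, not code from the article or from IT Systèmes; the 1-to-4 rating scale, the severity bands and every effort figure are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    title: str
    impact: int       # potential impact, 1 (low) to 4 (critical)
    likelihood: int   # likelihood of exploitation, 1 to 4
    cost_days: float  # estimated remediation effort in person-days
# Constructed sample findings (all figures hypothetical), as an auditor might record them after Steps 3 to 5.
FINDINGS = [
    Finding("SMBv1 enabled on 38 of 120 workstations", 4, 4, 2),
    Finding("No MFA on 3 domain admin accounts", 4, 3, 1),
    Finding("Identical local admin password across the fleet", 4, 3, 3),
    Finding("Edge firewall firmware 14 months out of date", 4, 4, 1),
    Finding("Offline backups never restore-tested", 3, 2, 5),
    Finding("Guest Wi-Fi bridged to the office VLAN", 3, 3, 4),
    Finding("Legacy ERP server on an end-of-life OS", 3, 3, 40),
]

def criticality(f: Finding) -> int:
    """The article's rule: criticality = potential impact x likelihood of exploitation."""
    return f.impact * f.likelihood

def severity_band(score: int) -> str:
    """Cut the 4x4 matrix into bands; the thresholds are an assumption, not from the article."""
    if score >= 12:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def prioritize(findings):
    """Highest criticality first; on equal criticality the cheapest fix first,
    so high-impact, low-cost actions such as workstation hardening lead the plan."""
    return sorted(findings, key=lambda f: (-criticality(f), f.cost_days))

def action_plan(findings):
    """Costed plan: (rank, title, band, cumulative person-days) per action."""
    plan, cumulative = [], 0.0
    for rank, f in enumerate(prioritize(findings), start=1):
        cumulative += f.cost_days
        plan.append((rank, f.title, severity_band(criticality(f)), cumulative))
    return plan

if __name__ == "__main__":
    for rank, title, band, days in action_plan(FINDINGS):
        print(f"{rank}. [{band:8}] {title} (cumulative effort: {days:g} days)")
```

The two 16-point findings come out first, and among them the one-day firewall update precedes the two-day SMBv1 removal; the expensive ERP migration lands behind cheaper fixes of equal criticality.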


IT Security Audit Checklist — 10 Essential Points

Inventory & Mapping

  • Comprehensive inventory of assets completed (workstations, servers, network, cloud, VPN)

Workstations & Servers

  • Windows workstations with a CIS-CAT score above 70%
  • SMBv1 disabled across the entire network

Access & Identities

  • MFA enabled on all administrator accounts
  • Documented and enforced password policy (minimum 12 characters)

Network & Scope

  • VPN and firewall up to date (patches applied within 30 days)

Backups & Business Continuity

  • Backups that have been tested and stored offline (3-2-1 rule)
  • Business Continuity Plan (BCP) drafted and tested

Awareness & Compliance

  • Phishing awareness training conducted in the past 12 months
  • Audit report issued within the last 12 months available
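The measurable items of the checklist above (CIS-CAT score above 70%, SMBv1 disabled, MFA on admin accounts, 12-character password policy, edge patches within 30 days, tested offline backups, training and audit report within 12 months) evaluated against a constructed inventory snapshot. This is an added example, not a tool from the article or from IT Systèmes; the snapshot layout and all hosts, accounts and dates are made up, and the two items that need human judgement (complete inventory, tested BCP) are left out.

```python
from datetime import date

# Constructed snapshot of an SME environment, shaped like an inventory export plus
# scan results (Steps 2 and 3 of the audit); every value below is made up.
SNAPSHOT = {
    "audit_date": date(2026, 6, 1),
    "workstations": [
        {"host": "WS-001", "cis_score": 82, "smb1": False},
        {"host": "WS-002", "cis_score": 35, "smb1": True},
        {"host": "WS-003", "cis_score": 74, "smb1": False},
    ],
    "admin_accounts": [{"name": "adm-alice", "mfa": True}, {"name": "adm-bob", "mfa": False}],
    "password_policy": {"documented": True, "min_length": 8},
    "edge_devices": [
        {"name": "fw-edge", "last_patch": date(2026, 5, 20)},
        {"name": "vpn-gw", "last_patch": date(2026, 3, 2)},
    ],
    "backups": {"offline_copy": True, "restore_tested": True},
    "last_phishing_training": date(2025, 9, 15),
    "last_audit_report": date(2024, 11, 1),
}

def evaluate_checklist(s):
    """Map each checklist item to (passed, detail) using the thresholds from the checklist."""
    today = s["audit_date"]
    weak_ws = [w["host"] for w in s["workstations"] if w["cis_score"] <= 70]
    smb1_ws = [w["host"] for w in s["workstations"] if w["smb1"]]
    no_mfa = [a["name"] for a in s["admin_accounts"] if not a["mfa"]]
    stale = [d["name"] for d in s["edge_devices"] if (today - d["last_patch"]).days > 30]
    pol, bk = s["password_policy"], s["backups"]
    return {
        "cis_score_above_70": (not weak_ws, f"at or below 70%: {weak_ws}"),
        "smb1_disabled": (not smb1_ws, f"SMBv1 still enabled on: {smb1_ws}"),
        "mfa_on_admins": (not no_mfa, f"admin accounts without MFA: {no_mfa}"),
        "password_policy_12": (pol["documented"] and pol["min_length"] >= 12,
                               f"minimum length is {pol['min_length']}"),
        "edge_patched_30d": (not stale, f"patches older than 30 days: {stale}"),
        "backups_tested_offline": (bk["offline_copy"] and bk["restore_tested"], ""),
        "phishing_training_12m": ((today - s["last_phishing_training"]).days <= 365, ""),
        "audit_report_12m": ((today - s["last_audit_report"]).days <= 365, ""),
    }

def failed_items(s):
    """Sorted names of the checklist items that fail, i.e. the audit's open findings."""
    return sorted(k for k, (ok, _) in evaluate_checklist(s).items() if not ok)

if __name__ == "__main__":
    for item, (ok, detail) in evaluate_checklist(SNAPSHOT).items():
        print(f"{'PASS' if ok else 'FAIL'} {item} {detail}")
```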


Hardening: the number one recommendation that emerges from every audit

In our experience, hardening workstations is consistently one of the top three audit recommendations. A default Windows workstation comes with more than 200 active services, SMBv1 often still enabled, unrestricted PowerShell, and the same local admin password across the entire fleet. According to the Semperis 2024 report, Active Directory is the target of 9 out of 10 ransomware attacks. Fixing configuration flaws costs little (no software purchases) and drastically reduces the attack surface. It's the best effort/security ratio available.

Source: Semperis, 2024 Ransomware Risk Report



How much does an IT security audit cost?

The cost varies depending on the scope and depth. For an SME with 50 to 200 workstations, a full audit (technical + organizational) costs between $5,000 and $15,000. A targeted penetration test costs between $3,000 and $10,000. A CIS compliance scan of workstations is included in a hardening service. These investments should be compared to the global average cost of a data breach: $4.44 million in 2025 according to IBM, and $10.22 million for US companies. In France, a cyberattack costs an SME an average of €466,000 according to Orange Cyberdefense.

Sources: IBM, Cost of a Data Breach Report 2025 — Orange Cyberdefense


FAQ – IT security audit

Answers to frequently asked questions about IT security audits.

What is an IT security audit?

An IT security audit is a methodical assessment of a company's information system: workstations, servers, network, applications, and security policies. The objective is to identify vulnerabilities, measure the level of risk, and produce a priority action plan with quantified recommendations.

How much does an IT security audit cost for an SME?

For an SME with 50 to 200 workstations, a comprehensive audit (technical and organizational) costs between 5,000 and 15,000 euros. A targeted penetration test costs between 3,000 and 10,000 euros. Compare this to the average cost of a cyberattack for a French SME: 466,000 euros, according to Orange Cyberdefense.

How often should an IT security audit be conducted?

The recommended frequency is at least once a year, and after every major change to the information system (cloud migration, deployment of a new application, security incident). Under NIS2, regular and documented assessments are a legal requirement for the entities concerned.

What is the difference between a security audit and a penetration test?

The security audit provides an overall assessment of security posture (technical, organizational, compliance). The penetration test (pentest) simulates a real attack to exploit vulnerabilities under operational conditions. The two are complementary: the audit identifies gaps, while the pentest measures the actual risk of exploitation.

What are the steps involved in an IT security audit?

A security audit follows seven steps: defining the scope and objectives, mapping assets and flows, scanning for vulnerabilities, intrusion testing, auditing policies and access, analyzing and prioritizing risks, and producing a report and action plan. For an SME, allow two to four weeks depending on the scope.

Do you offer IT security audits in Paris and the Île-de-France region?

IT Systèmes is based in the Île-de-France region and conducts IT security audits on-site or remotely throughout France. Contact us for an initial consultation and a quote tailored to your location and scope.
