How cyber security audits can protect your business: Optimising IT expert insight

Issues with IT systems need to be identified before they can be addressed, so to prevent any vulnerabilities from being exploited, security audits are the place to start, according to Optimising IT.

While the threat of data breaches and hackers is concerning for your business, knowing you’ve done everything in your power to secure your systems is key to greater peace of mind.

SoGlos spoke to award-winning provider of cyber focussed IT support and consultancy, Optimising IT, about cyber security audits and why putting the right measures in place can avoid hefty repair and recovery costs.

About the expert – Todd Gifford, chief technical officer at Optimising IT

Specialising in all things cyber, Todd Gifford is an ISO27001 lead auditor with CISSP (Certified Information Systems Security Professional) certification and over 20 years’ experience in IT – including seven at Optimising IT.

Through his blogs, he is regularly invited to join in panel discussions on the latest cyber security trends so is ideally placed to advise businesses on best practice.

For more information, visit

What does a security audit involve?

Security audits can focus on a single website or e-commerce provider, or be more wide-ranging, encompassing all things IT and data.

One or more common standards may be used for comparison with your organisation’s current approach, such as Cyber Essentials or ISO27001.

They can also be 100 per cent bespoke and include technical security testing, if required – it all depends on the context and risk level of your organisation.

As a construction firm or a distribution company for example, your information security risk profile will be very different to a government contractor or an organisation that holds medical records.

Why is auditing important?

Year on year, we see the scale and impact of cyber-attacks increasing. Whilst most attacks are financially motivated, how cyber criminals extract money from your organisation can have a devastating effect on operations and potentially lead to a loss of reputation, as well as regulatory fines.

Many organisations have had their operations impacted for months on end and some have failed as a direct result of a cyber-attack.

As with many things, prevention is better than cure.

Who should be implementing them?

Any organisation that uses computers and data to operate would benefit from a detailed understanding of its current cyber approach; that is most organisations.

The critical outputs from any security audits are:

• A clear, business-focused overview that enables the top-level management to make informed decisions about improvements,

• A detailed report indicating the areas reviewed and their status,

• Clear, easy to follow actions to improve the organisation’s cyber security.

How long does an audit take?

Depending on the scope of the audit and the size and complexity of the organisation being audited, it can take between two days and two weeks.

Typically, most audits we carry out for mid-sized organisations take five days, with additional time for any technical or penetration testing activity.

What does a good audit look like, in terms of findings?

A good audit identifies information that wasn’t previously known. In turn, this enables organisations to make informed decisions about making improvements to mitigate risk.

Audits often get a bad rep, but they are simply a structured way to identify facts that are used to inform the decision-making process.

How often should you have a cyber security audit?

The world of cyber security moves quickly and organisations evolve with new systems, suppliers and business operations.

The audit frequency depends on your organisation’s requirements, but we would recommend at least an annual review to ensure everything is on track.

Do these audits need to be outsourced, or can they be done in-house? Who is qualified to conduct them?

A competent and experienced auditor should always complete audits. An external auditor ensures a quality outcome with up-to-date advice; it also helps to ensure impartiality.

If you have a large enough team with the right skills, a mix of internal review and use of an external consultant offers a good mix of value and impartiality.

How do you go about organising an audit and what needs to be done in preparation?

If you haven’t carried out a cyber security audit before, here are the key steps we recommend:

• Find a partner that you can work with,

• Work with your internal teams and your chosen partner to identify the scope of the planned audit,

• Schedule the audit. Typically, at least the IT team or IT provider will have a large amount of input into the process, but other departments and key staff will also likely need to be involved,

• If the agreed audit scope follows a well-known standard, such as Cyber Essentials or ISO27001, typically, an audit questionnaire can be shared ahead of the audit to enable information gathering and preparation.

Your chosen audit partner should provide you with an easy-to-follow guide about the steps any audit will take and what is needed from you to make it a success.

For more information about Optimising IT, visit

© SoGlos
Friday 21 January 2022
