The 12-Step Checklist
- Define scope and objectives
- Inventory assets and sensitive data
- Review access controls and identity
- Audit network security
- Verify endpoint protection
- Assess email security
- Test backup and recovery
- Review patch and vulnerability management
- Evaluate security awareness training
- Check logging and monitoring
- Map compliance and written policy
- Document findings and a remediation plan
An IT security audit is how you find the holes before an attacker or an auditor does. It is a structured review of the controls that keep your business safe, measured against the frameworks that apply to you. This checklist walks through twelve stages, from setting scope to producing a remediation plan, with the cost and frequency you should expect. Use it to run your own review, or as a buyer's framework when evaluating an outside firm.
1. Define Scope and Objectives
Start by deciding what the audit covers and why. Name the systems, locations, cloud tenants, and data types in scope, and the frameworks you are measuring against (NIST CSF, CIS Controls, HIPAA, PCI-DSS, CMMC). A scoped audit produces findings that map to a decision. An unscoped one produces a list nobody can act on. Write the objective in one sentence: for example, "confirm we meet cyber-insurance renewal requirements" or "close CUI gaps before a CMMC assessment."
2. Inventory Assets and Sensitive Data
You cannot secure what you have not counted. Catalog every server, workstation, laptop, mobile device, network device, and cloud service, then map where sensitive or regulated data actually lives. Most organizations are wrong about their inventory by 15 to 30 percent on the first pass. Flag shadow IT and unsanctioned SaaS, since those are the assets nobody is patching or monitoring.
3. Review Access Controls and Identity
Identity is the most-abused attack path, so this is the highest-value step. Verify multi-factor authentication on every user, every cloud service, and every remote-access method. Review permissions against role expectations and remove standing privilege where it is not needed. Hunt for stale accounts, shared admin logins, and departed employees who still have access. For the principle behind minimizing always-on admin rights, see zero standing privilege.
4. Audit Network Security
Review the network layer everything depends on. Check firewall rules and remove any that are stale or overly permissive. Confirm segmentation separates guest, IoT and camera, employee, and server traffic, because a flat network lets one compromised device reach everything. Audit wireless coverage and security, and verify remote access uses MFA with no dormant VPN accounts.
5. Verify Endpoint Protection
Confirm endpoint detection and response (EDR) is deployed to every device, not just office desktops. Remote and mobile endpoints are the ones commonly missed. Just as important: confirm someone is actually watching the alerts. Raw EDR with nobody responding at 2 a.m. is a false sense of security. For the tooling-versus-service distinction, read EDR vs MDR vs XDR, and consider managed detection and response if you have no in-house SOC.
6. Assess Email Security
Email is still the number-one entry point for attackers. Audit anti-phishing and impersonation protection, and verify SPF, DKIM, and DMARC are configured and enforced on every domain you send from. Anti-spoofing on your domain protects your customers and partners as much as your own users. For the full setup, see our guide to SPF, DKIM, and DMARC email authentication.
7. Test Backup and Recovery
Backups that have never been tested are theoretical. Confirm the 3-2-1 rule (three copies, two media types, one offsite), then run an actual restore of one server, one critical file, and one Microsoft 365 mailbox. If you cannot restore inside your documented recovery time objective, the policy is fiction. Verify third-party backup for Microsoft 365, since Microsoft does not back up your tenant beyond limited retention.
8. Review Patch and Vulnerability Management
Unpatched systems are the most common breach cause. Verify patch cadence and coverage across operating systems, third-party applications, and network and IoT firmware. Run a vulnerability scan to find what the patch process missed, then prioritize by exploitability and business impact. For a repeatable program rather than a one-time scan, see vulnerability management for business.
9. Evaluate Security Awareness Training
People are the largest attack surface, and training is the cheapest control with real impact. Review how often training runs, the results of phishing simulations, and whether employees who fail get point-of-failure coaching. A program that runs once a year at onboarding is not a program. Track the click rate over time as a leading indicator.
10. Check Logging and Monitoring
Detection depends on visibility. Confirm centralized logging is turned on across endpoints, identity, network, and cloud, and that retention meets any compliance requirement. Then confirm someone or something is watching those logs 24/7, whether through a SIEM, a managed SOC, or managed detection and response. Logs nobody reviews are just storage. Our MDR vs SIEM breakdown covers the difference between detection and retention.
11. Map Compliance and Written Policy
Map your controls to the frameworks that apply to your business (the NIST Cybersecurity Framework, CIS Controls, HIPAA, PCI-DSS, or CMMC), and identify documentation gaps. Confirm the written artifacts exist and are current: an acceptable use policy, an incident response plan, a data retention policy, and access control standards. Insurers and auditors increasingly ask to see these documents, not just the technical controls.
12. Document Findings and a Remediation Plan
The deliverable that makes an audit worth anything is the report. Convert every finding into a prioritized remediation plan with severity, likelihood, business impact, a named owner, a timeline, and a dollar estimate. Split it into 30-day, 90-day, and 12-month actions. Without an executive-ready report and an owner on each item, the audit becomes shelfware and the same gaps show up next year.
What an IT Security Audit Costs and How Often to Run One
Pricing scales with scope and compliance requirements, with the overall range running $3,000 to $50,000. Here is a realistic 2026 orientation:
| Audit type | Typical cost | Recommended frequency |
|---|---|---|
| Small and mid-size business (SME) | $3,000 – $10,000 | Annually |
| Large enterprise | $10,000 – $30,000 | Annually |
| Multinational or complex compliance (HIPAA, PCI-DSS, CMMC) | $50,000+ | Annually, with quarterly reviews |
| Self-audit against this checklist | Staff time | Quarterly |
Most businesses benefit from a full audit at least once a year, with lighter quarterly reviews of high-risk areas (access, patching, backups) in between. Regulated businesses and those going through rapid change should move to quarterly. Trigger an off-cycle audit after a security incident, before a compliance deadline, ahead of a cyber-insurance renewal, or during a merger or acquisition.
Frequently Asked Questions
What is an IT security audit?
An IT security audit is a structured review of an organization's security controls (access, network, endpoints, email, backups, patching, monitoring, and compliance) measured against the frameworks that apply to the business. It produces a prioritized list of gaps and a remediation plan. Audits are typically run annually, before compliance deadlines, or after a security incident.
How much does an IT security audit cost?
A small or mid-size business IT security audit typically costs $3,000 to $10,000. Large-enterprise audits run $10,000 to $30,000, and multinational or complex-compliance audits (HIPAA, PCI-DSS, CMMC) reach $50,000 or more. Overall, expect $3,000 to $50,000 depending on size, scope, and compliance needs. Running a self-audit against a checklist costs only staff time and is a sensible quarterly practice between formal audits.
How often should a business do a security audit?
Most businesses should run a comprehensive IT security audit at least annually, with lighter quarterly reviews of high-risk areas such as access controls, patching, and backups. Regulated businesses or those undergoing rapid change should audit quarterly. Run an additional audit after any security incident, before a compliance deadline, or ahead of a cyber-insurance renewal.
What is the difference between an IT security audit and an IT assessment?
An IT security audit focuses specifically on security controls and compliance, producing a gap list and remediation plan. A broader IT infrastructure assessment covers hardware, network, storage, cloud, and support in addition to security. The security audit is effectively the security workstream of a full infrastructure assessment and can be run standalone.
Can I run an IT security audit myself?
Yes. A capable IT team can self-audit against this 12-step checklist quarterly to catch the obvious gaps. For findings that inform a funding decision, a compliance certification, or a cyber-insurance renewal, an external audit carries more weight and brings specialist depth. Many businesses use a hybrid: self-audit quarterly, external audit annually.
Sources & References
- NIST Cybersecurity Framework (CSF 2.0): NIST Cybersecurity Framework — the control taxonomy to map findings against.
- CIS Critical Security Controls: CIS Controls v8 — a prioritized baseline of practical safeguards.
- Breach cost data: IBM Cost of a Data Breach Report 2025 — global average $4.44M, US average $10.22M.
- Audit cost ranges: Astra, How Much Does an IT Security Audit Cost (2026).
Want the Audit Done for You?
Start free with our IT Security Assessment for an instant grade across 51 controls, or engage a full IT assessment with a prioritized roadmap, owners, and dollar estimates.
Request an IT Assessment