Cybersecurity

IT Security Audit Checklist: 12 Steps Before Your Next Assessment

A practical, step-by-step IT security audit checklist for business. Twelve stages from scope to remediation, with cost ranges, how often to audit, and a free starting point.

Quick Answer

An IT security audit is a structured, twelve-step review of your access controls, network, endpoints, email, backups, patching, monitoring, and compliance against the frameworks that apply to your business.

A small or mid-size business audit typically runs $3,000 to $10,000, with the overall range spanning $3,000 to $50,000 depending on size, scope, and compliance needs. Most businesses should audit at least annually, and quarterly if they are regulated or changing fast. Use the free 12-step checklist below, or take our free IT Security Assessment for an instant grade across 51 controls.

Last updated: July 10, 2026  ·  Author: Ryan Gyure, Managing Partner & Co-Founder, Unió Digital

Why audit before an assessment?

A self-audit against this checklist finds and fixes the obvious gaps before an external assessor, cyber-insurance underwriter, or compliance auditor does it for you. With the global average data breach at $4.44 million in 2025 (and a record $10.22 million in the US), the audit is cheap insurance. This checklist covers the security portion of a broader IT infrastructure assessment; use it standalone for a security review or as the security workstream of a full assessment.

An IT security audit is how you find the holes before an attacker or an auditor does. It is a structured review of the controls that keep your business safe, measured against the frameworks that apply to you. This checklist walks through twelve stages, from setting scope to producing a remediation plan, with the cost and frequency you should expect. Use it to run your own review, or as a buyer's framework when evaluating an outside firm.

1. Define Scope and Objectives

Start by deciding what the audit covers and why. Name the systems, locations, cloud tenants, and data types in scope, and the frameworks you are measuring against (NIST CSF, CIS Controls, HIPAA, PCI-DSS, CMMC). A scoped audit produces findings that map to a decision. An unscoped one produces a list nobody can act on. Write the objective in one sentence: for example, "confirm we meet cyber-insurance renewal requirements" or "close CUI gaps before a CMMC assessment."

2. Inventory Assets and Sensitive Data

You cannot secure what you have not counted. Catalog every server, workstation, laptop, mobile device, network device, and cloud service, then map where sensitive or regulated data actually lives. Most organizations are wrong about their inventory by 15 to 30 percent on the first pass. Flag shadow IT and unsanctioned SaaS, since those are the assets nobody is patching or monitoring.

3. Review Access Controls and Identity

Identity is the most-abused attack path, so this is the highest-value step. Verify multi-factor authentication on every user, every cloud service, and every remote-access method. Review permissions against role expectations and remove standing privilege where it is not needed. Hunt for stale accounts, shared admin logins, and departed employees who still have access. For the principle behind minimizing always-on admin rights, see zero standing privilege.

4. Audit Network Security

Review the network layer everything depends on. Check firewall rules and remove any that are stale or overly permissive. Confirm segmentation separates guest, IoT and camera, employee, and server traffic, because a flat network lets one compromised device reach everything. Audit wireless coverage and security, and verify remote access uses MFA with no dormant VPN accounts.

5. Verify Endpoint Protection

Confirm endpoint detection and response (EDR) is deployed to every device, not just office desktops. Remote and mobile endpoints are the ones commonly missed. Just as important: confirm someone is actually watching the alerts. Raw EDR with nobody responding at 2 a.m. is a false sense of security. For the tooling-versus-service distinction, read EDR vs MDR vs XDR, and consider managed detection and response if you have no in-house SOC.

6. Assess Email Security

Email is still the number-one entry point for attackers. Audit anti-phishing and impersonation protection, and verify SPF, DKIM, and DMARC are configured and enforced on every domain you send from. Anti-spoofing on your domain protects your customers and partners as much as your own users. For the full setup, see our guide to SPF, DKIM, and DMARC email authentication.

7. Test Backup and Recovery

Backups that have never been tested are theoretical. Confirm the 3-2-1 rule (three copies, two media types, one offsite), then run an actual restore of one server, one critical file, and one Microsoft 365 mailbox. If you cannot restore inside your documented recovery time objective, the policy is fiction. Verify third-party backup for Microsoft 365, since Microsoft does not back up your tenant beyond limited retention.

8. Review Patch and Vulnerability Management

Unpatched systems are the most common breach cause. Verify patch cadence and coverage across operating systems, third-party applications, and network and IoT firmware. Run a vulnerability scan to find what the patch process missed, then prioritize by exploitability and business impact. For a repeatable program rather than a one-time scan, see vulnerability management for business.

9. Evaluate Security Awareness Training

People are the largest attack surface, and training is the cheapest control with real impact. Review how often training runs, the results of phishing simulations, and whether employees who fail get point-of-failure coaching. A program that runs once a year at onboarding is not a program. Track the click rate over time as a leading indicator.

10. Check Logging and Monitoring

Detection depends on visibility. Confirm centralized logging is turned on across endpoints, identity, network, and cloud, and that retention meets any compliance requirement. Then confirm someone or something is watching those logs 24/7, whether through a SIEM, a managed SOC, or managed detection and response. Logs nobody reviews are just storage. Our MDR vs SIEM breakdown covers the difference between detection and retention.

11. Map Compliance and Written Policy

Map your controls to the frameworks that apply to your business (the NIST Cybersecurity Framework, CIS Controls, HIPAA, PCI-DSS, or CMMC), and identify documentation gaps. Confirm the written artifacts exist and are current: an acceptable use policy, an incident response plan, a data retention policy, and access control standards. Insurers and auditors increasingly ask to see these documents, not just the technical controls.

12. Document Findings and a Remediation Plan

The deliverable that makes an audit worth anything is the report. Convert every finding into a prioritized remediation plan with severity, likelihood, business impact, a named owner, a timeline, and a dollar estimate. Split it into 30-day, 90-day, and 12-month actions. Without an executive-ready report and an owner on each item, the audit becomes shelfware and the same gaps show up next year.

What an IT Security Audit Costs and How Often to Run One

Pricing scales with scope and compliance requirements, with the overall range running $3,000 to $50,000. Here is a realistic 2026 orientation:

Audit type Typical cost Recommended frequency
Small and mid-size business (SME)$3,000 – $10,000Annually
Large enterprise$10,000 – $30,000Annually
Multinational or complex compliance (HIPAA, PCI-DSS, CMMC)$50,000+Annually, with quarterly reviews
Self-audit against this checklistStaff timeQuarterly

Most businesses benefit from a full audit at least once a year, with lighter quarterly reviews of high-risk areas (access, patching, backups) in between. Regulated businesses and those going through rapid change should move to quarterly. Trigger an off-cycle audit after a security incident, before a compliance deadline, ahead of a cyber-insurance renewal, or during a merger or acquisition.

Frequently Asked Questions

What is an IT security audit?

An IT security audit is a structured review of an organization's security controls (access, network, endpoints, email, backups, patching, monitoring, and compliance) measured against the frameworks that apply to the business. It produces a prioritized list of gaps and a remediation plan. Audits are typically run annually, before compliance deadlines, or after a security incident.

How much does an IT security audit cost?

A small or mid-size business IT security audit typically costs $3,000 to $10,000. Large-enterprise audits run $10,000 to $30,000, and multinational or complex-compliance audits (HIPAA, PCI-DSS, CMMC) reach $50,000 or more. Overall, expect $3,000 to $50,000 depending on size, scope, and compliance needs. Running a self-audit against a checklist costs only staff time and is a sensible quarterly practice between formal audits.

How often should a business do a security audit?

Most businesses should run a comprehensive IT security audit at least annually, with lighter quarterly reviews of high-risk areas such as access controls, patching, and backups. Regulated businesses or those undergoing rapid change should audit quarterly. Run an additional audit after any security incident, before a compliance deadline, or ahead of a cyber-insurance renewal.

What is the difference between an IT security audit and an IT assessment?

An IT security audit focuses specifically on security controls and compliance, producing a gap list and remediation plan. A broader IT infrastructure assessment covers hardware, network, storage, cloud, and support in addition to security. The security audit is effectively the security workstream of a full infrastructure assessment and can be run standalone.

Can I run an IT security audit myself?

Yes. A capable IT team can self-audit against this 12-step checklist quarterly to catch the obvious gaps. For findings that inform a funding decision, a compliance certification, or a cyber-insurance renewal, an external audit carries more weight and brings specialist depth. Many businesses use a hybrid: self-audit quarterly, external audit annually.

Sources & References

Want the Audit Done for You?

Start free with our IT Security Assessment for an instant grade across 51 controls, or engage a full IT assessment with a prioritized roadmap, owners, and dollar estimates.

Request an IT Assessment
Ryan Gyure

Ryan Gyure

Co-Founder and Managing Partner

Ryan Gyure is the Co-Founder and Managing Partner at Unio Digital. With extensive experience in IT infrastructure and cybersecurity, he helps businesses build secure, efficient technology environments.

Unió Digital is an Arizona ROC-licensed contractor (ROC 327245, ROC 333580) and licensed alarm business (25254-0), serving Southern Arizona since 2016.

Connect on LinkedIn