Every organisation has processes, IT infrastructures and networks that are exposed to internal information security threats. This is because insecure systems and processes provide an ideal target for hackers and cyber criminals who can exploit your data for their own purposes.

To prevent vulnerabilities like these, an IT security audit is recommended. This involves testing IT systems in accordance with the BSI standard in order to identify existing vulnerabilities, misconfigurations and security gaps on the basis of an analysis. Based on the data and information from an IT system audit, you receive structural recommendations on how to organise your IT systems for greater IT security.

As the standard for IT security in Germany is very difficult to summarise, it is advisable for medium-sized organizations in particular to leave extensive IT system audits to the professionals. At Protektis, we have years of experience in implementing IT security audits according to our own standards and guidelines, such as BSI IT-Grundschutz and ISO 27001. Based on these, we work with our own questionnaire in the form of an IT audit, which covers all the basic topics of IT-Grundschutz and tests them according to standards. This includes topics such as information security, network security, user and rights management, securing rooms and physical systems through to administrative processes and routine tasks.

An IT audit is often seen as a time-consuming system check, which can mean possible restrictions in your work. However, we approach the process differently: instead of checking and inspecting all devices, software, networks and lines individually, we use our questionnaire for IT audits and conduct detailed interviews. The results of the examination are compared with our questionnaire. In doing so, we aim to find practical solutions that are suitable for SMEs. 

You can view your results in a detailed defect report, including graphs and percentages. We will inform you of all identified defects and possible risks. Based on this, you will receive recommendations such as measures, corrections and preventive processes to ensure maximum security.

WHY PROTEKTIS?

Comprehensive: We offer you a review of your entire systems in accordance with the usual standards and catalogues, such as the BSI basic protection. This means you can be sure that your IT security is fully guaranteed.

Prompt: Fast results - We carry out IT audits directly and without extensive preparation. To do this, we use our BSI audit catalogue, which contains 7 audit categories. These are handled manually on the basis of interviews with senior IT contacts so that you can receive your results after just 5 - 6 hours.

Documented: You receive all the results of your IT security audit in an audit report. This contains all the deficiencies that were identified during the IT system audit and recommendations for measures that define how to deal with these types of risks in the future.

Independent: We are a consulting company and not a system house. The measures that we recommend as part of our consulting services are not aimed at implementing a specific solution, but are vendor-independent. When customers commission us to support them in their search for suitable solutions, we sound out the market for offers and present several alternatives. We are happy to work with existing contacts, systems or partners in the areas of IT security, information security or data protection - whether internal or external.

SERVICE DESCRIPTION

• Review of the company's IT security based on BSI IT baseline protection and ISO 27001
• Detailed review of information security management, employee awareness, IT security management, user and rights management, documentation, emergency planning, infrastructure, power supply, network, WLAN, firewall, virus protection, data backup, patch management, monitoring including a remote inspection of the server rooms
• Evaluation of the environment found on the basis of a comprehensible percentage-based concept
• Creation of an audit report including a list of all deficiencies found
• Preparation of a brief summary for the management including the most important deficiencies, risks and recommended measures
• Handover and presentation of the results report
• Price valid for companies with up to 300 employees; price for larger companies on request.

FREQUENTLY ASKED QUESTIONS ABOUT THE IT SECURITY AUDIT

1. WHAT IS AN IT SECURITY AUDIT?
 

An IT security audit is the analysis of IT structures and the associated identification of security gaps. An audit report provides you with the results of the audit and thus an initial point of reference for planning further measures to improve IT security within your structures. These are based on the requirements of IT-Grundschutz BSI and ISO27001.

2. WHO CARRIES OUT THE AUDIT?

As a rule, our auditors carry out an IT security audit at your premises. They have a deep understanding of data processing and information transfer within organisations, companies and authorities. Our specialists carry out a review of your systems and can use the results to identify potential weaknesses and areas for improvement. The audit can be carried out using various test methods, such as question or observation criteria or documentation and checklists. At Protektis, we use a catalogue of questions based on laws and standards such as BSI IT-Grundschutz and ISO 27001 as a standard and guideline. Appropriate recommendations are made based on the results.

3. HOW LONG DOES IT TAKE TO CARRY OUT AN IT SECURITY AUDIT?

The time it takes to carry out an audit for your IT security depends on the scope of the audit. As a rule, we need one working day to a few days. For larger environments, we will consult with you to estimate the time and effort involved and also record other requirements, such as specifications from industry associations, which may also affect the duration of the audit.

4. CAN AN IT SECURITY AUDIT AFFECT YOUR INTERNAL OPERATIONS?

No, your IT systems will not be affected by our audit. Your IT systems are audited by means of a visual inspection. Unlike a penetration test, no systems are attacked in an IT security audit.

5. WHICH SYSTEMS AND APPLICATIONS CAN BE CHECKED AS PART OF AN AUDIT?

As part of an audit to increase your IT security, all devices that are accessible in the network are considered for an audit. This includes servers, clients, firewalls, switches, routers, UPS systems, video surveillance, OT systems and cloud systems.

6. HOW IS A SECURITY AUDIT FOLLOWED UP?

Following the implementation of the IT security audit, you will receive clear analysis results and recommendations for action in the form of an elaborated deficiency report. The deficiencies and recommendations described therein provide you with pragmatic and practicable measures to improve the IT security of your infrastructure.

7. HOW OFTEN SHOULD A SECURITY AUDIT BE CARRIED OUT?

Your IT security can be reviewed by means of an audit at regular intervals. It is particularly suitable to have a test carried out every time changes are made to your IT.

8. CAN AN IT AUDIT ALSO BE USEFUL IN THE CASE OF AN EXTERNAL IT PARTNER/DEPARTMENT?

Yes, an audit according to our specifications, based on IT baseline protection, is suitable regardless of the location or the person responsible for the IT system. In any case, we work together with those responsible in a trusting and targeted manner and ensure that your IT infrastructure becomes more secure. An IT security audit can be an opportunity for management to have the IT infrastructure checked by an expert third party and to identify potential weaknesses. At the same time, IT managers are given the opportunity to confirm to management the information security within their organisation based on the principles of the BSI and IT baseline protection.

9. CAN FURTHER MEASURES TO INCREASE SECURITY FOLLOW THE IT SECURITY AUDIT TO GUARANTEE EVEN MORE SECURITY?

Yes, an IT system check based on an IT audit is the perfect way to get a basic understanding of your current starting position in terms of information security. Using an audit catalogue based on BSI IT-Grundschutz and ISO 27001 standards, your existing IT infrastructure is checked using seven audit categories and over 400 questions. We focus on the following areas: Information security, compliance, infrastructure, systems, networks, security services and administration. You receive the results of the audit in the form of an audit report, which forms the basis for many of our other services. We therefore consider a security audit to be the starting point for further measures, such as risk analyses, phishing simulations or penetration tests.