
Cybersecurity Audit: Know Your Real Security Posture

Security posture assessment, compliance audits (ENS, ISO 27001, NIS2), vulnerability assessment, penetration testing management, and third-party risk evaluation.

Why companies underestimate their real attack surface

  • ENS/NIS2: assessment against Spain's and Europe's principal security frameworks
  • 100% of critical findings notified immediately — before the final report
  • 4 severity levels for every finding: critical, high, medium, low
  • 4.8/5 on Google (50+ reviews) · 25+ years experience · 5 offices in Spain · 500+ clients
Quick assessment

Does this apply to your business?

  • Do you know exactly how many of your systems are exposed to the internet and which ports are open?
  • Has an independent security posture assessment been conducted in the last 12 months?
  • Have you assessed the cybersecurity risks introduced by your critical technology suppliers into your supply chain?
  • Have your security controls been assessed against ENS, ISO 27001, or NIS2 requirements?

Our approach

Our cybersecurity audit methodology

  1. Scope definition and methodology. We agree the audit scope (systems, processes, locations, regulatory frameworks) and methodology: documentation review, interviews, technical configuration analysis, and if appropriate, coordination of penetration tests with specialist teams.

  2. Technical and compliance assessment. We assess the real security posture: network and system configurations, identity and access management, security policies and procedures, physical security controls, and compliance against applicable frameworks (ENS, ISO 27001, NIS2, GDPR).

  3. Executive and technical report. We deliver two reports: an executive report for management with the risk level, critical findings, and business impact; and a technical report with the detail of each finding, evidence, severity classification (critical/high/medium/low), and remediation recommendation.

  4. Remediation plan and follow-up. We produce a risk-prioritised remediation plan with implementation cost weighting, and conduct a follow-up assessment to verify that critical findings have been resolved.

The challenge

Most organisations significantly underestimate their actual attack surface. Cybersecurity audits consistently reveal critical vulnerabilities in systems assumed to be secure: default credentials on network devices, unpatched systems in production, privileged access accounts that have been active and unmonitored for months. Without regular independent assessment, the security posture deteriorates silently — until an incident makes it visible.

Our solution

We conduct cybersecurity audits that combine regulatory compliance assessment (ENS, ISO 27001, NIS2), technical security posture analysis, and penetration testing coordination with specialist teams. The output is an executive report with actual risk exposure and a prioritised remediation plan that enables action on what matters most first.

A cybersecurity audit is a structured, independent assessment of an organisation's information security controls, policies, and technical measures against a defined framework — typically ISO 27001:2022, the Spanish National Security Framework (Esquema Nacional de Seguridad, ENS — RD 311/2022), or the NIS2 Directive (EU 2022/2555) requirements. In Spain, the ENS is mandatory for public sector entities and their technology providers; NIS2 imposes equivalent obligations on essential and important entities across critical sectors. A cybersecurity audit identifies the gap between current controls and required standards, enabling organisations to prioritise remediation and demonstrate compliance to regulators, clients, and insurers.

Our cybersecurity audit team combines deep regulatory knowledge (ENS, ISO 27001, NIS2, GDPR) with technical expertise in system assessment, network architecture, and identity management. We conduct audits that go beyond compliance checklists to assess the organisation’s real security posture.

The Perception-Reality Gap

One of the most striking constants in audit work is the distance between internal security perception and objective reality. Companies that believe they have a solid security posture discover internet-accessible legacy systems, inactive administrator accounts with known credentials, and critical processes with no continuity measures. The IT team, often close to the systems and the daily operational pressures, is rarely best placed to conduct this assessment independently. That independence is what makes an external audit valuable.

Scope and Methodology

Our audit methodology begins with precise scope definition: which systems, processes, and locations are included; which regulatory frameworks apply; and what level of technical depth is required. For organisations with ENS obligations — which apply to suppliers of the Spanish public administration handling categorised information — the audit includes assessment against the ENS categories and the security measures each category requires. This is increasingly relevant as ENS certification becomes a standard requirement in public tenders.

Third-Party Risk: The Hidden Attack Surface

Third-party risk assessment has moved from an optional audit component to an express NIS2 requirement. A payroll software provider with access to your HR systems, or a cloud provider hosting your critical applications, introduces risks that must be actively assessed and managed. The digital supply chain is today one of the principal attack surfaces, and the most damaging incidents of recent years have originated in compromised technology suppliers. Our third-party assessment process evaluates the security practices, contract protections, and access controls of critical suppliers — and produces actionable findings, not just questionnaire scores.

Cybersecurity Audits in M&A Due Diligence

Security audit coordination in the context of corporate due diligence is a frequent use case. A cybersecurity audit of the target company in an acquisition reveals security liabilities that the acquirer will inherit: unpatched systems, unreported incidents, or supplier contracts with inadequate security clauses. Quantifying these liabilities before closing allows them to be incorporated into price negotiations or purchase agreement warranties. We have conducted security due diligence audits for transactions ranging from SME acquisitions to significant infrastructure deals.

What Happens With Critical Findings

Critical findings do not wait for the final report. When we identify vulnerabilities representing immediate risk during the assessment — an internet-exposed system without authentication, active compromised credentials — we notify management immediately so emergency measures can be taken before the full report is available. This real-time escalation process is standard in all our audit engagements, regardless of scope.

The Regulatory Compliance Track

The audit’s regulatory compliance track assesses the organisation’s adherence to applicable frameworks in parallel with the technical security assessment. For NIS2 essential and important entities, this includes Article 21 security measures — risk management, supply chain security, encryption, multi-factor authentication, and access control — and the governance obligations that directors of in-scope entities must personally meet. For organisations pursuing or maintaining ISO 27001 certification, the audit can be designed to serve as an internal audit for the purposes of the management system. The regulatory compliance track output is a distinct deliverable from the technical security report — structured for a management and board audience.

Penetration Testing: Scope and Limitations

Penetration tests are a component of a mature security audit programme, not a substitute for it. A penetration test simulates an attacker’s approach to a defined set of systems within an agreed scope and methodology. The value of a penetration test is highest when it is conducted after the audit has addressed known configuration and process weaknesses: testing an environment that has obvious systematic gaps produces findings that obscure the deeper vulnerabilities a real attacker would exploit after gaining initial access. We help organisations sequence their security investment correctly: audit first, remediate known gaps, then penetration test to surface what remains.

Audit Frequency and the Security Maturity Journey

A single cybersecurity audit is a baseline, not a programme. We design multi-year audit schedules calibrated to the organisation’s security maturity level and regulatory requirements. More mature organisations with functioning ISO 27001 management systems may rotate between full audits and targeted component reviews. For organisations operating under NIS2 obligations, the audit schedule must also align with the directive’s requirement for regular testing and review of cybersecurity risk management measures.

Sectors Most Affected

Financial services and FinTech: DORA (Digital Operational Resilience Act) mandates regular ICT risk assessments and, for significant financial institutions, threat-led penetration tests (TIBER-EU or equivalent). Financial sector cybersecurity audits must satisfy both DORA ICT risk management requirements and CNMV/Banco de España supervisory expectations. The audit scope must cover third-party ICT providers, which is one of the primary channels for financial sector incidents.

Healthcare: hospitals, clinical laboratories, and health technology companies hold special-category personal data under strict processing conditions and operate systems where availability is a patient safety concern. Ransomware in healthcare is not just a business continuity incident — it is a patient safety emergency. Audits in the healthcare sector must address both the IT/ISMS dimension and the operational technology (medical devices, clinical systems) dimension.

Public sector and critical infrastructure: ENS certification is mandatory for public entities and their technology providers. The audit scope for ENS must cover all information systems handling categorised information and produce evidence that the security measures required for the applicable ENS category (BASIC, MEDIUM, HIGH) are implemented and functioning.

Manufacturing with OT systems: factories and utilities with operational technology — SCADA systems, PLCs, industrial control systems — face a cyber risk profile fundamentally different from IT-only organisations. IT/OT convergence creates new attack surfaces, and ransomware that propagates from IT to OT networks can halt production entirely. Cybersecurity audits in this sector must include OT-specific assessment (IEC 62443 framework) alongside the IT ISMS audit.

Company Size Segmentation

SMEs (fewer than 250 employees) benefit from a focused audit covering the highest-risk areas: identity and access management, remote access security, endpoint protection, backup integrity, and phishing resilience. The output is a prioritised remediation plan with a realistic implementation timeline that the internal IT team can execute or manage with external support.

Medium companies (250-1,000 employees) require a more comprehensive scope: internal network architecture, application security, supply chain risk (third-party provider assessment), incident response capability testing, and governance framework assessment. For NIS2-obligated companies in this size range, the audit must explicitly address Art. 21 requirements and produce documentation suitable for supervisory inspection.

Large companies and corporate groups require structured audit programmes coordinated across multiple entities, sites, and IT environments. For corporate groups subject to DORA, the audit programme must also cover the ICT services provided by material third parties. We design group-level audit programmes with standardised methodology and consolidated reporting to the group board.

Worked Example: ENS Category MEDIUM Compliance Audit for a Public Sector IT Provider

A Spanish IT services company (180 employees, EUR 22 million revenue) providing cloud infrastructure services to multiple regional government clients was required to obtain ENS Category MEDIUM certification as a condition of its public sector contracts.

BMC’s cybersecurity audit managed:

  • Gap analysis against the 75 security measures in ENS Category MEDIUM (RD 311/2022).
  • Critical findings: absence of a formal security plan, insufficient access logging and monitoring, missing continuity procedures for critical services, and non-compliant incident handling procedure.
  • Remediation programme: security plan design, logging infrastructure deployment, business continuity procedure development, and incident response protocol implementation over 14 weeks.
  • ENS certification audit preparation: documentation package for the independent auditor appointed by the National Cryptologic Centre (CCN), covering all 75 required measures with evidence of implementation.
  • Certification obtained; all public sector contracts renewed.

Common Mistakes We Fix

  1. Treating a penetration test as a substitute for a comprehensive security audit. A penetration test assesses whether a skilled attacker can breach a defined perimeter or access a specific system. It does not assess governance, policy compliance, supply chain risk, or the full breadth of organisational security controls. Companies that have annual penetration tests but no structured security audit often have significant compliance gaps that the penetration test never examines.

  2. Not reviewing third-party access after the initial contract. Technology providers that have been granted remote access to critical systems during implementation are frequently left with standing access that is never reviewed or revoked. A legacy remote access account with default credentials from a systems integrator who worked on a project two years ago is one of the most common critical findings in our audits.

  3. Assuming ISO 27001 certification means NIS2 compliance. ISO 27001 certification demonstrates ISMS maturity, but NIS2 has specific requirements — particularly around incident notification timelines, board-level governance accountability, and supply chain contractual provisions — that ISO 27001 does not cover. Companies that assume certification satisfies the directive may discover material NIS2 gaps during their first supervisory inspection.

  4. Not backing up the backup system. Backup integrity is one of the most common audit findings. Companies that have backup systems but have never tested restoration from backup in a realistic disaster recovery scenario do not know whether their backups actually work. We test backup integrity and restoration procedures in every engagement where business continuity is in scope.

  5. Ignoring the human element. Technical controls — firewalls, endpoint protection, MFA — are necessary but insufficient. Social engineering (phishing, pretexting, vishing) is the primary initial access vector in the majority of significant incidents. Phishing simulation and awareness training, integrated into the audit programme, addresses the human element that technical controls cannot.
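As an added example (not BMC's own tooling or methodology), this is the standing-access review behind mistake 2, with each finding classified using the four severity levels the audit report uses; the 90-day inactivity threshold, the account fields and the sample inventory are assumptions constructed for the example.

```python
"""Stale and third-party access review (added example, not BMC's tooling).

Flags the finding class described in mistake 2: integrator or vendor access
that outlived its project, and privileged accounts nobody has used in months.
Each finding is classified critical/high/medium/low, mirroring the report.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

STALE_DAYS = 90  # assumed threshold: no login in 90 days counts as unused
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                    # "internal" or "vendor" (assumed field)
    privileged: bool              # member of an admin/root group
    remote_access: bool           # reachable from outside the network (VPN, RDP)
    last_login: Optional[date]    # None = never logged in
    access_expiry: Optional[date] # project/contract end agreed at onboarding


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str
    reason: str


def classify(acct: Account, today: date) -> Optional[Finding]:
    """Return the single most severe finding for one account, or None."""
    stale = acct.last_login is None or (today - acct.last_login).days > STALE_DAYS
    expired = acct.access_expiry is not None and acct.access_expiry < today
    vendor = acct.owner == "vendor"
    # Standing privileged remote access for a vendor whose engagement ended:
    # the "legacy integrator account" pattern from mistake 2.
    if vendor and expired and acct.remote_access and acct.privileged:
        return Finding(acct.name, "critical", "vendor privileged remote access past contract end")
    if vendor and expired:
        return Finding(acct.name, "high", "vendor access past contract end")
    if acct.privileged and stale:
        return Finding(acct.name, "high", f"privileged account unused > {STALE_DAYS} days")
    # Vendor access with no agreed end date can never be revoked on schedule.
    if vendor and acct.access_expiry is None:
        return Finding(acct.name, "medium", "vendor access with no agreed expiry date")
    if stale:
        return Finding(acct.name, "low", f"account unused > {STALE_DAYS} days")
    return None


def review(accounts: List[Account], today: date) -> List[Finding]:
    """Classify every account and order findings from critical to low."""
    findings = [f for a in accounts if (f := classify(a, today)) is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample inventory and reference date; not real audit data.
TODAY = date(2026, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("svc-integrator", "vendor", True, True, date(2024, 2, 10), date(2024, 3, 31)),
    Account("jdoe-admin", "internal", True, False, date(2025, 10, 1), None),
    Account("payroll-saas", "vendor", False, True, date(2026, 2, 27), None),
    Account("ops-admin", "internal", True, False, date(2026, 2, 28), None),
    Account("mmartin", "internal", False, False, date(2025, 9, 1), None),
]


def sample_review() -> List[Finding]:
    return review(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in sample_review():
        print(f"[{f.severity.upper():8}] {f.account}: {f.reason}")
```

The inventory would normally come from a directory export (last logon timestamps and group membership); the classification logic is the part worth keeping.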

Geographic Coverage

We conduct cybersecurity audits across Spain, with technical teams based in Madrid and Barcelona. Remote assessment capability covers all national and international locations. For organisations with ENS obligations, we coordinate with CCN-accredited auditors for the certification component. For multinational organisations, we coordinate cross-border audits in partnership with cybersecurity audit firms in other EU Member States.

How We Work

Our cybersecurity audit practice follows a structured five-phase methodology:

Phase 1 — Scope definition (1 week): agree the audit scope, regulatory frameworks applicable, systems and processes in scope, and the specific deliverables required (technical report, board summary, NIS2 compliance documentation, ENS gap analysis).

Phase 2 — Documentation and interview review (1-2 weeks): review of security policies, procedures, and governance documentation; structured interviews with IT, security, operations, and management stakeholders.

Phase 3 — Technical assessment (2-4 weeks): vulnerability assessment of in-scope systems, configuration review, network architecture assessment, identity and access management review, and supply chain risk sampling.

Phase 4 — Findings analysis and report drafting (1-2 weeks): findings classification by severity (Critical, High, Medium, Low), root cause analysis, regulatory mapping, and remediation recommendations prioritised by risk.

Phase 5 — Debrief and roadmap (1 week): management presentation, technical team debrief, and remediation roadmap development with the client’s IT team.

Standard audit turnaround: 6-10 weeks from scope agreement to final report delivery. Priority assessments for urgent situations (insurance underwriting, contract due diligence, incident follow-up) can be delivered in 3-4 weeks at an accelerated pace.

Post-audit remediation support is available as a separate engagement, providing hands-on guidance for the implementation of critical findings — particularly useful for SMEs without dedicated security engineering resource.

Company Size Segmentation

Microenterprises and SMEs (fewer than 50 employees): a focused 3-week audit covering identity and access management, remote access, endpoint protection, backup integrity, phishing resilience, and basic network segmentation. Output: a prioritised 10-15 item remediation plan. Fixed fee. This scope is designed to be implemented by a small IT team in 2-3 months.

Medium companies (50-250 employees): a comprehensive 6-8 week audit covering the full technology environment, including application security, supply chain risk, internal network architecture, incident response capability, and governance documentation. Regulatory compliance track included (NIS2, GDPR, ISO 27001 gap analysis as applicable). Output: technical report + board summary + remediation roadmap.

Large companies and corporate groups: structured audit programmes with standardised methodology across entities, consolidated group-level reporting, DORA ICT risk assessment integration (for financial groups), and ENS certification coordination. Timescales and scope defined per project.

Integration with the Virtual CISO Service

For organisations without an internal CISO or security function, the cybersecurity audit is most effectively followed by a virtual CISO engagement that provides ongoing security leadership — turning the audit findings into a continuously improving security programme rather than a one-time remediation project. The virtual CISO oversees the implementation of the audit recommendations, manages the ongoing vulnerability assessment programme, and provides board-level security reporting. This integrated audit + vCISO model is the most cost-effective security investment for medium-sized companies that cannot justify a full-time CISO salary.

Interaction with Cyber Insurance

Cyber insurance underwriters have increasingly sophisticated requirements for minimum security controls. The cybersecurity audit produces exactly the evidence that underwriters request to confirm that minimum security standards are met — and the pre-renewal security roadmap aligns the remediation priorities with the controls that most impact insurance premium and coverage capacity. We coordinate the audit output with the cyber insurance advisory to maximise the insurance efficiency of the security investments the audit recommends.

Regulatory Framework: ENS, NIS2, ISO 27001, and DORA

Spain’s cybersecurity audit market operates across four primary regulatory frameworks:

ENS (Esquema Nacional de Seguridad, RD 311/2022): mandatory for public administrations and their technology providers. Establishes three categories (BASIC, MEDIUM, HIGH) with specific security measures required for each. ENS certification is required for technology suppliers to the public sector and is increasingly requested in public tender specifications. The CCN (Centro Criptológico Nacional) oversees ENS compliance and publishes authoritative technical guidance.

NIS2 Directive (EU 2022/2555): mandatory for essential and important entities across 18 critical sectors. Art. 21 requires a formally documented risk management framework, supply chain security controls, incident notification procedures, and board-level governance accountability. Spain’s transposition is expected by June 2026.

ISO 27001:2022: the international standard for Information Security Management Systems (ISMS). Certification is a market requirement for many B2B technology suppliers and is widely used as evidence of security maturity in due diligence contexts. The 2022 revision introduced new controls covering cloud security, threat intelligence, physical security monitoring, and ICT supply chain security.

DORA (Regulation 2022/2554): mandatory for financial entities (banks, insurance companies, investment firms, payment institutions, FinTechs). Requires a documented ICT risk management framework, regular ICT risk assessments (equivalent to a cybersecurity audit), and — for significant financial institutions — annual threat-led penetration testing (TIBER-EU or equivalent). The cybersecurity audit framework under DORA is more prescriptive than ISO 27001 and has specific ICT third-party risk management requirements that do not map directly to ISO controls.

We design audit programmes that satisfy multiple frameworks simultaneously — a common requirement for organisations subject to both NIS2 and ISO 27001, or to both DORA and NIS2 — avoiding duplicative effort and producing a unified compliance evidence base.

Track record

Real results from cybersecurity audits

BMC's audit revealed that a legacy system we believed had been decommissioned had been internet-accessible with default credentials for two years. There had been potential unauthorised access we had never detected. The remediation plan they delivered has closed those gaps systematically — we have now implemented over 80% of the critical recommendations, and our insurance premium has already reflected the improvement.

Iberian Industrial Group, S.L.
Chief Information Officer

Experienced team with local insight and international reach

What our cybersecurity audit service includes

Regulatory Compliance Assessment

Audit against ENS, ISO 27001:2022, NIS2, and GDPR: documentation review, responsible-party interviews, and verification of implemented controls.

Technical Security Posture Analysis

Review of network and system configurations, identity and access management, network segmentation, patch management, and perimeter security controls.

Penetration Test Management

Management and oversight of penetration tests (external, internal, web applications, social engineering) with specialist technical teams, with results integrated into the audit report.

Third-Party Risk Assessment

Analysis of cybersecurity risks introduced by critical technology suppliers: security questionnaires, contract review, and access control assessment.

Executive Report and Remediation Plan

Executive report for management with actual risk level and business impact, and technical report with all findings classified by severity and a prioritised remediation plan.

Service Lead

Bárbara Botía Sainz de Baranda

Senior Lawyer — Legal Division

Registered no. 11,233, Málaga Bar Association (ICAM)
Law Degree, University of Murcia
BBA in Business Administration, University of Murcia

FAQ

Frequently asked questions about cybersecurity audits in Spain

A cybersecurity audit is a broad assessment of the organisation's security posture: technical and organisational controls, policies, processes, regulatory compliance, and system configurations. A penetration test is a specific technical exercise that simulates a real attack to identify exploitable vulnerabilities in specific systems. They are complementary: the audit provides the complete picture; the penetration test deepens the technical analysis of exploitable vulnerabilities.

The recommended practice is at least one full audit per year, supplemented by rapid assessments following significant infrastructure changes (new platforms, acquisitions, network architecture changes). NIS2 and ISO 27001 require periodic internal audits as part of the management system. The optimal frequency depends on the sector risk level and the organisation's security maturity.

The ENS is the Spanish information security regulatory framework for public administrations and their suppliers. If your company provides services to public organisations handling classified information, ENS compliance is likely required. ENS certification (Basic, Medium, or High categories) is an increasingly common requirement in Spanish public tenders.

Yes. Third-party risk assessment is an increasingly important component of any cybersecurity audit, and is an express requirement of NIS2. We assess the cybersecurity risks that critical technology suppliers introduce into your supply chain: security policies, incident history, contract clauses, and access controls to your systems.

The cybersecurity audit must be commissioned by management or the board — not solely by the IT department. The purpose is to provide management with an independent assessment of the organisation's real risk exposure, not an internal validation. Findings from an audit commissioned exclusively by IT rarely reach the board with the gravity and business context needed to drive decisions.

When we identify critical vulnerabilities during assessment — internet-exposed assets without authentication, compromised credentials, unpatched systems with known exploits — we immediately notify management and the technical lead before the formal report is completed. Remediation of critical vulnerabilities does not wait for the report.

Yes. Physical security — access control to server rooms and data centres, CCTV coverage, clean desk policy, visitor management — is a component of ISO 27001 and ENS audits. We assess physical controls alongside technical and organisational ones to provide a complete view of the security posture.

The audit report is an internal, confidential document. However, it can serve as the basis for a regulatory compliance declaration (alongside remediation evidence) or for responding to client security questionnaires. In the NIS2 context, a documented audit and remediation plan are concrete evidence that the organisation is actively managing its security risks — which is precisely what supervisory authorities look for.

First step

Start with a free diagnostic

Our team of specialists, with deep knowledge of the Spanish and European market, will guide you from day one.
