How to Conduct a Cybersecurity Audit

Forty-two percent of Canadian organizations experienced a data breach in the past twelve months. The 2025 CIRA Cybersecurity Survey puts it plainly: knowing you have controls in place is not the same as knowing whether those controls work. A cybersecurity audit is how you find out.
An audit is a structured review of your security posture against a defined standard. For Canadian organizations, those standards include the CCCS ITSG-33 for government departments, the CCCS Baseline Cyber Security Controls for smaller organizations, and the recently launched Canadian Program for Cyber Security Certification (CPCSC) for defence suppliers. The process is the same regardless of which framework applies: you define scope, gather evidence, test controls, and report findings.
Step 1: Define Your Scope
Every audit starts with a boundary decision. You need to determine which systems, networks, data stores, and processes you are assessing. Trying to audit everything at once is a mistake. It creates scope creep, depletes resources, and produces findings too diffuse to act on.
Start by identifying your most critical assets. What holds sensitive data? What would stop operations if it failed? What connects your network to the outside world? Prioritize those. Document what is in scope, what is out, and why. The rationale protects you when stakeholders ask why certain systems were not reviewed.
Step 2: Build Your Asset Inventory
You cannot audit what you do not know exists. Before testing any control, produce a current inventory of every asset in scope — servers, endpoints, cloud instances, SaaS tools, network devices, and third-party integrations. Canada’s Office of the Auditor General flagged this exact problem in its October 2025 report on federal cyber security: Shared Services Canada still lacked a complete, up-to-date inventory of government IT assets despite starting the project in 2017. An incomplete inventory means controls go untested and gaps remain hidden.
Include ownership information for each asset. When a finding emerges, you need to know immediately who is accountable for remediation.
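One way to turn the inventory step into a repeatable check, as an added example that is not code from the original article: reconcile what the CMDB says exists against what discovery actually observed, and flag anything with no accountable owner. The asset names, the inventory records and the observed host set below are constructed sample data; in practice the inputs would be a CMDB export plus network-scan and cloud-API discovery.

```python
"""Reconcile the in-scope asset inventory against discovery output.

Added example, not code from the original article. The inventory, the
observed host set and the asset names are constructed sample data; real
input would be a CMDB export plus network-scan and cloud-API discovery.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str                  # server, endpoint, cloud, saas, network, third-party
    owner: str                 # accountable person or team; "" means unassigned
    internet_facing: bool = False
    holds_sensitive_data: bool = False


# Constructed sample inventory: what the CMDB says exists.
INVENTORY = [
    Asset("web-01", "server", "platform-team", internet_facing=True),
    Asset("db-01", "server", "data-team", holds_sensitive_data=True),
    Asset("fw-edge", "network", "", internet_facing=True),          # nobody owns it
    Asset("hr-saas", "saas", "people-ops", holds_sensitive_data=True),
]

# Constructed sample discovery output: what a scan and a cloud API actually saw.
OBSERVED = {"web-01", "db-01", "fw-edge", "jump-02", "s3-backups"}


def reconcile(inventory, observed):
    """Return the three gaps an auditor needs closed before testing any control.

    unknown: observed but never documented, so no control gets tested on it
    missing: documented but not observed (a stale record, or a source such as
             SaaS that a network scan cannot see and that needs its own discovery)
    unowned: documented with no accountable owner for remediation
    """
    known = {a.name for a in inventory}
    return {
        "unknown": sorted(observed - known),
        "missing": sorted(known - observed),
        "unowned": sorted(a.name for a in inventory if not a.owner.strip()),
    }


def priority_order(inventory):
    """Order in-scope assets for review: internet-facing first, then those
    holding sensitive data, then everything else (alphabetical within a tier)."""
    def tier(a):
        return (not a.internet_facing, not a.holds_sensitive_data, a.name)
    return [a.name for a in sorted(inventory, key=tier)]


if __name__ == "__main__":
    for label, names in reconcile(INVENTORY, OBSERVED).items():
        print(f"{label:8s} {', '.join(names) or '-'}")
    print("review order:", " > ".join(priority_order(INVENTORY)))
```

The "missing" bucket is worth reading carefully before closing a record: hr-saas is absent from the observed set because a network scan cannot see a SaaS tenant, so the right action is a second discovery source, not deleting the record.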
Step 3: Review Access Controls
Access control failures are consistently among the top causes of breaches. Your audit should examine who has access to what, whether access is appropriate, and whether it is being actively managed.
Check for overprivileged accounts — users with administrative rights who do not need them. Verify multi-factor authentication is enforced on all externally accessible systems. Confirm terminated employees and contractors no longer have active credentials. Review service accounts and check whether shared credentials are in use anywhere in your environment.
The CCCS Baseline Cyber Security Controls for Small and Medium Organizations (SMOs) specifically require organizations to manage privileged access and enforce least-privilege principles. For federal departments, ITSG-33 maps this to its Access Control family of security controls.
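The four checks in this step can be run mechanically over an account export joined to the HR system of record. The script below is an added example, not code from the original article: the account rows, the termination list, the list of externally reachable systems and the approved-admin entitlements are all constructed sample data, and the user and system names are hypothetical.

```python
"""Access review over an account export.

Added example, not code from the original article. The account rows, the
HR termination list, the external-system list and the approved-admin list
are constructed sample data; user and system names are hypothetical.
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed export: one row per identity per system.
ACCOUNTS = [
    {"user": "alice", "system": "vpn", "admin": False, "mfa": True,  "status": "active",   "shared": False},
    {"user": "bob",   "system": "vpn", "admin": True,  "mfa": False, "status": "active",   "shared": False},
    {"user": "carol", "system": "erp", "admin": True,  "mfa": True,  "status": "active",   "shared": False},
    {"user": "dave",  "system": "erp", "admin": False, "mfa": True,  "status": "active",   "shared": False},
    {"user": "erin",  "system": "erp", "admin": False, "mfa": True,  "status": "disabled", "shared": False},
    {"user": "svc-backup", "system": "fileserver", "admin": True, "mfa": False, "status": "active", "shared": True},
]
HR_TERMINATED = {"dave", "erin"}          # from the HR system of record
EXTERNAL_SYSTEMS = {"vpn", "webmail"}     # reachable from the internet
APPROVED_ADMINS = {("carol", "erp")}      # documented, approved admin entitlements


def review_access(accounts, terminated, external_systems, approved_admins):
    """Apply the four checks from the audit step; return findings sorted by severity."""
    findings = []

    def add(severity, issue, row):
        findings.append({"severity": severity, "issue": issue,
                         "user": row["user"], "system": row["system"]})

    for row in accounts:
        active = row["status"] == "active"
        key = (row["user"], row["system"])
        # 1. Terminated people must not hold active credentials anywhere.
        if active and row["user"] in terminated:
            add("critical", "terminated-user-still-active", row)
        # 2. Admin rights must trace back to a documented, approved entitlement.
        if row["admin"] and key not in approved_admins:
            add("high", "admin-rights-not-approved", row)
        # 3. Every active account on an externally reachable system needs MFA.
        if active and row["system"] in external_systems and not row["mfa"]:
            add("high", "external-system-without-mfa", row)
        # 4. Shared credentials break accountability and should be named.
        if row["shared"]:
            add("medium", "shared-credential", row)
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["user"], f["issue"]))
    return findings


def summarize(findings):
    """Count findings per severity for the report."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    result = review_access(ACCOUNTS, HR_TERMINATED, EXTERNAL_SYSTEMS, APPROVED_ADMINS)
    for f in result:
        print(f"{f['severity']:8s} {f['issue']:30s} {f['user']}@{f['system']}")
    print(summarize(result))
```

Note that erin, who is terminated but already disabled, produces no finding: the check is on active credentials, which is what the audit question asks. The service account produces two findings because unapproved admin rights and a shared credential are separate gaps with separate fixes.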
Step 4: Test Configuration and Patch Status
Misconfiguration is the single largest source of preventable exposure. During your audit, review the configuration of firewalls, routers, cloud storage buckets, and identity platforms against documented baselines. Common failures include open ports with no business justification, publicly accessible storage with no access policy, and default credentials left unchanged on network equipment.
Patch status requires its own review. Pull a report of all systems in scope and check for outstanding critical patches. Prioritize internet-facing systems and those holding sensitive data. A vulnerability left unpatched for ninety days is no longer a gap — it is a liability.
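The configuration review and the patch review in this step can share one script. The example below is added here and is not code from the original article: it compares configuration snapshots against a documented baseline for the three common failures named above, then ranks outstanding critical patches so that internet-facing and sensitive-data assets come first and anything past ninety days is marked overdue. The baseline, the device snapshots, the patch list and the dates are constructed sample data; the patch identifiers are placeholders.

```python
"""Configuration-baseline and patch-age checks.

Added example, not code from the original article. The baseline, the device
snapshots, the patch list and the dates are constructed sample data; asset
names and patch identifiers are hypothetical placeholders.
"""
from datetime import date

AUDIT_DATE = date(2026, 1, 15)            # constructed "as of" date

# Documented baseline the configurations are compared against.
BASELINE = {"allowed_ports": {22, 443}}

# Constructed configuration snapshots. "justified_ports" holds the recorded
# business justification for any port outside the baseline ("" = none recorded).
CONFIGS = [
    {"asset": "fw-edge", "open_ports": {22, 443, 8080}, "justified_ports": {8080: ""},
     "default_credentials": False, "public_storage": False},
    {"asset": "backup-bucket", "open_ports": set(), "justified_ports": {},
     "default_credentials": False, "public_storage": True},
    {"asset": "core-switch", "open_ports": {22, 161}, "justified_ports": {161: "SNMP polling by NMS"},
     "default_credentials": True, "public_storage": False},
]

# Exposure attributes per asset, used to prioritise patching.
EXPOSURE = {
    "fw-edge":       {"internet_facing": True,  "sensitive": False},
    "backup-bucket": {"internet_facing": True,  "sensitive": True},
    "core-switch":   {"internet_facing": False, "sensitive": False},
    "db-01":         {"internet_facing": False, "sensitive": True},
}

# Constructed list of outstanding critical patches and their release dates.
OUTSTANDING_PATCHES = [
    {"asset": "fw-edge",     "patch": "PATCH-PLACEHOLDER-A", "released": date(2025, 9, 1)},
    {"asset": "db-01",       "patch": "PATCH-PLACEHOLDER-B", "released": date(2025, 12, 20)},
    {"asset": "core-switch", "patch": "PATCH-PLACEHOLDER-C", "released": date(2025, 11, 1)},
]


def check_configs(configs, baseline):
    """Flag the three common failures named in the audit step."""
    findings = []
    for c in configs:
        outside = c["open_ports"] - baseline["allowed_ports"]
        # A port outside the baseline is acceptable only with a recorded justification.
        unjustified = sorted(p for p in outside if not c["justified_ports"].get(p, "").strip())
        if unjustified:
            findings.append((c["asset"], "open-port-without-justification", unjustified))
        if c["public_storage"]:
            findings.append((c["asset"], "publicly-accessible-storage", None))
        if c["default_credentials"]:
            findings.append((c["asset"], "default-credentials-unchanged", None))
    return findings


def prioritise_patches(patches, exposure, as_of, max_age_days=90):
    """Rank outstanding patches: internet-facing first, then sensitive-data
    assets, then oldest first. Anything older than max_age_days is overdue."""
    rows = []
    for p in patches:
        age = (as_of - p["released"]).days
        exp = exposure.get(p["asset"], {"internet_facing": False, "sensitive": False})
        rows.append({"asset": p["asset"], "patch": p["patch"], "age_days": age,
                     "overdue": age > max_age_days, **exp})
    rows.sort(key=lambda r: (not r["internet_facing"], not r["sensitive"], -r["age_days"]))
    return rows


if __name__ == "__main__":
    for asset, issue, detail in check_configs(CONFIGS, BASELINE):
        print(f"{asset:14s} {issue} {detail or ''}")
    for r in prioritise_patches(OUTSTANDING_PATCHES, EXPOSURE, AUDIT_DATE):
        flag = "OVERDUE" if r["overdue"] else "open"
        print(f"{r['asset']:14s} {r['patch']} {r['age_days']:4d} days {flag}")
```

The SNMP port on core-switch is deliberately left out of the findings because a justification is on record; the audit question is not "is the port open" but "is there a documented reason". The patch ranking puts db-01 ahead of core-switch even though its patch is newer, because exposure, not age, is the first sort key.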
Step 5: Review Audit Logs and Monitoring Coverage
Your organization should be logging authentication events, privilege use, configuration changes, and remote access sessions. During the audit, verify logs exist for each in-scope system and confirm they are being retained for the required period. In Canada, many privacy and security frameworks require a minimum of twelve months of log retention.
Check whether anyone is reviewing those logs. Logging without review provides only forensic value after the fact. Your audit should confirm a monitoring process exists, whether through a SIEM, a managed service, or a manual review schedule.
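Both halves of this step, coverage and review, can be expressed as a matrix of in-scope systems against required event types. The script below is an added example, not code from the original article; the in-scope list, the per-source data and the dates are constructed sample data standing in for what a SIEM or log platform would export, and the system names are hypothetical.

```python
"""Log-coverage and monitoring check across in-scope systems.

Added example, not code from the original article. The in-scope list, the
per-source data and the dates are constructed sample data standing in for
what a SIEM or log platform would export; system names are hypothetical.
"""
from datetime import date

REQUIRED_EVENTS = {"authentication", "privilege_use", "config_change", "remote_access"}
MIN_RETENTION_DAYS = 365          # the twelve-month floor the audit step describes
MAX_REVIEW_AGE_DAYS = 30          # a review older than this is treated as lapsed
AUDIT_DATE = date(2026, 1, 15)    # constructed "as of" date

IN_SCOPE = ["vpn", "erp", "fw-edge", "db-01"]

# Constructed view of what the log platform reports per source. db-01 is in
# scope but has no entry at all: it is not being logged.
LOG_SOURCES = {
    "vpn":     {"events": {"authentication", "remote_access"}, "retention_days": 400,
                "last_reviewed": date(2026, 1, 10)},
    "erp":     {"events": set(REQUIRED_EVENTS), "retention_days": 180,
                "last_reviewed": None},
    "fw-edge": {"events": {"config_change"}, "retention_days": 365,
                "last_reviewed": date(2025, 10, 1)},
}


def assess_logging(in_scope, sources, as_of):
    """Per system: which required event types are missing, whether retention
    meets the floor, and whether anyone reviewed the logs recently."""
    report = {}
    for system in in_scope:
        src = sources.get(system)
        if src is None:
            # In scope, but the log platform has never heard of it.
            report[system] = {"logging": False, "missing_events": sorted(REQUIRED_EVENTS),
                              "retention_ok": False, "reviewed": False}
            continue
        last = src["last_reviewed"]
        report[system] = {
            "logging": True,
            "missing_events": sorted(REQUIRED_EVENTS - src["events"]),
            "retention_ok": src["retention_days"] >= MIN_RETENTION_DAYS,
            "reviewed": last is not None and (as_of - last).days <= MAX_REVIEW_AGE_DAYS,
        }
    return report


def coverage_ratio(report):
    """Share of (system, event type) pairs that are actually being logged."""
    total = len(report) * len(REQUIRED_EVENTS)
    covered = sum(len(REQUIRED_EVENTS) - len(r["missing_events"]) for r in report.values())
    return covered / total if total else 0.0


if __name__ == "__main__":
    result = assess_logging(IN_SCOPE, LOG_SOURCES, AUDIT_DATE)
    for system, r in result.items():
        print(f"{system:8s} logging={r['logging']} retention_ok={r['retention_ok']} "
              f"reviewed={r['reviewed']} missing={r['missing_events']}")
    print(f"coverage: {coverage_ratio(result):.0%}")
```

The erp source illustrates the point the step makes about review: every required event type is collected, yet it fails twice, once on retention and once because nobody has ever looked at the logs. A coverage percentage on its own would have hidden both gaps.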
Step 6: Assess Third-Party Risk
Your security posture depends on the vendors and partners connected to your systems. During the audit, identify all third parties with network access or data processing agreements. Review whether security requirements are embedded in the contracts. Confirm access is scoped to what each party needs and termination procedures are defined.
CPCSC Level 1, which became required in select defence contracts in 2026, includes supplier self-assessment requirements specifically because third-party risk in the defence supply chain is now a national security concern. The same logic applies to any organization operating in regulated sectors.
Step 7: Document Findings and Prioritize Remediation
Your audit report needs to communicate risk clearly to both technical and executive audiences. Structure findings by severity — critical, high, medium, low — and map each finding to the relevant control or framework requirement. Include the evidence you gathered, the business impact of the gap, and a recommended remediation action.
Assign an owner and a target remediation date to every finding. An audit with findings and no accountability attached does not improve security — it documents risk and leaves it in place.
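A findings register that enforces the structure described in this step, as an added example rather than code from the original article: each finding carries severity, control mapping, evidence, impact and remediation, the report orders them critical to low with counts for the executive summary, and a validation pass refuses to call the audit complete while any finding lacks an owner or a realistic target date. The findings, owners, dates and control references below are constructed sample data; the control references only illustrate the mapping and are not an authoritative framework crosswalk.

```python
"""Findings register with severity ordering and accountability checks.

Added example, not code from the original article. The findings, owners,
dates and control references are constructed sample data; the control
references illustrate the mapping the audit step describes and are not an
authoritative framework crosswalk.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
AUDIT_DATE = date(2026, 1, 15)    # constructed report date


@dataclass
class Finding:
    id: str
    title: str
    severity: str
    control_ref: str          # framework requirement the gap maps to (illustrative)
    evidence: str             # what was observed, so a reader can verify it
    impact: str               # business consequence of leaving the gap open
    remediation: str          # recommended action
    owner: str = ""           # accountable person or team
    due: Optional[date] = None


# Constructed sample findings, as an audit of the earlier steps might record them.
FINDINGS = [
    Finding("F-001", "Terminated user still active in ERP", "critical",
            "ITSG-33 Access Control family (illustrative)",
            "HR shows user terminated; ERP account still active",
            "Former employee can still reach payroll data",
            "Disable the account and fix the offboarding hook",
            owner="identity-team", due=date(2026, 1, 22)),
    Finding("F-002", "Backup storage publicly accessible", "high",
            "CCCS Baseline Controls, secure configuration (illustrative)",
            "Bucket listing succeeds without authentication",
            "Backup data exposed to anyone on the internet",
            "Apply a private access policy and verify",
            owner="platform-team", due=date(2026, 1, 29)),
    Finding("F-003", "Perimeter firewall logs not reviewed since October", "medium",
            "ITSG-33 Audit and Accountability family (illustrative)",
            "Last documented review 2025-10-01",
            "Intrusions at the perimeter go unnoticed",
            "Add the firewall to the weekly SIEM review",
            owner="", due=None),                               # no accountability attached
    Finding("F-004", "Port 8080 open on edge firewall without justification", "low",
            "CCCS Baseline Controls, secure configuration (illustrative)",
            "Port 8080 open; no business justification on record",
            "Unnecessary exposure of an internal service",
            "Document the justification or close the port",
            owner="network-team", due=date(2025, 12, 1)),      # target date already passed
]


def validate(findings, report_date):
    """Return accountability problems: every finding needs a known severity,
    an owner and a target date that is not already in the past."""
    problems = []
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            problems.append((f.id, "unknown-severity"))
        if not f.owner.strip():
            problems.append((f.id, "no-owner"))
        if f.due is None:
            problems.append((f.id, "no-target-date"))
        elif f.due < report_date:
            problems.append((f.id, "target-date-in-past"))
    return problems


def build_report(findings):
    """Findings ordered critical to low, plus per-severity counts for the
    executive summary. Serialised to plain dicts so it can be exported."""
    ordered = sorted(findings, key=lambda f: (SEVERITY_RANK.get(f.severity, 99), f.id))
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in ordered:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return {"counts": counts, "findings": [asdict(f) for f in ordered]}


if __name__ == "__main__":
    report = build_report(FINDINGS)
    print("summary:", report["counts"])
    for f in report["findings"]:
        print(f"{f['id']} [{f['severity']}] {f['title']} -> {f['owner'] or 'UNASSIGNED'} by {f['due']}")
    for fid, problem in validate(FINDINGS, AUDIT_DATE):
        print(f"BLOCKER {fid}: {problem}")
```

The validation pass is the part that implements the last sentence of this step: F-003 has no owner and no date, and F-004 has a date that already passed, so neither can be reported as "tracked" until someone fixes the register, not the system.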
Building the Skills to Run Effective Audits
A cybersecurity audit requires technical depth and governance knowledge in equal measure. You need to understand how controls are designed, how they fail, and how to evaluate evidence objectively. The Certified Information Security Risk Manager (CISRM) and Certified Information Systems Security Manager (CISSM) certifications are built around exactly this combination of skills.
Both programs develop the structured thinking you need to move from a checklist approach to a risk-based one. The distinction matters in practice. A checklist tells you whether a control exists. A risk-based audit tells you whether it is working, whether it is sufficient, and whether your organization is protected.
Audits are not a one-time exercise. Schedule them annually at minimum, and re-audit any system undergoing significant change. Organizations treating auditing as a continuous practice — not an annual fire drill — find and close gaps before attackers find them first.
