Security Auditing in Cybersecurity

Day 2 of my cybersecurity roadmap
As I continue through the Google Cybersecurity Professional Certificate, today's learning focused on security auditing, a critical yet often overlooked component of an organization’s defense strategy.
This blog captures what I’ve learned, in my own words, structured for anyone who’s just starting out or struggling to understand what security auditing really means.
What Is a Security Audit?
A security audit is a formal review of an organization’s internal frameworks, controls, policies, and compliance practices. Think of it as a thorough health check to ensure all security measures are effective and aligned with regulations and business objectives.
It evaluates whether the systems and teams are meeting expectations and whether there are gaps that might expose the organization to cyber threats.
Why Do Organizations Conduct Audits?
Security audits are important because they:
Evaluate the effectiveness of security measures
Identify vulnerabilities before attackers do
Ensure compliance with standards such as GDPR and PCI-DSS
Help improve the organization’s overall security posture
Proactively manage data protection and privacy risks
In short, audits are not just formalities; they are strategies for survival.
Types of Security Audits
There are two main types of audits:
Internal Audits
Conducted by in-house teams (e.g., security managers, compliance officers)
Regular and proactive
Help detect issues early and avoid fines
Gives a clear picture of what's working and what needs improvement
External Audits
Performed by third-party auditors
Often required for certifications or legal compliance
Provide independent verification of security posture
Key Components of Internal Security Audits
1. Identify Goals and Scope
Every audit starts by setting objectives and defining the scope.
Goals: What is the organization trying to achieve?
Scope: Which applications, departments, or systems are being audited?
This helps ensure the audit is focused and measurable.
2. Risk Assessment
This phase involves identifying and analyzing potential threats.
Pinpoint weak areas that could lead to data breaches or system failures
Evaluate the likelihood and impact of each risk
Plan corrective measures to strengthen overall security
Example: If a company disposes of physical laptops without securely wiping them, that becomes a serious data risk.
3. Control Assessment
Controls are security measures designed to manage and reduce risks. During this step, existing controls are reviewed and categorized:
Types of controls include:
Preventive controls: Aim to stop incidents before they happen
Example: Strong password policies
Corrective controls: Aim to restore systems post-incident
Example: Backup recovery systems
Detective controls: Aim to identify and report incidents
Example: Intrusion detection systems (IDS)
Deterrent controls: Aim to discourage threats
Example: Security awareness training
Controls also fall into three categories:
Administrative: Human processes like password policy enforcement
Technical: Software/hardware protections like encryption or firewalls
Physical: Surveillance cameras, locked server rooms, biometric access
Auditors often use a control map that lists:
Control name
Type and purpose
Implementation status
Priority for fixing
4. Compliance Assessment
This ensures that the organization is meeting external and internal compliance requirements such as:
GDPR (General Data Protection Regulation)
PCI-DSS (Payment Card Industry Data Security Standard)
Failing to meet these can lead to legal penalties, data breaches, and loss of reputation.
5. Communication of Results
The final audit results are compiled into a detailed report and shared with relevant stakeholders.
The report typically includes:
A list of discovered risks
Priority levels for fixing each issue
Recommendations for improvements
Compliance gaps and how to address them
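A small control map of the kind the Control Assessment step describes, turning the risk assessment's likelihood and impact into a fix priority and producing the risk list and compliance gaps that the final report needs. This is an added example, not code from the course or the author; the controls, the 1-5 scoring scale, the status weights and the requirement-to-control mapping are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    control_type: str       # preventive / detective / corrective / deterrent
    category: str           # administrative / technical / physical
    purpose: str
    status: str             # "implemented", "partial" or "missing"
    likelihood: int         # 1-5, taken from the risk assessment (assumed scale)
    impact: int             # 1-5, taken from the risk assessment (assumed scale)

# Constructed sample control map for a fictional organization (not real audit data).
CONTROL_MAP = [
    Control("Secure laptop disposal", "preventive", "administrative",
            "Wipe drives before hardware is disposed of", "missing", 4, 5),
    Control("Password policy", "preventive", "administrative",
            "Enforce strong passwords", "implemented", 2, 4),
    Control("IDS monitoring", "detective", "technical",
            "Identify and report intrusions", "partial", 3, 4),
    Control("Backup recovery", "corrective", "technical",
            "Restore systems after an incident", "implemented", 2, 5),
    Control("Security awareness training", "deterrent", "administrative",
            "Discourage risky behaviour", "implemented", 2, 3),
]
# Which controls each requirement relies on (assumed mapping, not the standards' own text).
REQUIREMENTS = {
    "GDPR": {"Secure laptop disposal", "Backup recovery"},
    "PCI-DSS": {"Password policy", "IDS monitoring"},
}
# How much of the risk is still open for each implementation status (assumed weights).
STATUS_WEIGHT = {"missing": 1.0, "partial": 0.5, "implemented": 0.0}

def priority(control):
    """Fix priority = likelihood x impact, scaled by how much of the control is still absent."""
    return control.likelihood * control.impact * STATUS_WEIGHT[control.status]

def findings(controls):
    """Controls that are not fully implemented, highest priority first."""
    return sorted((c for c in controls if c.status != "implemented"), key=priority, reverse=True)

def compliance_gaps(controls, requirements=REQUIREMENTS):
    """Map each requirement to the supporting controls that are not fully implemented."""
    done = {c.name for c in controls if c.status == "implemented"}
    return {req: sorted(needed - done) for req, needed in requirements.items() if needed - done}

def report(controls):
    """Plain-text summary shaped like the audit report: risks, priorities, recommendations, gaps."""
    lines = ["Discovered risks (priority | control | type/category | recommendation):"]
    for c in findings(controls):
        lines.append(f"  {priority(c):5.1f} | {c.name} | {c.control_type}/{c.category} | {c.purpose}")
    for req, missing in compliance_gaps(controls).items():
        lines.append(f"Compliance gap: {req} needs {', '.join(missing)}")
    return "\n".join(lines)
```

Calling `report(CONTROL_MAP)` ranks the unwiped-laptop risk from the Risk Assessment example above the partially deployed IDS and names the requirement each open control leaves exposed.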
That's it for now!
Have a cyber cool day! ^_^
Written by Muhammed Afnaan