Send an email to the author
Table of contents

Cybersecurity audit - a case study for SME

Last modified: 2019/09/12 | Approximate reading time 5 mins

We need to be flexible in the definition of a Cybersecurity Audit, especially when the mandate is for a “Small and Medium-sized Enterprise” (SME)! Our multidisciplinary team has been involved in security and information technology for more than 25 years. We advise our clients to take advantage of new technologies to maintain their strategic positioning.

Our cybersecurity audit mandate with an SME aims at evaluating and proposing recommendations on the state of the network and cybersecurity; guide and advise our client on industry best practices, and to propose a plan of action to correct weaknesses and vulnerabilities identified and thus reduce the risks related to cybersecurity. Being a member of the ISACA (Information Systems Audit and Control Association) - Montreal Chapter, I seek to provide leverage and added value by presenting a coherent report to the client with technical recommendations supported by standards of good practice. This will help the SMB business leaders understand the action plan, which is not always easy!

When such is the case, we will use best practice guides developed by ISACA to address the particulars of SME’s in conjunction with the National Institute of Standards and Technology (NIST)¹ Cybersecurity programs which promote the development and application of innovative and practical technologies and methodologies for security and improvement of critical cybersecurity infrastructures.

First part – use of cybersecurity guides

The cybersecurity guides for SMEs² proposed by ISACA are essential resources. Aligned with the COBIT5 standard, these guides address the needs of the SME whose technical resources and budgets are often limited.

The "Cybersecurity Guidance for Small and Medium-sized Entreprises" guide first defines the different categories of SMEs and then proposes 8 principles and 55 guidance clauses (requirements/controls). Each clause receives a "Critical" "Severe" or "Important" audit rating, identifying a cybersecurity risk level for an SME, see Table 1.

Audit Rating Explanation

Audit Rating Explanation
Critical Major impact or risk to the enterprise, potentially endangering the existence of the enterprise. Impacts and risk may be financial, operational, reputational, legal or of any other kind.
Significant Significant impact or risk to the enterprise, with potentially wide-ranging consequences within the business year.
Important Impact or risk to the enterprise that goes beyond the tolerated levels of impact and risk, as defined by senior management


Table 1- Audit Rating Explanation

Each requirement is assigned with one of the audit ratings. Table 2 presents an example of some of the requirements that emerged while on assignment.

Auditable Cybersecurity Requirements

Cybersecurity Guidance Clause (CGC) Requirements/Controls Audit Rating
1 Documented cybersecurity governance rules Critical
4 Documented cybersecurity strategy Significant
11 Documented procedures and management practices for cybersecurity Important
21 Documented information asset classification, cybersecurity risk and threats Significant


Table 2 - Auditable Cybersecurity Requirements

Once our tests and analyzes are completed, we develop recommendations for the identified gaps, weaknesses, or vulnerabilities and prioritize them from 1 to 3. By matching each of our recommendations to one or more of the guide's clauses - see some examples in Table 3 - Mapping of the requirements and the recommendations, we add consistency to the report.


C.G.C. Requirements/Controls Audit Rating Recommendations Priority
1 Documented cybersecurity governance rules Critical R1 2
34 Secure configuration of logical points of entry Critical R5-R6-R9 1
37 Malware defense mechanisms Critical R7 3
38 Boundary defense mechanisms Critical R3-R4-R5-R6-R9 1
44 “Need to know” and “Least privilege” principles documented and in evidence Critical R8 3
4 Documented cybersecurity strategy Significant R1 1
21 Documented information asset inventory/ Documented information asset classification, cybersecurity risk and threats Significant R2 1
23 Identified critical IT services and applications, critical IT infrastructures and third party products and services Significant R2 2
24 Adequate extent and detail of cybersecurity architecture, size and complexity Important R3 2
25 Adequate skills and competencies of cybersecurity staff Significant R2 1


Table 3 - Mapping of the requirements and the recommendations

Finally, we will map the proposed recommendations and controls-oriented clauses, which are the minimum requirement criteria for SMEs.  Table 4 – Summary of recommendations by priority and rating, is an example of the result obtained.


Priority Audit Rating No recommendations Recommendations Requirements/Controls C.G.C.
1 Critical R5 Refresh and review the routers configuration Secure configuration of logical points of entry 34
R6 Firewalls
R9 Protect against malware softwares
R3 Complexity of network Boundary defense mechanisms 38
R4 Wi-Fi Network
R5-R6-R9 Refresh and review the routers configuration /firewalls / Protect against malware softwares
2 Critical R5-R6-R9 Secure configuration mechanisms for hardware/ applications and software 31
2 Significant R4-R5-R6-R9   Secure configuration mechanisms for network devices including third party devices 33
2 Significant R4-R5-R6-R7-R9   Identified vulnerabilities 35
1 Significant R1 No formal documentation regarding security policies and principles Documented cybersecurity strategy 4
2 Critical Documented cybersecurity governance rules 1
2 Important Documented procedures and management practices for cybersecurity 11


Table 4 – Summary of recommendations by priority and rating

Table 4 serves as a basis for facilitating discussion and decision-making on the action plan for implementation of proposed recommendations and corrective actions to be taken to internal controls.

Part Two – Implementation of recommendations and maintenance of critical Cybersecurity infrastructures

The proposed action plan will maintain the confidentiality, integrity and availability of the systems, considering three major axes: 1- good governance, by aligning IT objectives with business goals, 2- risk management deemed acceptable in the achievement of established objectives and 3- the proper use of company resources.

To achieve this, our methodology will build on the NIST model for improving critical infrastructure of cybersecurity.  This model is adaptive and integrates with the COBIT 5 framework for its implementation. As a Risk-based approach, it is used with a wide range of processes that integrate day-to-day operations by grouping them into 5 major functions as illustrated in Figure 1- Functions of the NIST CSF Framework Core.

Cybersecurity image


Figure 1- Functions of the NIST CSF Framework Core

 At a high level, these functions allow:

  • Identification of critical assets of the company;
  • Protection of the data they hold;
  • Detecting anomalies and incidents in systems;
  • The response to ongoing actions, monitoring and improvements to systems and processes when threats or vulnerabilities have been identified;
  • Recovery and restore any capabilities or services impaired during a cybersecurity event, follow-ups and actions to be taken for improvement and feedback.

In light of this, the preferred strategy for securing information systems will include measures to protect critical assets at a reasonable cost for the company.

This methodology, which incorporates practices widely used in the industry, is the essence of our professional practice because it allows us to better serve our customers and to enhance the security level of their critical cyber infrastructure.

For more information regarding the cybersecurity audit, visit our website 


1) NIST, Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity V1.1, USA 2017

2) ISACA, Cybersecurity Guidance for Small and Medium-sized Enterprises, USA, 2015

ISACA, Implementing Cybersecurity Guidance for Small and Medium-sized Enterprises, USA 2015

ISACA, Transforming Cybersecurity, USA, 2013

Pascal Dominique

Auteure : Pascale Dominique, 

Co-founder and Vice-President Finances of ConnecTalk.

In addition to her duties within her company, she also acts as an analyst and a project manager in information technology.

Academic diploma:

  • Bachelor of Business Administration, University of Quebec in Montreal, 1984

Assocations and Certifications

  • Member of CPA Canada since 1986 she is a CPA-CA
  • Member of Information Systems Audit and Control Association (ISACA) since 2002
    • CISA Certification (Certified Information Systems Auditor) since 2006
    • CRISC Certification (Certified in Risk and Information Systems Controls) since 2011
  • Member of the Board of Directors at ISACA-Montreal Chapter as Vice-présidente Training and Certification since 2016

Looking for something else?


You have a project? Let us help you!

Obtain 3 free quotes for your cybersecurity needs
Attach a file

Projects submitted

Last 30 days


Service providers

In our network

32 606 425 $

In project value

Last 12 months