A cybersecurity audit is, put plainly, a professional, documented review of a company's security posture. An external team runs it, follows a recognised methodology, and ends with a report saying what fails, how serious it is and what needs to be touched to fix it. It isn't an automated scanner, it isn't a compliance questionnaire, and it isn't the same as pentesting: it's the umbrella covering several types of evaluation depending on the question the organisation needs answered.
This guide explains the three main types of audit that exist, when each one fits, what phases a serious project has, what deliverables you should demand, how it fits with NIS2, DORA, ENS and ISO 27001, what it costs and how long it lasts on average in the Spanish market and what signals separate a solid provider from one who'll sell an empty report.
What a cybersecurity audit actually is
A cybersecurity audit is a project bounded in time and scope that evaluates the real security level of an organisation, a specific system or a process. An external provider runs it (or an internal independent team with explicit authority), uses standard methodologies and produces auditable evidence.
There are three types based on what gets evaluated:
- Technical audit. Evaluates the actual security of technology assets: web and mobile applications, internal and external infrastructure, cloud environments, IoT/OT devices, wireless networks. The most common method here is pentesting.
- Organisational audit. Evaluates policies, procedures, training, governance, incident management and security programme maturity. Looks at people and processes, not just systems.
- Compliance audit. Verifies that an organisation meets the controls demanded by a specific standard: NIS2, DORA, ENS, ISO 27001, PCI DSS, SOC 2. Usually combines with the two above to have both technical and documentary evidence.
The question a well-framed cybersecurity audit answers is direct: what real risks does my organisation have right now and what do I need to do to reduce them?. The usual trap is answering it with a PDF full of charts but with no concrete actions, no prioritisation by impact and no deadlines. That audit isn't worth anything.
In a professional audit you should expect:
- Written scope: which assets are in, which assets stay out, which techniques get authorised, which time windows are respected.
- Formal authorisation by the asset owner (the rules of engagement).
- Identified team, with certifications (OSCP, OSEP, OSWE, CEH, CISA, CISM, CISSP depending on type) and documentable experience.
- Combination of manual technique and professional tools (Burp Suite, Nessus, Nmap, BloodHound, custom scripts, structured ISO/NIS2 questionnaires).
- Double deliverable: executive report for management and detailed technical report for the teams that have to fix things.
- Prioritised remediation plan with estimated effort and owners.
- Presentation session and retest after the most critical fixes have been applied.
Types of cybersecurity audit
| Type | What it evaluates | When to use it | Reference standards |
|---|---|---|---|
| Technical audit (pentesting) | Real vulnerabilities in applications, networks, cloud, mobile, IoT | Before a launch, periodically or after a major architecture change | OWASP Top 10, OWASP MASVS, PTES, OSSTMM |
| Organisational audit | Policies, processes, governance, training, incident response plan | To measure programme maturity or prioritise security investment | ISO 27001 Annex A, NIST CSF, ENS Annex II |
| Regulatory compliance audit | Adherence to a specific standard (NIS2, DORA, ENS, ISO 27001, PCI DSS) | To get certified, demonstrate compliance to a B2B client or avoid sanctions | The regulation itself plus Magerit, ISO 27002 |
| Risk analysis | Probability and impact of threats on key assets | As prior step to defining the security plan | Magerit, ISO 27005, FAIR |
| Post-incident forensics | Reconstructing what happened, how the attacker got in, what they took | Immediately after a detected security incident | NIST SP 800-86, RFC 3227 |
Most serious projects combine technical audit + organisational audit because measuring only the technical side leaves process gaps, and measuring only the organisational side doesn't detect real exploitable failures. Compliance audits (NIS2, DORA, ENS) usually require evidence of both.
Audit vs pentesting vs Red Team vs vulnerability analysis
These four terms get mixed in RFPs and proposals frequently, and they aren't the same. Each one answers a different question:
| Service | Question it answers | Depth | Typical duration |
|---|---|---|---|
| Vulnerability analysis | What known vulnerabilities does an automated tool detect? | Low, list of findings without deep prioritisation | 1 to 3 days |
| Pentesting | What flaws does this asset have and how serious are they if exploited? | Medium to high, manual with attack chains | 1 to 4 weeks |
| Cybersecurity audit | What's the global security posture of my organisation? | Variable, covers technical + processes + compliance | 4 weeks to 3 months |
| Red Team | Could we compromise the business without the SOC noticing? | Very high, realistic simulation with stealth and persistence | 6 weeks to 6 months |
A simple analogy: vulnerability analysis is the standard blood test, pentesting is the cardio stress test with a specialist, the cybersecurity audit is the complete review with several coordinated specialties, and the Red Team is a simulated exercise under extreme conditions with cardiologist, pneumologist and trauma specialist watching at the same time.
To go deeper: we've published specific guides on what pentesting is, what a Red Team is and the web security audit complete guide. If your need is a bounded technical test rather than a full audit, web application pentesting and infrastructure pentesting are the most direct entry points.
Phases of a cybersecurity audit
Although every provider has its own methodology, a serious audit always follows the same phases. If your proposal doesn't describe them explicitly, rigour is missing.
1. Scope definition and kick-off
Before touching anything, what's in and what's out gets fixed in writing. Which applications, which IP ranges, which accounts, which environments, which countries, which techniques get authorised (phishing yes or no, denial of service yes or no, social engineering yes or no), which time windows and which contacts receive the alerts. The phrase "the entire perimeter" isn't a scope, it's a recipe for misunderstandings.
2. Information gathering
The audit team collects data about the in-scope assets: architecture, technologies, test accesses, existing documentation, prior reports. In an organisational audit, security, IT, HR and management leads get interviewed. In a technical one, the attack surface gets enumerated with tools and OSINT.
3. Analysis and testing
The bulk of the project. In a technical audit, manual and automated tests get executed to identify real vulnerabilities. In an organisational audit, documentation, policies, incident records, continuity plans and training get reviewed. In a compliance audit, each control of the regulation gets mapped against documentary and technical evidence.
4. Validation and controlled exploitation (technical only)
For relevant technical findings, controlled exploitation gets attempted to confirm that the vulnerability is real, measure its impact and rule out false positives. This is where a serious provider differs from one who only hands over scanner results: the reproducible proof of concept.
5. Documentation
Each finding gets documented with CVSS severity or equivalent, evidence (screenshots, HTTP requests, logs), technical and business impact, and remediation recommendation. The findings get aggregated in two reports: executive (readable for management, 5 to 10 pages) and technical (detailed per finding, 40 to 200 pages depending on scope).
6. Results presentation and action plan
Closing session with the client team. Review of critical findings, joint prioritisation, definition of who fixes what and by when. This session is what turns a report into something actionable.
7. Retest
Weeks later (typically 4 to 8), the auditor returns to verify the corrections of critical and high findings. Without retest, an audit stays half-done: you have the findings, but no one confirms they're really fixed.
When you need a cybersecurity audit
Typical triggers in a Spanish company in 2026 are five:
- Legal or contractual obligation. NIS2 requires essential and important entities to conduct periodic testing. DORA requires financial entities to perform advanced resilience testing. ENS requires the public administration (and its providers) to undergo audits every two years. A B2B client may require an audit as a condition to sign a contract.
- Launch or major change. A new application, a cloud migration, an integration with a critical third party, an acquisition. Each one introduces new surface that wasn't in the previous audit.
- Recent security incident. After an incident, an audit serves to confirm that the attacker is no longer inside and that the paths they entered through are closed.
- Due diligence. A sale, an investment or an integration requires knowing the other party's security posture. An audit is the objective evidence.
- Cyclical renewal. The market standard for companies with critical assets is a full annual audit and specific pentests when major changes happen.
If your company falls into any NIS2 or DORA case and you haven't done an audit with documentary evidence in the last 12 months, the reasonable thing is to plan it before the next regulatory review. NIS2 fines reach €10 million or 2% of global annual turnover for essential entities.
Regulatory framework: NIS2, DORA, ENS and ISO 27001
Almost every cybersecurity audit in Spain is motivated, to a greater or lesser extent, by a regulation. The quick relation:
| Regulation | Who it applies to | What it requires in audit |
|---|---|---|
| NIS2 | Essential and important entities (energy, health, transport, banking, water, administrations, digital infrastructure and 11 other sectors) | Periodic technical testing, risk assessment, incident management, supply chain |
| DORA | Financial entities and their critical ICT providers | TLPT (Threat-Led Penetration Testing) under TIBER-EU, ICT risk management, operational resilience |
| ENS | Spanish public administrations and their providers | Categorisation, statement of applicability, mandatory biennial audit |
| ISO 27001 | Voluntary, certifiable, demanded by B2B clients | Annual internal audit + external certification audit |
| PCI DSS | Any organisation that stores, processes or transmits card data | Quarterly ASV scan + annual pentest |
To understand each regulation better: NIS2 step by step for Spanish companies, DORA compliance for financial entities, ENS Spain certification guide, ISO 27001 explained.
Market cost and duration
The ranges seen in the Spanish 2026 market for cybersecurity audits vary a lot depending on scope and depth. Indicative figures (industry-wide, not a Secra proposal):
| Audit type | Market cost range | Typical duration |
|---|---|---|
| Technical audit web/mobile app (medium scope) | €4,000 to €15,000 | 1 to 3 weeks |
| Internal and external infrastructure audit | €8,000 to €30,000 | 2 to 5 weeks |
| Cloud audit (AWS, Azure, GCP) | €6,000 to €25,000 | 2 to 4 weeks |
| ISO 27001 / NIS2 organisational audit | €10,000 to €40,000 | 4 to 10 weeks |
| ENS compliance audit | €8,000 to €25,000 | 4 to 8 weeks |
| Full-scope Red Team | €30,000 to €150,000 | 6 weeks to 6 months |
| TLPT under TIBER-EU (DORA) | €80,000 to €300,000 | 3 to 6 months |
If you get offered a complete "all-inclusive" audit below €2,500, it isn't an audit: it's an automated scanner with a PDF on top.
How to choose a cybersecurity audit provider
Five criteria separate a solid provider from one selling smoke:
- Real technical team. Ask for CVs of the people doing the work (not the sales rep). Look for current technical certifications: OSCP, OSEP, OSWE, OSCE3, GPEN, eCPPT. For compliance audits, CISA, CISM, ISO 27001 LA.
- Documented methodology. If the proposal doesn't explicitly mention OWASP Top 10, OWASP MASVS, PTES, OSSTMM, NIST or the corresponding regulatory body, it's a bad signal. Methodology isn't marketing, it's the framework guaranteeing nothing gets left untested.
- Sanitised report sample. Ask to see a real report (with clients hidden). If they only show a template with fictitious data, they haven't done many.
- Independence. The auditor shouldn't be the one who implemented the solution they audit. It's the basic audit rule that keeps getting forgotten in security.
- Remediation plan and retest included. A provider that hands over the report and disappears isn't selling an audit, they're selling a PDF. The difference shows up when it's time to fix.
We've gone deeper on this topic in how to choose a penetration testing company and Cybersecurity companies in Spain: how to choose.
What deliverables to demand
A serious audit project delivers, at minimum:
- Executive report (5 to 10 pages): context, scope, summary of findings by severity, key risks, prioritised recommendations. Readable by management without technical knowledge.
- Technical report (40 to 200 pages): one chapter per finding with title, description, impact, CVSS severity, evidence, remediation recommendation, OWASP/CWE references.
- Annexes: inventory of audited assets, tools used, project timeline, activity logs.
- Remediation plan: table with each finding, estimated effort, proposed owner and recommended deadline.
- Results presentation session with management and technical team.
- Documented retest of critical and high findings after remediation.
If the proposal doesn't include a remediation plan and retest, half of the project is missing.
Common cybersecurity audit mistakes
Five mistakes we keep seeing year after year in projects that reach us after a previous audit that didn't work:
- Scope too broad without depth. "Audit our whole perimeter" without prioritisation produces a long, superficial report. Better a focused, deep scope and iterate.
- No equivalence with business reality. The auditor finds an IDOR in an internal API and marks it as critical without knowing that API is only reachable from the development team's VPN. Without business context, prioritisation is wrong.
- Report without retest. The effort to fix dilutes if no one validates that the fixes work.
- Auditor without recognised technical certifications. An "audit" done with a Nessus and an auto-generated PDF isn't an audit.
- Zero coordination with the defensive team. If your SOC doesn't know there's an audit happening, either it spends its time responding to the auditor as if it were a real attacker, or it detects nothing and nobody learns that its detection capability has flaws.
Frequently asked questions
How often should a cybersecurity audit be done?
The market standard is annual for companies with critical assets, complemented with specific pentests when major changes happen (new product, cloud migration, critical integration). NIS2 requires periodic testing without setting an exact frequency. DORA requires TLPT at least every three years for large entities. ENS requires biennial audit.
Internal audit or external audit?
An external audit brings independence, comparison with other organisations and, in many cases, regulatory validity the internal one doesn't have. The internal serves as preparation or follow-up, but doesn't replace it. To evidence compliance (ISO 27001, ENS) you need an external auditor.
What's the difference between audit and compliance check?
An audit evaluates the real state with technical and documentary evidence. A compliance check fills out a questionnaire without verifying evidence. The latter doesn't survive a serious regulatory inspection.
Do you need to shut down systems during an audit?
In most cases no. A professional technical audit runs on production systems with non-intrusive techniques, and the more aggressive tests get coordinated with your team in agreed time windows. In OT/industrial environments, replicas or scheduled maintenance windows get used.
Does the audit include fixing vulnerabilities?
Not by default. The audit identifies and documents. The fix is done by your team (internal or external). Some providers offer remediation as a separate project, but keeping the same team in audit and remediation is problematic for independence.
Can cloud environments be audited without full permissions?
For a professional cloud audit, read access to cloud resources (IAM, configurations, logs) is needed. Tests don't require write permissions or production changes. Access gets granted temporarily and with dedicated auditable accounts.
How long does the report take to be ready?
The draft is usually delivered 1 to 2 weeks after the close of the testing phase. The final version after incorporating client comments comes out 1 to 2 weeks later. Providers that hand over the report the same day they finish testing usually deliver weak reports.
Does an audit help me renew my cyber insurance?
Yes. Most cyber risk insurers in Spain require recent technical evidence (audit or pentest from the last 12 to 24 months) to maintain coverage or reduce premium. Without this evidence, policies become more expensive or get cancelled after an incident.
Where to start
If your company needs a cybersecurity audit and doesn't know where to start, the reasonable order is:
- Identify the real motive: compliance, launch, incident, due diligence, cyclical renewal. The motive defines the audit type.
- Define the priority scope: most exposed applications, most critical infrastructures, most urgent regulation.
- Request three proposals from providers with a real technical team (not pure sales).
- Compare methodology, team and deliverables, not just price. The difference between the cheap audit and the expensive one isn't cost, it's what you receive.
- Plan the retest from the start, not as an add-on.
At Secra we offer the following technical audit lines:
- Web and mobile application audit (OWASP Top 10, MASVS, APIs)
- Internal and external infrastructure audit (perimeter, Active Directory, hardening)
- Cloud audit for AWS, Azure and GCP (IAM, S3/Blob/GCS, CIS Benchmarks)
- Wireless network audit (WPA2/WPA3, rogue APs, segmentation)
- IoT and OT audit (firmware, Modbus/DNP3, IT/OT segmentation)
- Red Team exercises (simulated APT, evasion, detection)
In parallel we accompany on GRC consulting for NIS2, DORA, ENS and ISO 27001 when the audit is motivated by compliance.
If you want to review your case, you can contact us and we'll tell you which type of audit fits before talking about a proposal.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.