Cyber Security Checks

The ISACA Germany Chapter e.V. association and the German Federal Office for Information Security (BSI) published version 2 of the "Cyber Security Check Guide" in 2020. The Cyber Security Check Guide describes the principles and procedures for conducting an IT security check of a company and is based on various ISACA IT audit standards. Its technical basis is the set of "basic cyber security measures" defined by the Alliance for Cyber Security.

A cyber security check (CSC) is not a penetration test, i.e. no actual hacking attacks are carried out as part of the check. The cyber security check is more comparable to an information security audit; however, the infrastructure under review is not primarily tested for conformance with a standard such as ISO 27001 or VdS 10000. Instead, the actual risk to the confidentiality, integrity and availability of the IT infrastructure is assessed. A cyber security check therefore requires access to all relevant documents, such as security concepts and operating manuals, as well as to the configuration of the critical IT systems, e.g. firewall, virus protection, backup, etc.

Principles for the Assessment

To ensure an objective assessment, the ISACA guidelines impose the following requirements:

  • A formal engagement for the cyber security check
  • Organizational and personal independence
  • Integrity and confidentiality
  • Professional competence
  • Evidence and traceability
  • Objectivity and diligence
  • Factual presentation

Method of the Assessment

In addition to the principles of the assessment, the guidelines also define the procedure:

  1. Placing the order
  2. Risk assessment
  3. Document review
  4. Preparation of the on-site assessment
  5. On-site assessment
  6. Follow-up/report preparation

Objectives

The Cyber Security Check Guide defines the action objectives A to N, each of which must be assessed during the check:

  • A: Securing network transitions
  • B: Defense against malware
  • C: Inventory of the IT systems
  • D: Avoidance of exploitable security gaps
  • E: Secure interaction with the Internet
  • F: Log data collection and evaluation
  • G: Ensuring an up-to-date level of information
  • H: Managing security incidents/emergencies
  • I: Secure authentication
  • J: Ensuring the availability of necessary resources
  • K: Sensitization and training of employees
  • L: Secure use of social networks
  • M: Carrying out penetration tests
  • N: Secure use of cloud applications

Our Service

We carry out the cyber security check in accordance with the principles and specifications of the Cyber Security Check Guide, with special consideration of the ISACA audit standards. Of course, all our cyber security checks take place under the direction of an ISO 27001 Lead Auditor or a certified ISACA Cyber Security Practitioner.

Incidentally, we also offer a CyberRiskCheck in accordance with DIN SPEC 27076 for micro-enterprises and small businesses with up to 50 employees.