Cybersecurity
Audit App
Digitize your IT security audits. Vulnerabilities, configurations, policies — complete checklist, professional PDF report.
Audit Domains
Network
Firewall, segmentation, access, Wi-Fi.
Systems
Servers, workstations, patches, hardening.
Authentication
MFA, passwords, SSO, privileges.
Anti-spam, phishing, encryption.
Cloud
Configuration, access, encryption.
Backups
Policy, testing, restoration.
Features
Security Checklist
Checkpoints based on best practices.
Vulnerabilities
CVSS classification, criticality, remediation.
Scoring
Overall security level assessment.
Screenshots
Visual evidence of findings.
Offline Mode
Audit in isolated environments.
PDF Report
Technical report with recommendations.
Frequently Asked Questions
Which frameworks should be used for a cybersecurity audit?
ISO 27001/27002 for security management, NIST Cybersecurity Framework (CSF) for a risk-based approach, CIS Controls for priority technical measures, and ANSSI (42-measure IT hygiene guide) for the French context. The choice depends on the sector: NIS2 for essential operators, HDS for health data, PCI-DSS for banking data.
What are the technical tests in a cybersecurity audit?
Vulnerability scanning (Nessus, Qualys), external and internal penetration testing (pentest), network equipment and server configuration review, Active Directory analysis, access rights review, social engineering phishing tests, security log analysis (SIEM), and network segmentation verification.
What is the NIS2 directive and who is affected?
European directive (EU 2022/2555) that came into effect in October 2024. It expands the scope of NIS1 to 18 sectors (energy, transport, health, digital, water, food, etc.). Essential and important entities must implement proportionate cybersecurity measures and report significant incidents within 24 hours.
What is a cybersecurity incident response plan?
A document that defines: roles and responsibilities (internal or external CSIRT), incident classification (severity levels), detection and alerting procedures, containment and eradication steps, crisis communication (internal, authorities, affected persons if personal data), forensic evidence collection, and return to normal operations.
How often should a cybersecurity audit be conducted?
A comprehensive annual audit is the minimum recommendation. Penetration tests at least annually (required by PCI-DSS, recommended by ANSSI). Monthly vulnerability scans or after each major infrastructure change. Quarterly access rights reviews. In the event of a security incident, a post-incident audit is essential.