Configuration / compliance audits

What is a compliance (configuration) audit?

The security of an information system depends closely on how well the components of that system are configured. This is why we offer compliance audits (also called configuration audits), which estimate the security level of your information system from the configuration of its technical components.

These components can be operating systems, middleware, application servers or frameworks. During the audit, our experts examine each of them to pinpoint the security weaknesses that a misconfiguration could introduce.

How do we conduct a compliance audit?


Unlike a penetration test, a compliance audit is carried out with full access to the necessary information: an administrator account, a detailed map of the infrastructure, and all relevant technical details and documentation. The audit has 4 main phases:

  1. a preparation meeting, at which the scope of the audit is set and the necessary documents and information are collected
  2. the operations officer and the auditor then agree on the best way to conduct the audit
  3. the system administrators and the auditor run the scripts that extract all the security configuration data needed
  4. the auditor then checks the compliance of each element against the reference framework and writes the report
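As an added illustration of phases 3 and 4 (example code written for this page, not the firm's own tooling, which the page does not show), the following POSIX shell script extracts the effective values from an sshd_config file, checks them against a small hypothetical set of CIS-style rules, and prints the per-element compliance rate that ends up in the report. The sample configuration and the rule set are constructed. The script deliberately reproduces two sshd parsing rules that a naive grep for "PermitRootLogin no" misses: the first occurrence of a keyword wins, and settings after a Match line are conditional and do not count as the global value.

```shell
#!/bin/sh
# Added example (not the audit firm's own tooling): a minimal phase-3/phase-4
# script that extracts the effective sshd configuration and checks it against
# a few CIS-style rules, printing a per-element compliance rate.
# The rule set and the sample config below are constructed for illustration.

# Constructed sample sshd_config. Note the duplicated PermitRootLogin:
# sshd honours the FIRST occurrence, so the later "no" does not apply, and
# PermitEmptyPasswords is only set inside a Match block, so globally it is unset.
SAMPLE_SSHD_CONFIG='# constructed sample, not from a real host
Port 22
PermitRootLogin yes
  MaxAuthTries 6
PasswordAuthentication no
x11forwarding no
PermitRootLogin no
Match User backup
    PermitEmptyPasswords no
'

# Rules: "Keyword kind expected"; kind eq = case-insensitive equality,
# le = integer less-or-equal. Hypothetical subset of CIS-style checks.
CHECKS='PermitRootLogin eq no
PasswordAuthentication eq no
X11Forwarding eq no
MaxAuthTries le 4
PermitEmptyPasswords eq no'

# effective_value FILE KEYWORD
# Prints the value sshd would use for KEYWORD in the global section:
# keywords are case-insensitive, comments and blank lines are skipped,
# the first occurrence wins, and scanning stops at the first Match block
# (whose settings are conditional). Simplification: the "Key=value" form
# is not handled.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0                  { next }
        /^[[:space:]]*#/         { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# check_one VALUE KIND EXPECTED -> exit 0 when compliant.
# An absent value is non-compliant: the rule wants it set explicitly
# rather than relying on the daemon's built-in default.
check_one() {
    cv=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ -n "$cv" ] || return 1
    case "$2" in
        eq) [ "$cv" = "$3" ] ;;
        le) [ "$cv" -le "$3" ] 2>/dev/null ;;
        *)  return 2 ;;
    esac
}

# audit_file FILE: one PASS/FAIL line per rule, then "RATE <percent>".
# Returns 0 only when every rule passes.
audit_file() {
    passed=0; total=0
    while read -r kw kind exp; do
        [ -n "$kw" ] || continue
        total=$((total + 1))
        val=$(effective_value "$1" "$kw")
        if check_one "$val" "$kind" "$exp"; then
            passed=$((passed + 1)); status=PASS
        else
            status=FAIL
        fi
        printf '%s %-22s observed=%-7s expected=%s %s\n' \
            "$status" "$kw" "${val:-<unset>}" "$kind" "$exp"
    done <<EOF
$CHECKS
EOF
    printf 'RATE %d\n' $((100 * passed / total))
    [ "$passed" -eq "$total" ]
}

# compliance_rate FILE: just the percentage, for the report's summary table.
compliance_rate() {
    audit_file "$1" | sed -n 's/^RATE //p'
}

# Stand-alone run against the constructed sample (rate is 40%).
tmp=$(mktemp)
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$tmp"
audit_file "$tmp" || echo "sshd_config: NOT fully compliant"
rm -f "$tmp"
```

The exit status of audit_file is non-zero unless every rule passes, so the same script can gate a CI job. On a real engagement the collection step would rather run `sshd -T`, which prints the daemon's effective configuration after defaults and Match blocks have been applied; parsing the file as above is the fallback when only the file is available, and it is where the first-occurrence and Match pitfalls bite.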

The important components of an audit report:

  • the report must clearly state the reference framework used (e.g. CIS)
  • a high-level summary
  • the good practices revealed by the audit
  • the compliance rate of each audited element (according to the reference framework used)
  • the most critical aspects that need immediate attention and swift correction
  • a comprehensive list of the conducted tests

We can perform compliance audits against the following reference frameworks:

  • CIS (Center for Internet Security)
  • SOC2 (Service Organization Control)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • SWIFT CSP (Society for Worldwide Interbank Financial Telecommunication)
  • ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information)

Other pages that might interest you:

Risk analysis

We help you evaluate the risks to which your systems are exposed, and establish a plan to deal with them.

ISO 27001 certification

We accompany you towards ISO 27001 certification, from the feasibility study to the certification audit, and then through its maintenance.

Organizational IT security audit

We perform organizational audits to ensure that security measures are in place.
