This project simulates a limited-scope cybersecurity process audit for a fictional technology-driven organization. The objective is to provide risk-based assurance over whether selected cybersecurity processes are appropriately designed, consistently executed, and sufficiently evidenced to reduce cybersecurity risk across core IT and digital operations.
In-scope cybersecurity processes:
- User and Access Management
- Vulnerability and Patch Management
- Incident Handling and Response

Assurance dimensions assessed for each process:
- Control Design Effectiveness (is the control designed so that, if it operates as intended, it addresses the risk?)
- Control Operating Effectiveness (does the evidence show the control operating consistently over the review period?)

In-scope environments:
- Core IT environment
- Cloud services environment
- Business-critical application environment
This is an evidence-led portfolio audit for a fictional organization and intentionally does not include fabricated operational metrics (for example, sample sizes, counts, or percentages). Where evidence is not available, this is explicitly stated, reflecting the constraints auditors face when evidence requests are not fully met.

Work performed:
- Defined the audit objective, scope boundaries, and audit methodology aligned to a structured cybersecurity assurance lifecycle.
- Identified in-scope assets and mapped cybersecurity process coverage across IT and digital operations.
- Identified cybersecurity risks and prioritized them using a likelihood × impact risk assessment model.
- Assessed key controls for both design effectiveness and operating effectiveness.
- Documented the basis for operating effectiveness conclusions using available evidence.
- Performed evidence-based audit testing without assuming direct access to production systems.
- Consolidated audit observations into clear findings using criteria, condition, cause, impact, and recommendation logic.
- Conducted root cause analysis to identify systemic issues driving control weaknesses.
- Developed a corrective action plan with defined ownership, priorities, dependencies, and closure validation approach.
- Produced a management-ready cybersecurity process audit report with a formal audit opinion and residual risk outlook.
Key outcomes:
- Delivered an overall assurance conclusion of Partially Effective (Medium Assurance) for the audited cybersecurity processes.
- Identified high-priority risks related to:
  - Patch verification and rework-to-closure gaps (remediation recorded as complete without evidence that the patch was verified as applied)
  - Missing periodic access reviews
  - Incomplete cloud administrative logging
  - Lack of post-incident review and corrective action tracking
- Translated technical control gaps into clear, management-relevant risk statements.
- Defined pragmatic corrective actions designed to improve governance, evidence retention, and sustained operating effectiveness.
Deliverables:
- Problem Statement: Problem_Statement.pdf
- Final Cybersecurity Process Audit Report: Final_Audit_Report.pdf
Skills demonstrated:
- Cybersecurity Governance, Risk, and Compliance (GRC)
- Cybersecurity process auditing and assurance
- Risk-based audit methodology
- Control design and operating effectiveness assessment
- Evidence-based audit testing and documentation
- Risk identification, scoring, and prioritization
- Root cause analysis and corrective action planning
- Executive-level audit reporting and communication
This repository is a portfolio sample created for demonstration purposes using a fictional organization scenario. No real organization data is included. The audit is evidence-led and avoids fabricated operational metrics; conclusions are based solely on the completeness and quality of available artefacts, consistent with professional cybersecurity audit practices.