Challenges
The audit was conducted in accordance with ISO/IEC 27001:2022, the global standard for information security. Using interviews, document analysis, and process observations, CyberGlobal assessed the company’s risk management and data protection practices.
The audit offered valuable insight into how the organization could improve its overall cyber resilience in an industry that handles large volumes of sensitive customer and operational data.
The audit revealed:
- 0 major non-conformities, indicating a generally sound security posture
- 1 minor non-conformity
- 6 opportunities for improvement.
The most significant issue was the lack of software restrictions on user endpoint devices, which increased risks such as:
- Possible malware infections introduced through unauthorized applications
- Unapproved software installations, creating new vulnerabilities or licensing risks
- An expanded attack surface and potential policy violations
The team also noted that while the organization’s threat intelligence and project security management processes existed, they lacked consistent documentation and structured oversight, limiting their effectiveness.
Solutions
After the audit was completed, CyberGlobal proposed several actions to strengthen the company’s defenses and improve compliance, as follows:
| Standardize Threat Intelligence Process | Establish consistent procedures for collecting, analyzing, and sharing threat data across teams. |
| Join Industry Intelligence Communities | Engage with external cybersecurity networks to stay updated on new and emerging threats. |
| Define Key Performance Indicators (KPIs) | Create measurable goals to track detection efficiency, response time, and overall program effectiveness. |
| Provide Ongoing Training | Offer regular training sessions for analysts and incident response teams to maintain strong technical readiness. |
| Include Security Checkpoints in Projects | Add dedicated security assessments at each project phase to identify and address risks early. |
Additionally, leadership should take part in regular incident response drills and use what they learn to improve the company’s response plan. Reviewing these processes often will help the team stay prepared and adapt quickly as new threats appear
Results
The review of the company’s ISO/IEC 27001 program showed strong progress with only minor non-conformities, reflecting a mature but still evolving information security system. Personnel demonstrated solid engagement in improving controls, though some areas still require refinement to align fully with business goals. Since the audit was conducted through random sampling, CyberGlobal recommended regular follow-up assessments to maintain continuous compliance.
In addition, a high-level review using THEIIA (The Institute of Internal Auditors) best practices was performed. Due to time constraints, this review was limited in scope, but it laid the groundwork for future workshops to better assess the company’s adherence to governance and control standards.
Overall, the audit provided clear, practical steps to help the company build a stronger, more organized, and flexible cybersecurity system.