Home / Services / Security & compliance
Service 04

How to pass an audit and a regulator

European regulation now reaches more and more companies, and boards suddenly face questions nobody can answer. This page explains what is actually being asked of you and how to prepare.

Why everyone is dealing with this now

Security used to be a matter for the IT department. Today it is a matter for the board, for two reasons.

First, regulation. European rules have extended to sectors that never dealt with any of this. A company that has been manufacturing for decades suddenly learns it falls under obligations it has never heard of. And responsibility sits with the board, not with the network administrator.

Second, customers. Large companies now vet their suppliers. A questionnaire with thirty questions arrives, and if you cannot answer it, you do not win the contract - regardless of price.

This is not about having perfect security. It is about being able to demonstrate that you know what you have, what the risks are and what you do about them. Most companies already do much of this - they just have not written it down.

What is actually being asked

Setting the legal text aside, every audit and questionnaire asks the same four things:

  • Do you know what you have? Which systems, data and suppliers. Nothing else works without this.
  • Do you know what can go wrong? And have you consciously decided what to do about it - mitigate, insure, or accept.
  • Is it written down? Who has which permissions, what happens during an incident, how backups are handled. A rule that exists only in someone's head does not exist for an auditor.
  • Can you evidence it? That it is actually done - records, logs, restore tests.

How I work

01

Where you stand today

I review what you have and compare it against what will be expected of you. The output is a gap analysis - a list of what is missing.

02

Risk analysis

We set out what can go wrong and what the business impact would be. Not academically - the point is to know what to worry about and what not.

03

Policies and rules

We write the documents describing how things work at your company. Documents your people will read and follow - not a hundred-page treatise for the archive.

04

Evidence

We set things up so that records are produced proving the rules are followed. This is where companies most often fail an audit.

What I work to

I follow the principles of ISO/IEC 27001 - the international standard for information security management - and ISO/IEC 20000 for IT service management. They are not the only possible frameworks, but they have an advantage: anyone who knows them knows what to expect from you. And most customer questionnaires are derived from them.

I use them as a structure, not dogma. For a company of fifty people there is no point building a system fit for a multinational. The aim is for you to pass while not drowning in administration.

When this makes sense

  • You have learned that new regulation applies to you and do not know what it means.
  • A customer has sent a security questionnaire and you have no idea how to complete it.
  • You are preparing for certification and want to know how far along you are.
  • You suspect security rests on one person and their memory.

Frequently asked questions

Does this mean we have to get certified?

Not necessarily. Many companies only need to demonstrate that they work to sensible principles - to a customer or a regulator. Certification is a separate decision and costs both money and time.

Will this bury us in paperwork?

If done badly, yes. That is why I scale the scope to the size of the company. A document nobody reads is a cost, not protection.

We are a small company. Does this apply to us?

Possibly. The criteria are usually sector and size, but even a small supplier to a large company receives the questionnaire. This can be established in a first consultation.

Are you ISO 27001 certified?

No, and I do not claim to be. I work to the principles of these standards and prepare you for audit - the certificate itself is issued by an accredited certification body, not by a consultant.

Facing an audit?

We go through your situation and I tell you where you stand, what is missing and what to address first. No obligation.

Book a free consultation →