A thorough, practical security audit framework for small and medium businesses.
Run a thorough security audit on any SMB environment. Covers network, endpoints, identity, email, backups, and physical security.
Instant download • DOCX • XLSX • PDF • 200+ audit points
Most SMBs don't have a full-time security team. This audit checklist gives you a repeatable framework to assess an organisation's security posture, identify gaps, and produce a professional findings report. Over 200 audit points across 10 domains, each with severity ratings and remediation guidance.
Network security: Firewall rule audit, VLAN segmentation check, Wi-Fi encryption standards, guest network isolation, VPN configuration review, SNMP exposure check, and rogue device detection guidance.
Endpoint security: Antivirus/EDR coverage, patch management status, OS version support lifecycle (end-of-support versions still in use), disk encryption (BitLocker/FileVault), screen lock policy, and application whitelisting review.
Identity and access: MFA adoption audit, dormant account review, privileged access review, Entra ID (formerly Azure AD) security defaults, conditional access policy evaluation, and service account hygiene.
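As an added example (not the checklist's own tooling), the following Python script produces the dormant-account and MFA-gap findings by cross-referencing two Entra ID exports: the user list with `signInActivity` (Graph `GET /users?$select=userPrincipalName,accountEnabled,signInActivity`, which needs an Entra ID P1 licence) and the `userRegistrationDetails` report (Graph `GET /reports/authenticationMethods/userRegistrationDetails`). The field names follow the Graph schema; the user records, the audit date and the 90-day dormancy threshold are constructed assumptions.

```python
"""Dormant-account and MFA-gap review from two Entra ID exports.

Added example, not the checklist's own tooling. Inputs are the JSON the
auditor pulls with Graph Explorer or the Microsoft Graph PowerShell SDK:
  GET /users?$select=userPrincipalName,accountEnabled,signInActivity
  GET /reports/authenticationMethods/userRegistrationDetails
Field names follow the Graph schema; the records, the audit date and the
90-day dormancy threshold below are constructed assumptions.
"""
from datetime import datetime, timezone


def parse_graph_time(value):
    """Graph timestamps end in 'Z'; fromisoformat only accepts that from 3.11."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_identity(users, registration, now, dormant_days=90):
    """Cross-reference sign-in activity with MFA registration.

    Returns one dict per issue with keys upn, severity, issue, detail.
    Disabled accounts are skipped here; they belong in the offboarding check.
    """
    mfa_by_upn = {r["userPrincipalName"].lower(): r for r in registration}
    findings = []
    for user in users:
        upn = user["userPrincipalName"]
        if not user.get("accountEnabled", False):
            continue
        activity = user.get("signInActivity") or {}
        last = parse_graph_time(activity.get("lastSignInDateTime"))
        if last is None:
            findings.append({"upn": upn, "severity": "medium", "issue": "never_signed_in",
                             "detail": "enabled account with no recorded sign-in; confirm it is needed or disable it"})
        elif (now - last).days > dormant_days:
            findings.append({"upn": upn, "severity": "high", "issue": "dormant",
                             "detail": f"last sign-in {(now - last).days} days ago; disable pending review"})
        # A user missing from the registration report counts as not registered.
        reg = mfa_by_upn.get(upn.lower(), {})
        if not reg.get("isMfaRegistered", False):
            if reg.get("isAdmin", False):
                findings.append({"upn": upn, "severity": "critical", "issue": "admin_no_mfa",
                                 "detail": "holds a privileged role with no MFA method registered"})
            else:
                findings.append({"upn": upn, "severity": "high", "issue": "no_mfa",
                                 "detail": "no MFA method registered; enforce through Conditional Access"})
    return findings


# Constructed sample exports; the example.com users are not real.
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2024-05-20T08:12:00Z"}},
    {"userPrincipalName": "bob@example.com", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2023-11-02T17:45:00Z"}},
    {"userPrincipalName": "svc-backup@example.com", "accountEnabled": True,
     "signInActivity": None},
    {"userPrincipalName": "carol@example.com", "accountEnabled": False,
     "signInActivity": {"lastSignInDateTime": "2023-01-10T09:00:00Z"}},
]
SAMPLE_REGISTRATION = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "svc-backup@example.com", "isMfaRegistered": False, "isAdmin": False},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": False, "isAdmin": False},
]
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for f in review_identity(SAMPLE_USERS, SAMPLE_REGISTRATION, AUDIT_DATE):
        print(f"[{f['severity'].upper()}] {f['upn']}: {f['detail']}")
```

On the constructed data this reports bob as dormant and as an admin without MFA, and the never-used service account as both unused and unregistered, while the disabled carol account is left for the offboarding check. Treat a never-signed-in enabled account as a finding even when it is a service account: if it is genuinely needed, the owner should be able to say what signs in with it.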
Email security: SPF/DKIM/DMARC record verification, anti-phishing policy, mailbox auditing, external forwarding rules review, mail flow rules (transport rules) security check, and impersonation protection.
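As an added example (not part of the checklist or its spreadsheet), the following Python script performs the SPF, DKIM and DMARC record checks an auditor runs against a client domain. It works offline on the TXT strings; the DNS lookups are done first with `dig` or `Resolve-DnsName` and the results pasted in. The sample records, the domain names and the DER-length heuristic used to spot short RSA keys are constructed for illustration.

```python
"""Offline SPF / DKIM / DMARC record checks for the email-security domain.

Added example, not the checklist's own tooling. No DNS queries are made:
fetch the TXT records first, for example
  dig +short TXT example.com
  dig +short TXT _dmarc.example.com
  dig +short TXT selector1._domainkey.example.com
and pass the strings in. All sample records below are constructed.
"""
import base64
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def audit_spf(record: str) -> list[str]:
    """Return findings for one SPF record; an empty list means nothing to report."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1, receivers ignore it"]
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERMS.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append("SPF: ptr mechanism is deprecated and unreliable")
    tail = terms[-1].lower()
    if tail in ("all", "+all"):
        findings.append("SPF: '+all' passes every sender, the record gives no protection")
    elif tail == "?all":
        findings.append("SPF: '?all' is neutral, spoofed mail is not penalised")
    elif tail == "~all":
        findings.append("SPF: '~all' softfail, prefer '-all' once DMARC reports are clean")
    elif tail != "-all" and not tail.startswith("redirect="):
        findings.append("SPF: no terminal 'all' mechanism, the default result is neutral")
    return findings


def parse_tags(record: str) -> dict[str, str]:
    """Split the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list[str]:
    """Return findings for the _dmarc TXT record."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no v=DMARC1 tag, the record is invalid"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag, the record is ignored"]
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine, move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail flow")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def audit_dkim(record: str) -> list[str]:
    """Return findings for a selector._domainkey TXT record."""
    tags = parse_tags(record)
    findings = []
    if "v" in tags and tags["v"].upper() != "DKIM1":
        findings.append("DKIM: v= tag present but is not DKIM1")
    if "y" in tags.get("t", "").lower().split(":"):
        findings.append("DKIM: t=y testing flag set, verifiers treat the signature as absent")
    pubkey = tags.get("p")
    if pubkey is None:
        findings.append("DKIM: no p= tag, the selector is invalid")
    elif pubkey == "":
        findings.append("DKIM: empty p= means the key has been revoked")
    else:
        try:
            der = base64.b64decode(pubkey.replace(" ", ""), validate=True)
        except ValueError:
            return findings + ["DKIM: p= is not valid base64"]
        # Heuristic: an RSA-2048 SubjectPublicKeyInfo is 294 bytes of DER and
        # RSA-1024 is 162, so anything well under 294 is a short key.
        if tags.get("k", "rsa").lower() == "rsa" and len(der) < 280:
            findings.append(f"DKIM: RSA key DER is {len(der)} bytes, shorter than a 2048-bit key")
    return findings


# Constructed sample records (not taken from any real domain).
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com include:_spf.example.net ptr ?all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=50"
# Stand-in for a 1024-bit key: 162 zero bytes, the DER size of such a key.
SAMPLE_DKIM = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(bytes(162)).decode()

if __name__ == "__main__":
    for finding in audit_spf(SAMPLE_SPF) + audit_dmarc(SAMPLE_DMARC) + audit_dkim(SAMPLE_DKIM):
        print("-", finding)
```

The DKIM size check only looks at the length of the decoded key blob, which is enough to separate 1024-bit from 2048-bit RSA keys in an audit; use `openssl rsa -pubin -inform DER -text -noout` on the decoded bytes if the exact modulus size matters for the report.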
Backup and disaster recovery: 3-2-1 rule validation (three copies, on two media types, with one copy offsite), backup encryption status, recovery test verification, offsite/cloud replication check, backup monitoring and alerting, and DR documentation completeness.
Microsoft 365: Microsoft Secure Score review, auditing and logging configuration, DLP policy presence, sharing policy for SharePoint/OneDrive, external sharing audit, and Entra ID risk policies.
This checklist is built from real audit work I've done for South African SMBs — not from a textbook. It's designed to be used at a client site with nothing more than a laptop, a browser, and access to their environment. Each domain includes:
The Excel scoring sheet automatically calculates an overall security maturity score by domain, so you can present a professional heatmap to the client.