Security Audit Checklist for Professional Services

Free, customisable security audit checklist designed specifically for Australian professional services businesses. Copy, customise, and automate - built by Harvard-educated experts.

15 min setup time | 100% customisable | 50+ businesses served | Free (no cost)

Setup Time: 20 minutes
Complexity: intermediate
Tools: Slack, Notion

Template

Copy this template and customise it for your business.

# Security Audit Checklist - Professional Services

## Purpose
Run quarterly to identify security gaps, maintain compliance, and protect your business from common cyber threats.

## When to Use
Use this cybersecurity checklist for the quarterly review; it covers password policies, access controls, software updates, backup verification, and phishing awareness.

## Instructions
1. Review the template below and familiarise yourself with the structure
2. Replace all [bracketed placeholders] with your professional services business details
3. Customise the tone and formatting to match your brand
4. Save in your preferred tool (Slack or Notion)

---

## Security Audit Checklist

### Password & Authentication (Owner: IT Manager)
- [ ] Password policy enforced: minimum 12 characters, mix of uppercase, lowercase, numbers and symbols
- [ ] Multi-factor authentication (MFA) enabled on all business-critical systems
- [ ] Default passwords changed on all devices and software
- [ ] Password manager in use across the organisation
- [ ] Shared accounts eliminated or documented with justification
- [ ] Service account passwords rotated within the last 90 days

### Access Control (Owner: IT Manager)
- [ ] User access review completed: all current employees have appropriate access levels
- [ ] Former employees' accounts deactivated within 24 hours of departure
- [ ] Admin and privileged access limited to those who genuinely require it
- [ ] Guest and contractor access has defined expiry dates
- [ ] Principle of least privilege applied across all systems
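As an added example (not part of the original template or of Clever Ops' tooling), the following Python script turns the thresholds in the two sections above (12-character policy, MFA on critical systems, 90-day service account rotation, documented shared accounts, 24-hour offboarding, expiry dates on contractor access) into an automated check over an account inventory. The inventory format, its field names and the sample accounts are assumptions constructed for illustration; adapt the loader to whatever export your identity provider produces.

```python
"""Audit an account inventory against the Password & Authentication and
Access Control checklist thresholds. Added example; the inventory schema
below is hypothetical and the sample data is constructed, not real."""
from datetime import datetime, timedelta, timezone

ROTATION_DAYS = 90          # service account passwords rotated within 90 days
OFFBOARD_HOURS = 24         # former employees deactivated within 24 hours
MIN_PASSWORD_LENGTH = 12    # minimum 12 characters
REQUIRED_CLASSES = ("require_upper", "require_lower", "require_digit", "require_symbol")


def _parse(ts):
    """Parse an ISO-8601 date/time string (or None) into an aware UTC datetime."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def audit_password_policy(policy):
    """Return findings for a policy dict (assumed keys: min_length, require_*)."""
    findings = []
    if policy.get("min_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append(f"password policy: min_length {policy.get('min_length', 0)} "
                        f"is below {MIN_PASSWORD_LENGTH}")
    for cls in REQUIRED_CLASSES:
        if not policy.get(cls, False):
            findings.append(f"password policy: {cls} not enforced")
    return findings


def audit_accounts(accounts, now):
    """Return one finding string per checklist violation in the inventory."""
    findings = []
    for acct in accounts:
        name, kind = acct["name"], acct["kind"]
        # MFA enabled on all business-critical systems
        if acct.get("critical_system") and not acct.get("mfa_enabled"):
            findings.append(f"{name}: MFA not enabled on business-critical system")
        # Service account passwords rotated within the last 90 days
        if kind == "service":
            changed = _parse(acct.get("last_password_change"))
            if changed is None or now - changed > timedelta(days=ROTATION_DAYS):
                findings.append(f"{name}: service account password not rotated "
                                f"within {ROTATION_DAYS} days")
        # Shared accounts eliminated or documented with justification
        if kind == "shared" and not acct.get("shared_justification"):
            findings.append(f"{name}: shared account without documented justification")
        # Former employees' accounts deactivated within 24 hours of departure
        departed = _parse(acct.get("departure_date"))
        if departed is not None:
            disabled = _parse(acct.get("disabled_at"))
            if disabled is None:
                findings.append(f"{name}: departed employee account still active")
            elif disabled - departed > timedelta(hours=OFFBOARD_HOURS):
                lag = disabled - departed
                findings.append(f"{name}: deactivated {lag} after departure "
                                f"(limit {OFFBOARD_HOURS}h)")
        # Guest and contractor access has defined expiry dates
        if kind in ("guest", "contractor") and acct.get("expires") is None:
            findings.append(f"{name}: {kind} access has no expiry date")
    return findings


# Constructed sample policy and inventory (not real data).
SAMPLE_POLICY = {"min_length": 10, "require_upper": True, "require_lower": True,
                 "require_digit": True, "require_symbol": False}
SAMPLE_ACCOUNTS = [
    {"name": "alice", "kind": "user", "critical_system": True, "mfa_enabled": True},
    {"name": "bob", "kind": "user", "critical_system": True, "mfa_enabled": False},
    {"name": "svc-backup", "kind": "service", "last_password_change": "2024-01-05"},
    {"name": "svc-crm", "kind": "service", "last_password_change": "2024-05-20"},
    {"name": "reception", "kind": "shared", "shared_justification": None},
    {"name": "carol", "kind": "user", "departure_date": "2024-05-30T17:00:00",
     "disabled_at": "2024-06-03T09:00:00"},
    {"name": "contractor-x", "kind": "contractor", "expires": None},
]
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_POLICY) + audit_accounts(SAMPLE_ACCOUNTS, NOW):
        print("FAIL", finding)
```

Each finding maps back to one checklist line, so the script's output can be pasted into the audit record as the evidence for ticking (or not ticking) the box; an empty findings list for a section is the pass condition.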

### Software & Systems (Owner: IT Manager)
- [ ] Operating systems on all devices running the latest stable version
- [ ] Antivirus and endpoint protection installed and up to date on all devices
- [ ] Business applications updated to latest versions (no end-of-life software)
- [ ] Firewall configured and active on all company networks
- [ ] VPN required for remote access to internal systems
- [ ] Unused applications and services removed or disabled

### Data Protection & Backup (Owner: IT Manager)
- [ ] Automated backups running daily for all critical data
- [ ] Backup restore tested within the last quarter (actual data recovery verified)
- [ ] Backups stored in a separate location from primary data (cloud or off-site)
- [ ] Sensitive data encrypted at rest and in transit
- [ ] Data retention policy documented and followed
- [ ] Client data handling complies with Australian Privacy Principles (APPs)
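The "backup restore tested (actual data recovery verified)" item is the one most often ticked on the strength of a backup job reporting success. As an added example (not part of the original template or of any backup product), the Python script below shows what a real restore test looks like: back up a constructed set of files, restore the archive into an empty directory, and compare a SHA-256 digest of every file. The file layout and contents are constructed for illustration; the `tamper` argument is a hypothetical switch used only to show that the check detects a bad restore.

```python
"""Restore test for the Data Protection & Backup section. Added example with
constructed sample files; the 'tamper' option simulates a corrupted restore."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source, archive_path):
    """Write a gzip tarball of the source directory."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive_path, target):
    """Extract the archive into target, using the safe 'data' filter where
    the running Python supports it (refuses absolute paths and traversal)."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(target, **kwargs)


def verify_restore(source, restored):
    """Compare live data with the restored copy. Returns (ok, missing, corrupted)."""
    expected = sha256_tree(source)
    actual = sha256_tree(restored)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(p for p in expected if p in actual and expected[p] != actual[p])
    return (not missing and not corrupted), missing, corrupted


def run_restore_test(files, tamper=None):
    """Full cycle: write files, back up, restore, verify. 'files' maps relative
    path -> bytes; 'tamper' names a restored file to overwrite (test aid only)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored, archive = Path(tmp, "live"), Path(tmp, "restored"), Path(tmp, "backup.tgz")
        live.mkdir()
        restored.mkdir()
        for rel, data in files.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        create_backup(live, archive)
        restore_backup(archive, restored)
        if tamper is not None:
            (restored / tamper).write_bytes(b"corrupted")  # simulate a bad restore
        return verify_restore(live, restored)


# Constructed sample client data (not real files).
SAMPLE_FILES = {
    "clients/acme.txt": b"Client: ACME Pty Ltd\nEngagement: FY24 audit\n",
    "invoices/2024/inv-001.pdf": b"%PDF-1.4 placeholder content\n",
    "notes.md": b"# Quarterly notes\n",
}

if __name__ == "__main__":
    ok, missing, corrupted = run_restore_test(SAMPLE_FILES)
    print("restore verified" if ok else f"restore FAILED missing={missing} corrupted={corrupted}")
```

Run it against a restore of the real backup (point `verify_restore` at the live tree and the restored tree) and record the digest comparison, not just the job status, as the evidence for the checklist item.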

### Physical Security (Owner: Office Manager)
- [ ] Server room or network equipment locked and access-controlled
- [ ] Visitor sign-in process in place with escort requirements
- [ ] Clean desk policy in place for sensitive documents
- [ ] Screens locked when unattended (auto-lock after 5 minutes)

### Staff Awareness (Owner: HR / IT Manager)
- [ ] Cybersecurity awareness training completed by all staff within the last 12 months
- [ ] Phishing simulation conducted within the last quarter
- [ ] Incident reporting procedure documented and communicated to all staff
- [ ] Staff aware of social engineering risks (phone scams, impersonation)

---

**Complexity:** intermediate | **Setup time:** 20 minutes | **Tools:** Slack, Notion

Note: This template has been tailored for professional services businesses in Australia. Adjust terminology and compliance references to match your specific context.

How to Use This Template

Follow these steps to get the most out of this template.

1. Review each section to ensure it matches your brand voice and requirements
2. Train your professional services team on when and how to use this template in their daily workflow
3. Copy the security audit checklist template below and paste it into your professional services team's preferred tool or document
4. Set up automation triggers to populate dynamic fields automatically using your existing tools
5. Save the customised version as a reusable template in your document management system

Customisation Tips

Make this template your own with these recommendations.

- Add industry-specific terminology and compliance language relevant to your professional services sector
- Connect dynamic fields to your CRM or automation platform for auto-population
- A/B test different versions of this security audit checklist to optimise performance
- Add your company logo, colours, and branding elements where indicated

Need This Template Automated?

Let our Harvard-educated team build this into a fully automated workflow for your business. 50+ Australian businesses already trust Clever Ops.