A Practical Model to Perform Comprehensive Cybersecurity Audits

  • Regner Sabillon Universitat Oberta de Catalunya
Keywords: cybersecurity, cybersecurity audit, cybersecurity audit model, cybersecurity assurance, cybersecurity controls


These days organizations are continually facing being targets of cyberattacks and cyberthreats; the sophistication and complexity of modern cyberattacks and the modus operandi of cybercriminals including Techniques, Tactics and Procedures (TTP) keep growing at unprecedented rates. Cybercriminals are always adopting new strategies to plan and launch cyberattacks based on existing cybersecurity vulnerabilities and exploiting end users by using social engineering techniques. Cybersecurity audits are extremely important to verify that information security controls are in place and to detect weaknesses of inexistent cybersecurity or obsolete controls. This article presents an innovative and comprehensive cybersecurity audit model. The CyberSecurity Audit Model (CSAM) can be implemented to perform internal or external cybersecurity audits. This model can be used to perform single cybersecurity audits or can be part of any corporate audit program to improve cybersecurity controls. Any information security or cybersecurity audit team has either the options to perform a full audit for all cybersecurity domains or by selecting specific domains to audit certain areas that need control verification and hardening. The CSAM has 18 domains; Domain 1 is specific for Nation States and Domains 2-18 can be implemented at any organization. The organization can be any small, medium or large enterprise, the model is also applicable to any Non-Profit Organization (NPO).


Download data is not yet available.


Bodeau, D., Boyle, S., Fabius-Greene, J. and Graubart R. (2010). “Cyber Security Governance”, MITRE. Retrieved January 24, 2018, from https://www.mitre.org/sites/default/files/pdf/10_3710.pdf.

Boyce, R. (2001). “Vulnerability Assessment: The Pro-Active Steps to Secure your Organization”, SANS Institute. Retrieved January 24, 2018, from https://www.sans.org/reading-room/whitepapers/threats/vulnerability-assessments-pro-active-steps-secure-organization-453.

CERT Division (2017). “CSIRT Frequently Asked Questions”, Carnegie Mellon University.
Retrieved January 24, 2018, from https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm.

Department of Homeland Security (2012). “Vulnerability Assessment and Management”, NICSS. Retrieved January 24, 2018, from https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/vulnerability-assessment-and-management.

Donaldson, S., Siegel, S., Williams, C. and Aslam, A. (2015). “Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats”. New York: Apress, pp. 201-204.

Financial Executives International – FEI (2014). “Financial Executives, Cyber Security & Business Continuity”, Canadian Executives Research Foundation (CFERF). Retrieved January 24, 2018, from https://www.feicanada.org/enews/file/CFERF%20studies/2013-2014/IBM%20Cyber%20Security%20final3%202014.pdf.

Financial Industry Regulatory Authority – FINRA (2015). “Report on Cybersecurity Practices”, pp 1- 46. Retrieved January 24, 2018, from https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

Foresite (2016). “Quick guide to common Cybersecurity Frameworks”.
Retrieved January 24, 2018, from https://www.foresite.com/blog/quick-guide-to-common-cybersecurity-frameworks/.

ISACA (2014). Implementing the NIST Cybersecurity Framework. Rolling Meadows: ISACA.
ISACA (2013). Transforming Cybersecurity. Rolling Meadows: ISACA.

ISACA (2015). Cybersecurity Fundamentals. Rolling Meadows: ISACA

Kaspersky Lab (2015). “Top 10 Tips for Educating Employees about Cybersecurity”, AO Kaspersky Lab. Retrieved January 24, 2018, from http://go.kaspersky.com/rs/kaspersky1/images/Top_10_Tips_For_Educating_Employees_About_Cybersecurity_eBook.pdf.

Lee, R. (2015). “The Sliding Scale of Cybersecurity”, SANS Institute.
Retrieved January 24, 2018, from https://www.sans.org/reading-room/whitepapers/analyst/sliding-scale-cyber-security-36240.

Ministry of Economic Affairs and Communication (2017). “2014-2017 Estonia Cybersecurity Strategy”, ENISA. Retrieved January 24, 2018, from https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/Estonia_Cyber_security_Strategy.pdf.

National Cyber Security Alliance (2017). “Stay Safe Online”, NCS.
Retrieved January 24, 2018, from https://staysafeonline.org/ncsam/.

National Institute of Standards and Technology - NIST (2017). “Framework for Improving Critical Infrastructure Cybersecurity”, version 1.1.

National Institute of Standards and Technology – NIST(2017). “NIST Special Publications SP”. Retrieved January 24, 2018, from http://csrc.nist.gov/publications/PubsSPs.html.

NATO Cooperative Cyber Defence Centre of Excellence – CCDCOE (2015). “Cyber Security Strategy Documents”. Retrieved January 24, 2018, from https://ccdcoe.org/strategies-policies.html.

North American Electric Relaibility Corporation – NERC (2010). “Security Guideline for the Electricity Sector: Identifying Critical Cyber Assets”, NERC. Retrieved January 24, 2018, from
Organisation for Economic Co-Operation and Development – OECD (2012). “Cybersecurity Policy Making at a Turning Point”, OECD. Retrieved January 24, 2018, from http://www.oecd.org/sti/ieconomy/cybersecurity%20policy%20making.pdf.

PCI Security Standards Council (2014). “Best Practices for implementing a Security Awareness Program”, PCI DSS. Retrieved January 24, 2018, from
Pricewaterhouse Coopers - PwC (2016). “PwC’s Board Cybersecurity Governance Framework”, PwC. Retrieved January 24, 2018, from
Proaño, R., Saguay, C., Jacome, S. and Sandoval, F. (2017). “Knowledge based systems as an aid in information systems audit”. Enfoque UTE V.8 Sup. 1, Feb 2017, pp.148-159.

Sabillon, R., Serra-Ruiz, J., Cavaller, V. and Cano, J. (2017). "A Comprehensive Cybersecurity Audit Model to Improve Cybersecurity Assurance: The CyberSecurity Audit Model (CSAM)". 2017 Second International Conference on Information Systems and Computer Science (INCISCOS), Quito, Ecuador.

SANS Institute (2017). “SANS Forensics Whitepapers”, SANS Institute.
Retrieved January 24, 2018, from https://digital-forensics.sans.org/community/whitepapers.

Shackleford, D. (2015). “Who’s using Cyberthreat Intelligence and how?”,SANS Institute.
Retrieved January 24, 2018, from https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767.

Trusted Computing Group (2013). “Architect’s Guide: Cybersecurity”.
Retrieved January 24, 2018, from https://www.trustedcomputinggroup.org/wp-content/uploads/Architects-Guide-Cybersecurity.pdf.

United States Computer Emergency Readiness Team - US-CERT (2017). “Cybersecurity Framework”, US-CERT. Retrieved January 24, 2018, from https://www.us-cert.gov/ccubedvp/cybersecurity-framework.

U.S. Department of Homeland Security (2016). “Cybersecurity”.
Retrieved January 24, 2018, from https://www.dhs.gov/topic/cybersecurity.

U.S. Department of Energy (2007). “IT Security Architecture”.
Retrieved January 24, 2018, from https://energy.gov/sites/prod/files/cioprod/documents/DOE_Security_Architecture.pdf.
How to Cite
Sabillon, R. (2018). A Practical Model to Perform Comprehensive Cybersecurity Audits. Enfoque UTE, 9(1), pp. 127 - 137. https://doi.org/https://doi.org/10.29019/enfoqueute.v9n1.214
Computer Science, ICTs