Security Controls Insurers Require
Cyber Security Audit: What It Covers and Why Insurers Require It
A cyber security audit is a structured review of how well your organisation actually protects its systems and data, measured against a known standard rather than a gut feeling. For most UK small and mid-sized firms it has stopped being optional: insurers ask about it before they quote, larger customers demand evidence of it in contracts, and it is the fastest way to find the gaps an attacker would use. This guide explains what an audit covers, how it differs from the other security checks you keep hearing about, and how to prepare so it goes smoothly.
If you are reading this because a renewal form or a supplier questionnaire mentioned an audit, you are in the right place. We will keep it in plain English and focus on what a non-technical owner or office manager needs to arrange and evidence.
What a cyber security audit actually is
A cyber security audit is a point-in-time assessment that checks your security controls, policies and configurations against a benchmark, then reports where you meet it and where you fall short. The benchmark might be a formal framework like ISO 27001, the government’s Cyber Essentials scheme, or an insurer’s own questionnaire. The output is a findings report: what is in place, what is missing, and what to fix first.
People use several terms for roughly the same thing. An IT security audit and a cyber security audit overlap heavily; the first sometimes leans more towards hardware, licensing and IT governance, while the second focuses on threats and defences. A GDPR audit is narrower again, concentrating on how you handle personal data. In practice a good audit touches all of these, because insurers and regulators care about the whole picture. We cover the data-protection side separately in our GDPR audit guide.
What it covers
Security audit procedures vary by provider, but a thorough cyber security audit reviews most of the following:
- Access management. Who can log in to what, whether accounts are removed when people leave, and whether administrator rights are limited to the people who genuinely need them.
- Multi-factor authentication. Whether MFA is enforced on email, remote access and cloud services, which is now the single control insurers ask about most.
- Patching and updates. Whether operating systems and software receive security updates promptly, and whether anything unsupported is still in use.
- Malware protection and device security. Anti-malware or endpoint detection, and how laptops, phones and any bring-your-own devices are secured.
- Backups. Whether backups exist, are kept separate from the live network, and have actually been tested by restoring from them.
- Network and firewall configuration. Boundary firewalls, secure configuration of servers and cloud services, and how remote and home working is handled.
- Policies and people. Written policies, staff awareness of phishing, and how incidents are reported.
- Incident response. Whether there is a written plan for what happens after a breach, and who is responsible.
The audit checks not just that these exist on paper, but that they are switched on and working. That distinction is where most firms lose marks.
How it differs from a pen test and Cyber Essentials
These three get muddled constantly, so it is worth being precise.
A penetration test is an active, hands-on attempt to break into your systems the way an attacker would. It finds specific technical vulnerabilities. An audit is broader and more procedural: it reviews controls, policies and evidence across the whole organisation. Many businesses need both, and we explain the technical side in our guide to penetration testing for UK businesses.
Cyber Essentials is a specific certification against five technical controls, backed by the National Cyber Security Centre. The self-assessment tier is verified by a certification body, while Cyber Essentials Plus adds a hands-on technical audit by a qualified assessor. From April 2026 the scheme tightened its requirements, including a minimum 12-character password rule and a rule that cloud services holding business data can no longer be carved out of scope. You can read the current control set on the NCSC Cyber Essentials overview and the official scheme detail at IASME. A cyber security audit is wider than Cyber Essentials but often uses those five controls as its backbone, because they map neatly onto what insurers expect. See our Cyber Essentials certification guide for the certification route specifically.
Why insurers require it
Cyber insurers price risk, and they cannot price what they cannot see. An audit gives them evidence that the controls they care about, MFA, tested backups, patching and access control, are genuinely in place. If your proposal form claims MFA everywhere and a later claim reveals it was never enforced, the insurer can reduce or refuse the payout. That is why the honest answer on the questionnaire matters more than the impressive one, and why an audit before you apply protects you at claim time. This links directly to what your policy will and will not pay for, which we break down in what cyber insurance covers and its exclusions.
How to prepare
You do not need a security team to get ready. Gather an up-to-date list of your devices, users and cloud services, confirm MFA is on for email and remote access, check that a recent backup has actually been restored and not just scheduled, and remove any accounts belonging to people who have left. Write down your basic policies even if they are short. Fixing the obvious gaps before the audit turns a long list of failings into a clean report, and a clean report turns into a cheaper, safer insurance renewal.
Frequently asked questions
What is a cyber security audit? It is a structured review of your organisation’s security controls, policies and configurations against a recognised benchmark, ending in a report that shows what you have in place and what needs fixing. It gives insurers, customers and your own board evidence of how well you are actually protected.
How is a cyber security audit different from a penetration test? An audit reviews controls, policies and evidence across the whole organisation, while a penetration test actively tries to break into your systems to find specific technical weaknesses. They answer different questions, and many businesses benefit from doing both.
Do insurers require a cyber security audit? Increasingly, yes. Cyber insurers want evidence that key controls like multi-factor authentication, tested backups and prompt patching are in place before they quote, and inaccurate answers on a proposal form can reduce a future claim. An audit provides that evidence and protects you at claim time.
Is Cyber Essentials the same as a cyber security audit? No. Cyber Essentials is a specific certification against five technical controls, whereas a cyber security audit is a broader review that often uses those controls as a starting point but also looks at policies, incident response and third-party risk.
How often should we run a cyber security audit? Most firms audit at least annually, which lines up with insurance renewals and the annual Cyber Essentials cycle. You should also run one after any major change, such as a new office, a shift to home working, or a significant new cloud system.