Security Audits & Testing.
The worst time to find a gap is when the auditor is sitting across the table. Our internal audit and testing services find every non-conformity before it costs you a certification — or a contract.
Know Your Gaps Before the Auditor Does
A company invests 6 months and €50,000 in certification preparation, walks into the official assessment, and fails on a major non-conformity that could have been caught in week 3. This scenario is avoidable. Internal auditing is the quality control mechanism for your implementation — it finds the gaps while there's still time to close them.
ITIS-Secure's audit services are independent, rigorous internal assessments conducted by the same people who prepare clients for official certification. Our auditors know what VDA ISA 6.0 assessors look for, what ISO27001 auditors scrutinise first, and where companies consistently fail.
Every audit ends with a written report, a prioritised remediation plan, and a clear picture of certification readiness. No vague findings, no unexplained scores — just the specific actions needed to close the gap between where you are and where your certification body expects you to be.
Our Audit & Testing Services
Every service delivers a written, actionable report — because enterprise buyers need to know exactly what they're getting.
Gap Analysis
A structured assessment of your current security posture against your target framework — identifying what controls exist, what's missing, and what requires remediation.
Gap Analysis Report — control-by-control assessment, RAG status, remediation priorities, estimated effort to close.
Companies starting a certification programme or unsure of their current compliance posture.
Book a Gap Analysis →
Internal Audit Programme
A systematic internal audit of your ISMS and controls against your target standard, conducted by a qualified lead auditor. Generates the audit evidence that certification bodies require to see. Note: This is an internal assessment that prepares you for official certification — it is not the official certification audit itself.
Formal Internal Audit Report — findings, nonconformities (major/minor), observations, and corrective action register.
Companies with an existing ISMS who need to demonstrate continual improvement and audit programme compliance.
Book an Internal Audit →
Risk Assessment
A structured information security risk assessment — threat identification, vulnerability analysis, impact and likelihood scoring, and risk treatment planning using recognised methodology.
Risk Assessment Report + Risk Treatment Plan + Risk Register + Statement of Applicability input.
Organisations at the start of their ISMS journey or those due for their annual risk assessment review.
Book a Risk Assessment →
Penetration Testing & Vulnerability Assessment
Technical security testing — vulnerability scanning, network penetration testing, web application testing, social engineering assessments — to identify exploitable weaknesses in your environment.
Technical Penetration Test Report — vulnerabilities found, CVE references, CVSS scores, and prioritised remediation guidance.
Companies needing technical evidence of control effectiveness for certification, or those wanting to validate their security posture.
Request Penetration Testing →
Pre-Certification Mock Audit
A full simulation of the official certification assessment — conducted by our lead auditors using the same methodology, evidence requests, and interview process that official assessors use.
Mock Audit Report — assessment findings, certification readiness score, and a specific action list to close before the official assessment date.
Companies 4–8 weeks from their official certification date who want certainty they will pass.
Book a Mock Audit →
Supplier & Third-Party Audits
Assessment of your vendors, suppliers, and third-party service providers against your information security requirements — meeting ISO27001 Clause 8.4 and TISAX prototype protection requirements.
Third-Party Audit Report per supplier + consolidated risk register for your vendor portfolio.
Companies with contractual obligations to audit their supply chain, or those preparing for TISAX TPISR assessment.
Discuss Supplier Audits →
How Our Audit Process Works
A structured, repeatable approach that delivers clear results within days.
Scoping
We define the audit scope, agree the framework version and criteria, and align on audit objectives and timelines.
Day 1
Evidence Review
We review your policies, procedures, risk assessments, records, and technical evidence against the framework requirements.
Interviews & Walkthroughs
We interview key personnel and conduct technical walkthroughs to validate that controls are operating as documented.
Report & Remediation
We deliver a written audit report with every finding classified, a corrective action register, and a prioritised remediation roadmap.
Within 5 working days



