An enterprise-style internal security audit project aligned with NIST guidance and cybersecurity governance best practices.
This hands-on project simulates a real-world internal audit engagement led by a cybersecurity risk and governance leader. It blends technical execution with strategic oversight to demonstrate how internal audits drive business alignment, compliance, and continuous improvement.
The audit approach is based on:
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-53 Control Families
- Industry audit standards (ISO 19011)
- Practical governance and risk management principles
The project demonstrates how to:
- Scope and plan an internal audit with business impact in mind
- Map security controls to NIST standards and identify compliance gaps
- Analyze policies, procedures, and system configurations
- Provide findings, risk ratings, and actionable recommendations
- Demonstrate the audit lifecycle, stakeholder reporting, and follow-up
Each stage of the audit is documented, covering:
- Scope, timeline, stakeholders, and objectives
- Alignment of audit goals with risk priorities and business context
- Mapping of internal controls to the NIST CSF
- Identification of gaps, setting the stage for control testing
- Hands-on walkthroughs and evidence gathering
- Interviews with control owners and technical validation
- Detailed procedures for testing security controls
- Coverage of access control, logging, backups, MFA, and more
- Documentation of risks identified during the audit
- Severity ratings and remediation recommendations
- Executive summary, key findings, and recommendations
- Professional reporting aligned to audit standards
- Frameworks: NIST Cybersecurity Framework (CSF), ISO 19011
- Skills Demonstrated:
  - Control gap analysis (NIST SP 800-53)
  - Audit planning
  - Control testing
  - Evidence collection logs
  - Policy and configuration reviews
  - Interviews with stakeholders
  - Risk-based audit ratings
  - Remediation tracking
Ideal for aspiring:
- Cyber Risk Managers
- GRC Analysts
- Internal Auditors
- Cybersecurity Professionals pivoting into audit or governance roles
This project is open source under the MIT License.