Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

IT SECURITY AUDITS

IT security audits: prove you are compliant before the regulator checks

Compliance audits for DORA, NIS2, the Polish NIS Act and ISO 27001, plus technical audits of Active Directory, Entra ID and cloud. You get a report with concrete gaps and a remediation plan, ready to hand to an auditor.

DORA, NIS2, NIS Act, ISO 27001 alignmentTechnical audit of AD, Entra ID and cloudReport with remediation plan and prioritiesReady for a regulator audit

WHY IT MATTERS

Penalties for non-compliance are real now, and the deadline will not wait

DORA, NIS2 and the NIS Act impose hard duties and concrete deadlines. Non-compliance is not abstract, it is the risk of a fine, management liability and lost contracts.

An audit tells you exactly where you stand and what is missing to meet the requirement. Instead of a vague “improve security” you get a list of concrete gaps with priorities and a remediation path.

WHAT YOU GET

A report that ends the discussion with the auditor

01
Compliance assessment
Your actual state mapped onto the regulation, clearly showing what you meet and what you do not.
02
Gap list
Concrete non-conformities referenced to the requirement clause, no generalities.
03
Remediation plan
What to do, in what order and at what priority, to close compliance.
04
Technical audit
The real configuration of Active Directory, Entra ID and cloud, not just paper documentation.
05
Executive summary
Regulatory risk and decisions to make, in the language of liability and cost.
06
Implementation support
We help your team close gaps and, if needed, re-verify the result.

We match audit scope to the regulation that applies to you. Below are the audit types we run.

OUR APPROACH

An audit with a hand on the technology, not just the documents

Many auditors check policies and procedures. We also look inside: at the real Active Directory configuration, Entra ID permissions, cloud settings. Paper can be compliant while the environment is exposed.

The audit is run by people who attack these systems daily in penetration tests and hold credentials such as ISO 27001 Lead Auditor. That is why the report ties the regulatory requirement to real technical risk.

COMPLIANCE FRAMEWORKS

We cover the key regulatory duties

We map the audit directly onto the requirements of a specific regulation, so the report answers the auditor’s questions point by point.

DORA
Operational resilience for financial entities: ICT risk management, incidents, testing, third parties.
NIS2
Risk-management measures and reporting duties for essential and important entities.
NIS Act / CRA
The national cybersecurity system and the Cyber Resilience Act requirements for products with digital elements.
ISO 27001
Preparation and internal audit of the information security management system for certification.

STANDARDS & CERTIFICATIONS

We work to recognized methodologies, not gut feeling

Every project is run by certified pentesters and based on public standards. That makes the result repeatable, auditable and comparable across vendors.

Team certifications
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
OSCPOSCPOffSec
OSEPOSEPOffSec
OSWEOSWEOffSec
OSEDOSEDOffSec
OSWAOSWAOffSec
OSWPOSWPOffSec
BSCPBSCPPortSwigger
CPTSCPTSHack The Box
CBBHCBBHHack The Box
CWEECWEEHack The Box
CRTOCRTOZero-Point Security
CREST CRTCREST CRTCREST
CREST CPSACREST CPSACREST
ISO 27001 LAISO 27001 LAISO/IEC
Azure Security EngineerAzure Security EngineerMicrosoft
Security Operations AnalystSecurity Operations AnalystMicrosoft
Security AdministratorSecurity AdministratorMicrosoft
Regulations
DORANIS2NIS Act (KSC)Cyber Resilience Act
Standards
ISO/IEC 27001NIST CSFCIS ControlsOWASP ASVS 5.0.0
Technical areas
Active DirectoryEntra IDCloud (Azure, AWS)Hardening & configuration

We share the full list of certifications and standards on request, together with a sample test scope.

HOW WE DO IT

From regulatory scope to a remediation plan

01
Scope
We define which regulations and systems the audit covers, and the assessment criteria.
02
Data gathering
Documentation review, interviews and snapshots of the real environment configuration.
03
Gap analysis
We compare the actual state against requirements and technical good practice.
04
Prioritization
We order gaps by risk and impact on compliance, not alphabetically.
05
Report & plan
We deliver a report with a remediation plan, ready to present to an auditor.

EVIDENCE

Numbers behind every promise

Every test is run by certified pentesters, and we document the result with reproduction steps, evidence and a verified remediation path. Proof, not a promise.

500+
security tests and audits completed
5.0
average score from 10 verified Clutch reviews
20+
offensive certifications across the team
01
Certified team
20+ offensive certifications across the team (OSCP, OSEP, OSWE, CREST). Tests are run by our people, not anonymous subcontractors.
02
Manual testing
We work by hand to PTES and OWASP, chaining seemingly small flaws into a real, proven attack path.
03
Evidence, not a promise
Every finding comes with reproduction steps and a working proof. A report that holds up in front of an auditor.
04
Retest included
After fixes are deployed we confirm in writing that the gaps are closed. We do not vanish once the PDF is sent.

AUDIT TYPES

Pick the compliance area that applies to you

KNOWLEDGE

IT security audit in practice, step by step

What a security audit is, and what a penetration test is

An audit assesses whether configuration, processes and documentation meet regulatory requirements and good practice. A penetration test actively tries to bypass those controls. An audit answers whether you are compliant, a pentest answers whether you are resilient.

The best result comes from combining the two, and that is usually how we work. The audit points out coverage gaps and formal non-conformities, while the penetration test confirms whether controls that are compliant on paper actually hold up against an attacker.

Which regulations may apply to you

DORA applies to financial entities and requires ICT risk management, incident handling and regular resilience testing. NIS2 covers essential and important entities across many sectors and imposes risk-management measures and reporting duties, including on management. The Polish NIS Act governs the national cybersecurity system.

On top of that come the Cyber Resilience Act with requirements for products with digital elements, and ISO 27001 as a recognized standard for an information security management system. The first step of an audit is to establish which of these frameworks actually apply to you, because that determines the scope and assessment criteria.

How we run an audit: from documents to real configuration

Many auditors stop at reviewing policies and procedures. We also look inside: at the real Active Directory configuration, Entra ID permissions and cloud settings. A document can be compliant while the environment is exposed, and the difference only shows once you look at the configuration.

The audit is run by people who attack these same systems daily in penetration tests and hold credentials such as ISO 27001 Lead Auditor. That is why the report ties the regulatory requirement to real technical risk, rather than just ticking a checklist.

How to read the report and remediation plan

We deliver the report in a form that ends the discussion with the auditor. We tie every non-conformity to a specific requirement clause, describe the actual state and indicate exactly what needs to change. We order gaps by risk and impact on compliance, not alphabetically, so you know where to start.

The remediation plan is not general advice, it is a sequence of actions with priorities. Once fixes are implemented we can re-verify the closed gaps and confirm it in writing, which helps in an external audit and in the conversation with the board.

The audit as proof of compliance

Penalties for non-compliance have stopped being abstract. DORA, NIS2 and the NIS Act carry real consequences, including management liability, and partners increasingly require proof of security as part of due diligence. An audit delivers that proof in a form you can present.

We map the report directly onto the requirements of a specific regulation, documenting scope, method and evidence. As a result it is not an internal note but material ready to present to a regulator, a certification auditor or a business partner.

FAQ

Common questions

How is an audit different from a penetration test?

An audit assesses whether configuration and processes comply with requirements and good practice. A penetration test actively tries to bypass them. The best result comes from combining both, which is usually how we work.

Do you help close gaps after the audit?

Yes. The report includes a remediation plan, and our team can support implementation and re-verify closed gaps.

Is the report enough for the regulator?

We map the report directly onto a specific regulation and prepare it with an external audit in mind. We document scope, method and evidence.

Who runs the audit?

Auditors with industry credentials, including ISO 27001 Lead Auditor, who also know the offensive side from penetration testing.

CASE STUDIES

Case studies in this area

REFERENCES

“The project was delivered professionally and on time, with a strong grasp of both technology and business. We were impressed by their cybersecurity expertise and partnership approach.”
M
Mateusz Widenka
Head of Delivery, Order Group
Clutch★★★★★5.0 · 10 reviewsRead all reviews on Clutch

FIRST STEP

Start with a free consultation

Tell us what you want tested. Within 24 hours you get a proposed scope and next steps. You talk to a consultant who understands the technical side, not a salesperson.

Get in touch
No obligation · we reply within 24 h · your data stays confidential
Methodology
PTES · OWASP
Team
20+ certifications
Rating
5.0 on Clutch
What you get
A scope proposal matched to your risk
A report with evidence and reproduction steps
Remediation priorities by real impact
A retest after fixes are deployed
Asia, ElementricaKacper, ElementricaGrzesiek, Elementrica
A member of our team runs the call, and we reply within 24 hours. No bots, no call center.