NCSC Audit and Review

SKU: 4949
Format: Consultancy

Obtain government-mandated standard certification or framework/guideline compliance with our NCSC-certified Audit and Review service.

An NCSC-certified Audit and Review service from IT Governance will put you on the right track towards achieving government-required standards, frameworks, policies and guidelines. Held to the highest standards, an Audit and Review will identify vulnerabilities, prioritise them by level of risk and develop a plan of action to remediate the threats.


The objective of the NCSC Audit and Review service is to provide independent risk- and compliance-based audit assessments of an organisation’s conformance with UK government security objectives, policies, standards and processes, such as the Security Policy Framework, the National Cyber Security Strategy, 10 Steps to Cyber Security, the Information Assurance Maturity Model and the NIS Directive, as well as other relevant industry or private-sector standards and schemes such as ISO 27001 (ISMS), Cyber Essentials, the Cloud Security Principles and the CIS 20 Critical Controls.

The Audit and Review service typically involves providing support, guidance and advice in the following areas:


Audit planning

  • Audit scoping meeting and identifying the most appropriate audit for the client’s needs.
  • Developing audit plans and audit regimes that match the organisation’s business needs and are in line with organisational risk to ensure the smooth running of the audit.
  • Verifying that information processes meet the security criteria, requirements or policy, standards and procedures.


Definition and execution of audit-related processes

  • Defining and implementing processes and techniques to verify ongoing conformance to security policies, standards, and legal and regulatory requirements.
  • Carrying out security compliance and risk-based audits in accordance with an appropriate and suitable methodology, standard or framework.


Evaluation of findings

  • Assessing the management of information risk across the organisation or business unit.
  • Objectively assessing the maturity of the audit and risk function using cross-government benchmark standards.
  • Providing impartial assessment and audit reports covering security compliance and risk-based audits, investigations and information risk management.
  • Providing an independent opinion on whether control objectives are being met.
  • Identifying the organisation’s systemic trends and weaknesses in security.



  • Recommending responses to audit findings and appropriate corrective action.
  • Recommending appropriate security controls from the most appropriate frameworks and standards using a wide range of sources such as ISO 27001/2, 10 Steps to Cyber Security, Cyber Essentials, the Security Policy Framework, etc.
  • A roadmap for mitigating findings and achieving compliance.
  • Recommending controls, efficiencies and cost-effective options to address the non-compliance issues and information assurance gaps that have been identified during the audit process.



  • The main output of the Audit and Review is a detailed audit report.
  • An executive summary of critical findings and recommendations.
  • Clear and concise findings for each of the audited sections.
  • A prioritised roadmap to compliance with the applicable standard, framework or policy.
  • Recommendations for remediating the findings.
  • The audit findings and recommendations can also be delivered via a face-to-face presentation.


Follow-up

  • Following up on corrective actions, where applicable, to check that highlighted risks and findings have been adequately mitigated.
  • Engagement in follow-up projects recommended as part of the audit, such as penetration tests.


Average length of time of an audit and review consultancy

  • Typical consultancy projects last five days for small organisations evaluating a single standard or framework. However, actual duration largely depends on the organisation’s size and complexity.


Only Certified Cyber Professionals (CCPs) work on your projects

The CCP Scheme is the UK government’s approved standard of competence for cyber security/information assurance professionals, and provides an independent assessment and verification process for those working in these fields.

All NCSC Audit and Review consultancy projects are carried out by our duly qualified CCPs.


Benefits of an NCSC-certified Audit and Review

  • NCSC-approved consultancy service.
  • CCP consultants assigned to oversee projects.
  • Tailored to the standards and frameworks required.
  • Establishes trust and confidence with clients.
  • Provides the required level of assurance.
  • Reduces overall organisational and operational risk.


Who is it designed for?

The NCSC Audit and Review consultancy service from IT Governance is primarily designed for public sector and critical national infrastructure organisations of any size that require independent risk and compliance-based audit assessments. It is also beneficial for private-sector organisations that seek to provide a high level of assurance and instil confidence among their public-sector customers and stakeholders.


Download free resources

Pricing document

Service description



Why choose IT Governance?

IT Governance is a leader in the field of information management standards and best-practice IT governance. Fully certified and with more than 15 years of experience, we have helped global organisations in the private and public sectors obtain local and international regulatory accreditations.

We offer a complete set of products and services, including consultancy, penetration testing, audits, books, toolkits, training courses and staff awareness for IT governance, risk management, cyber security, regulatory compliance and data protection. This means you can get whatever you need for your project in one place.

IT Governance is duly recognised under the following frameworks:

  • UK government CCS-approved supplier of G-Cloud 9 services
  • NCSC certified for Audit and Review consultancy
  • CREST certified as ethical security testers
  • Cyber Essentials Plus certified, the UK government-backed cyber security certification scheme
  • ISO 27001 certified, the world’s most recognised cyber security standard

For more information, call +44 (0)333 800 7000 or email
