IT Security Audit Checklist for Berlin SMBs: 7 Domains to Review Before a Breach
A security audit is not a penetration test. A pentest actively exploits vulnerabilities to demonstrate impact. A security audit is a structured review of your current controls, configuration, and processes against a defined baseline — identifying gaps before an attacker finds them. For most Berlin SMBs, a well-executed internal security audit delivers more immediate value than a pentest, because it addresses the configuration weaknesses that are far more commonly exploited than zero-day vulnerabilities.
This checklist covers the seven domains that matter most for a Berlin SMB operating under DSGVO and, increasingly, NIS2-adjacent requirements.
Domain 1: Identity and Access Management
- ☐ MFA enforced for all user accounts — no exceptions for senior management or shared accounts
- ☐ Legacy authentication protocols blocked (Basic Auth to Exchange, SMTP AUTH for non-service accounts)
- ☐ Privileged accounts (Global Admin, Domain Admin) used only when required — not as daily-use accounts
- ☐ Inactive accounts disabled or deleted — review accounts not active in 90+ days
- ☐ IT offboarding procedure tested: verify that departed employee accounts are fully disabled within 24 hours of termination
- ☐ Password policy enforced: minimum 12 characters, complexity, no password reuse across 10 cycles
- ☐ SSPR (Self-Service Password Reset) enabled to reduce helpdesk calls and eliminate password-reset-over-phone social engineering risk
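The first four items above are the ones an auditor can verify mechanically from a directory export rather than by asking. The script below is an added example, not tooling from the page or any vendor: it assumes an Entra ID or Active Directory export flattened into dicts with the fields shown, the account records are constructed sample data, and the "15 of the last 30 days" daily-use threshold is an assumption, not a figure from the checklist.

```python
"""Domain 1 identity checks run over an exported account list (added example).

Assumes the directory export has been flattened into dicts with the fields
used below; the sample records and AUDIT_TIME are constructed.
"""
from datetime import datetime, timedelta

INACTIVE_DAYS = 90           # checklist: accounts not active in 90+ days
OFFBOARD_HOURS = 24          # checklist: disabled within 24 hours of termination
DAILY_USE_SIGNIN_DAYS = 15   # assumed threshold: privileged account seen on 15+ of the last 30 days
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins"}

# Constructed sample export. Timestamps are ISO 8601; None = never signed in.
# signin_days_30d = distinct days with a sign-in during the last 30 days.
SAMPLE_ACCOUNTS = [
    {"upn": "anna@example.test", "enabled": True, "mfa": True, "roles": [],
     "last_sign_in": "2024-05-20T08:15:00", "signin_days_30d": 19, "terminated": None},
    {"upn": "ceo@example.test", "enabled": True, "mfa": False, "roles": [],
     "last_sign_in": "2024-05-21T09:00:00", "signin_days_30d": 21, "terminated": None},
    {"upn": "admin-shared@example.test", "enabled": True, "mfa": True,
     "roles": ["Global Administrator"],
     "last_sign_in": "2024-05-21T07:30:00", "signin_days_30d": 22, "terminated": None},
    {"upn": "intern@example.test", "enabled": True, "mfa": True, "roles": [],
     "last_sign_in": "2024-01-10T12:00:00", "signin_days_30d": 0, "terminated": None},
    {"upn": "leaver@example.test", "enabled": True, "mfa": True, "roles": [],
     "last_sign_in": "2024-05-15T17:45:00", "signin_days_30d": 8,
     "terminated": "2024-05-17T18:00:00"},
    {"upn": "svc-backup@example.test", "enabled": False, "mfa": False, "roles": [],
     "last_sign_in": None, "signin_days_30d": 0, "terminated": None},
]
AUDIT_TIME = datetime(2024, 5, 21, 12, 0)  # constructed "now" for the sample


def _ts(value):
    """Parse an ISO 8601 timestamp from the export, or None if absent."""
    return datetime.fromisoformat(value) if value else None


def audit_identity(accounts, now):
    """Return {finding: sorted list of UPNs} for the enabled accounts."""
    findings = {"no_mfa": [], "inactive": [], "privileged_daily_use": [],
                "offboarding_overdue": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to enforce
        upn = acct["upn"]
        last = _ts(acct["last_sign_in"])

        # MFA for every account, including executives and shared mailboxes
        if not acct["mfa"]:
            findings["no_mfa"].append(upn)

        # never signed in, or silent for 90+ days
        if last is None or now - last >= timedelta(days=INACTIVE_DAYS):
            findings["inactive"].append(upn)

        # privileged role used like a day-to-day account
        if set(acct["roles"]) & PRIVILEGED_ROLES and \
                acct["signin_days_30d"] >= DAILY_USE_SIGNIN_DAYS:
            findings["privileged_daily_use"].append(upn)

        # terminated more than 24 hours ago but still enabled
        term = _ts(acct["terminated"])
        if term and now - term > timedelta(hours=OFFBOARD_HOURS):
            findings["offboarding_overdue"].append(upn)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample_audit():
    """Run the checks against the constructed export."""
    return audit_identity(SAMPLE_ACCOUNTS, AUDIT_TIME)


if __name__ == "__main__":
    for finding, upns in run_sample_audit().items():
        print(f"{finding}: {', '.join(upns) or '-'}")
```

Each finding maps to one checklist line, so the script's output can be pasted straight into the audit record as evidence for that item; the real export replaces SAMPLE_ACCOUNTS and `datetime.now()` replaces AUDIT_TIME.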
Domain 2: Endpoint Security
- ☐ Endpoint Detection and Response (EDR) deployed on all Windows and macOS devices — verify coverage, not just policy existence
- ☐ OS and application patch compliance: all devices within 14 days of critical security updates
- ☐ Disk encryption enabled and recovery keys escrowed (BitLocker/FileVault)
- ☐ Local administrator rights removed from standard users — users should not have local admin on company devices
- ☐ USB/removable media policy defined and enforced
- ☐ Device compliance checked against MDM baseline (Intune compliance report or equivalent)
- ☐ Screen lock timeout set to 5 minutes or less on all devices
Domain 3: Email Security
- ☐ SPF record published and valid — include all legitimate sending sources, end with -all (hard fail)
- ☐ DKIM signing configured for your domain in M365 or your email platform
- ☐ DMARC published with at least p=quarantine — p=reject is the hardened target
- ☐ Anti-phishing policies configured in Microsoft Defender for M365 — impersonation protection for your domain and key executives
- ☐ Safe Links and Safe Attachments enabled (Defender for Office 365 Plan 1)
- ☐ External email warning tag enabled — users see a banner when email comes from outside the organisation
- ☐ Email forwarding to external addresses audited — auto-forwarding rules to Gmail or personal accounts are a data exfiltration risk
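The SPF and DMARC items can be verified from the published TXT records alone. The evaluator below is an added example, not code from the page; it takes the record text you have already fetched and reports whether it meets the checklist (SPF ending in -all, DMARC at p=quarantine or better). It also applies the RFC 7208 limit of 10 DNS-querying terms, since an SPF record that exceeds it is not "valid" even if it ends in -all. The sample records are constructed.

```python
"""SPF and DMARC record checks for the Domain 3 items (added example).

Evaluates TXT record text that was fetched separately; no network access.
"""

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIERS = "+-~?"


def _name(term):
    """Mechanism/modifier name without qualifier, argument or CIDR suffix."""
    t = term.lstrip(QUALIFIERS).lower()
    for sep in (":", "/", "="):
        t = t.split(sep, 1)[0]
    return t


def evaluate_spf(txt):
    """Return (meets_checklist, reason) for one SPF TXT record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record (must start with v=spf1)"
    lookups = sum(1 for t in terms[1:] if _name(t) in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        return False, f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}; receivers return permerror"
    last = terms[-1]
    if _name(last) != "all":
        return False, "record does not end with an 'all' mechanism"
    qualifier = last[0] if last[0] in QUALIFIERS else "+"
    if qualifier == "-":
        return True, "hard fail (-all) for unlisted senders"
    if qualifier == "~":
        return False, "soft fail (~all): unlisted senders are only flagged, tighten to -all"
    return False, f"'{qualifier}all' lets any host send as this domain"


def evaluate_dmarc(txt):
    """Return (meets_checklist, reason) for one DMARC TXT record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return False, "not a DMARC record (must start with v=DMARC1)"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return False, "missing or invalid p= tag"
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        return False, "invalid pct= tag"
    if policy == "none":
        return False, "p=none only reports; spoofed mail is still delivered"
    if pct < 100:
        return False, f"p={policy} is applied to only {pct}% of failing mail"
    if policy == "quarantine":
        return True, "p=quarantine meets the minimum; p=reject is the hardened target"
    return True, "p=reject (hardened target)"


if __name__ == "__main__":
    # constructed sample records, not real domains
    for record in ("v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
                   "v=spf1 include:spf.protection.outlook.com ~all"):
        print("SPF  ", evaluate_spf(record))
    for record in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.test",
                   "v=DMARC1; p=quarantine; pct=25"):
        print("DMARC", evaluate_dmarc(record))
```

Feed it the output of `dig TXT yourdomain.example` and `dig TXT _dmarc.yourdomain.example`; the reason string is the remediation note for the checklist line. DKIM is deliberately not covered here because its selector names are platform-specific and are not visible from the apex record.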
Domain 4: Network Security
- ☐ Firewall firmware current — check vendor advisory for your model and version
- ☐ Remote access reviewed — if you use VPN, verify MFA is enforced at the VPN gateway, not just the corporate network
- ☐ Wi-Fi networks segmented — guest Wi-Fi on a separate VLAN, IoT devices isolated from corporate endpoints

- ☐ Inbound firewall rules audited — remove any rules with source “any” that aren’t operationally required
- ☐ RDP access reviewed — RDP should never be exposed directly to the internet (TCP 3389). Use Azure Bastion, VPN, or RDS Gateway instead.
- ☐ DNS filtering active — block known malicious domains at the DNS resolver layer (Cloudflare Gateway, Cisco Umbrella, or equivalent)
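The inbound-rule and RDP items can be checked from a rule export instead of by clicking through the firewall UI. The script below is an added example and not code from the page or any firewall vendor: it assumes the rule set has been exported into a vendor-neutral list of dicts with the fields shown (most firewalls export to CSV or JSON that can be mapped onto these), and the rules themselves are constructed samples.

```python
"""Inbound firewall rule audit for the Domain 4 items (added example).

Flags (a) RDP reachable from any source and (b) 'any'-source allows that
carry no documented operational justification. Rule records are constructed.
"""
RDP_PORT = 3389
ANY_SOURCES = {"any", "*", "0.0.0.0/0", "::/0"}

# Constructed sample export, simplified to the fields the checks need.
SAMPLE_RULES = [
    {"name": "allow-web", "direction": "inbound", "action": "allow", "source": "any",
     "proto": "tcp", "ports": "443", "justification": "public website"},
    {"name": "allow-rdp-legacy", "direction": "inbound", "action": "allow", "source": "any",
     "proto": "tcp", "ports": "3389", "justification": ""},
    {"name": "allow-vpn", "direction": "inbound", "action": "allow", "source": "0.0.0.0/0",
     "proto": "udp", "ports": "1194", "justification": "VPN gateway, MFA enforced"},
    {"name": "allow-smb-branch", "direction": "inbound", "action": "allow",
     "source": "10.20.0.0/16", "proto": "tcp", "ports": "445", "justification": "branch file share"},
    {"name": "allow-mgmt", "direction": "inbound", "action": "allow", "source": "any",
     "proto": "tcp", "ports": "3380-3400", "justification": ""},
    {"name": "allow-monitoring", "direction": "inbound", "action": "allow", "source": "*",
     "proto": "tcp", "ports": "8443", "justification": ""},
    {"name": "deny-all", "direction": "inbound", "action": "deny", "source": "any",
     "proto": "any", "ports": "any", "justification": "default deny"},
]


def _port_range(spec):
    """Parse 'any', '443' or '3380-3400' into an inclusive (low, high) tuple."""
    if spec == "any":
        return 0, 65535
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low), int(high)
    return int(spec), int(spec)


def audit_inbound_rules(rules):
    """Return a list of (rule name, severity, finding) for inbound allow rules."""
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        open_to_world = rule["source"].strip().lower() in ANY_SOURCES
        if not open_to_world:
            continue  # scoped sources are reviewed separately
        low, high = _port_range(rule["ports"])
        tcp = rule["proto"].lower() in ("tcp", "any")
        if tcp and low <= RDP_PORT <= high:
            # a range that merely contains 3389 exposes RDP just as a single-port rule does
            findings.append((rule["name"], "critical",
                             "RDP (TCP 3389) reachable from the internet; front it with VPN, RDS Gateway or Azure Bastion"))
        elif not rule["justification"].strip():
            findings.append((rule["name"], "high",
                             "source 'any' with no documented operational need; remove or scope the source"))
    return findings


if __name__ == "__main__":
    for name, severity, text in audit_inbound_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {text}")
```

Note that `allow-mgmt` is flagged even though 3389 never appears in it literally: port ranges are the usual way an RDP exposure survives a rule review, so the check tests containment rather than string equality.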
Domain 5: Backup and Recovery
- ☐ All business-critical data backed up — confirm scope: on-premise servers, cloud VMs, M365 (Exchange, SharePoint, OneDrive), and SaaS applications
- ☐ Backup follows the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite
- ☐ Backup is immutable or air-gapped — ransomware cannot reach and encrypt your backups
- ☐ Recovery test completed within the past 6 months — a backup never tested for restore is not a backup
- ☐ Recovery time documented: how long does it take to restore your most critical systems from backup?
- ☐ M365 data backed up via third-party solution (Veeam, Acronis, Datto) — Microsoft retains M365 data for a limited time only; it is not a backup
Domain 6: Data Protection (DSGVO)
- ☐ Processing activities documented (Verzeichnis von Verarbeitungstätigkeiten / VVT) — required for all controllers under DSGVO Article 30
- ☐ Data processor agreements (AVV / Auftragsverarbeitungsverträge) in place with all vendors processing personal data on your behalf
- ☐ Data retention periods defined and enforced — personal data not retained longer than necessary
- ☐ Data breach response procedure documented — you have 72 hours to notify the Berliner Beauftragte für Datenschutz under DSGVO Article 33
- ☐ Personal data transfer outside the EU assessed — if you use US-based SaaS vendors, verify SCCs (Standard Contractual Clauses) or EU hosting
- ☐ Privacy policy current and accurate on your website
Domain 7: Security Awareness
- ☐ Phishing simulation conducted in the past 12 months — users who click simulated phishing receive immediate training
- ☐ Security awareness training completed by all staff — minimum annual, quarterly preferred for high-risk roles (finance, HR, executives)
- ☐ Social engineering procedure defined: what should an employee do if they receive a suspicious call claiming to be IT support or their bank?
- ☐ Incident reporting process communicated — employees know how and where to report a suspected security incident
- ☐ IT asset return procedure for remote employees documented and tested
Scoring and Prioritisation
After completing the audit, score each domain by the percentage of controls in place:
| Score | Status | Action |
|---|---|---|
| 0-40% | High Risk | Immediate remediation — prioritise identity, endpoint, backup |
| 41-70% | Moderate Risk | 30-60 day remediation plan, address highest-impact gaps first |
| 71-90% | Solid Baseline | Close remaining gaps, consider penetration test to validate technical controls |
| 91-100% | Advanced Posture | Maintain and test — schedule annual audit and quarterly review |
For most Berlin SMBs conducting this audit for the first time, the identity and backup domains surface the most critical gaps. MFA is still not universally enforced in SMBs, and tested backup restoration is the exception rather than the rule. Both are high-value, achievable improvements that materially reduce your exposure.
Who Should Conduct the Audit
An internal IT team can run this checklist, but there are structural limitations: the person managing the infrastructure is auditing their own work. For DSGVO compliance documentation or board/investor reporting, an independent audit by a third party carries more weight and surfaces blind spots that internal teams normalise over time.
If you want an independent review of your security posture against this baseline, our free IT assessment covers the identity, endpoint, email, and backup domains and gives you a prioritised remediation list within one week.