IT Security & Penetration Test
IT security audits and penetration tests are required by an increasing number of regulations — the EU Cyber Resilience Act, DORA, GDPR Article 32, and sector-specific cybersecurity rules. These reports provide independent verification of security posture.
What IT Security & Penetration Test Provides
Penetration Test Report
External and internal pentest reports detailing vulnerabilities found, exploitation paths, and remediation status. Required for CRA compliance and DORA ICT risk management.
Vulnerability Scan Results
Automated vulnerability scanning outputs (Nessus, Qualys, OpenVAS) with severity ratings and remediation tracking. Continuous security monitoring evidence for compliance frameworks.
ISO 27001 Audit Report
Information security management system (ISMS) audit findings from ISO 27001 certification audits. Provides independent assurance of security controls and processes.
Incident Response Records
Security incident logs, breach notification records, post-incident review reports. Evidence of incident detection and response capability required by GDPR, DORA, and CRA.
How It Connects to Sustalium
Upload security audit reports, penetration test findings, and vulnerability scan data to Sustalium. Results map to CRA compliance records, DORA ICT risk registers, GDPR security controls, and ISO 27001 evidence packages. Sustalium tracks remediation deadlines and re-test schedules.
Used by Compliance Frameworks
Governance & Trade
AI Ethics (EU AI Act)
Document responsible AI governance and compliance with EU AI Act requirements.
GDPR Compliance
Declare your data privacy and security practices for EU customers.
DORA (Digital Operational Resilience)
Demonstrate ICT operational resilience to meet the strict auditing requirements of the EU financial sector.
Canada AIDA (AI Governance)
Document your high-impact AI systems for safety, bias mitigation, and transparency to comply with Canadian law.
Frequently Asked Questions
What is IT security audit data in compliance?
IT security audit data encompasses penetration test reports, vulnerability scan results, information security audit findings, and security incident records that demonstrate an organisation's cybersecurity posture. Penetration tests simulate real-world attacks to identify exploitable vulnerabilities. Vulnerability scans provide automated identification of known vulnerabilities in systems and software. ISO 27001 audit reports provide independent assessment of information security management systems. Incident response records document security events and the organisation's response capability. This evidence is required by the EU Cyber Resilience Act, DORA, GDPR Article 32, and sector-specific cybersecurity regulations.
Why is IT security audit evidence important for compliance?
Cybersecurity regulations increasingly require documented evidence of security practices — not just policies and procedures. The EU Cyber Resilience Act requires manufacturers to conduct vulnerability testing and maintain documented test results. DORA requires financial entities to perform regular ICT risk assessments, penetration testing, and vulnerability management — all with documented evidence. GDPR Article 32 requires appropriate technical and organisational measures — security audit evidence demonstrates what measures are in place and that they are effective. Without documented IT security audit evidence, organisations cannot prove they have fulfilled their cybersecurity obligations.
What types of IT security audit evidence exist?
Penetration test reports document internal and external pentest methodology, findings, exploitation paths, evidence, and remediation status — required for CRA vulnerability reporting and DORA threat-led penetration testing (TLPT). Vulnerability scan results from tools like Nessus, Qualys, OpenVAS, and Rapid7 document detected vulnerabilities with severity ratings, affected systems, and remediation tracking. ISO 27001 audit reports from accredited certification bodies provide independent assessment of ISMS implementation and effectiveness. Incident response records document security incident timelines, detection methods, impact assessments, containment actions, and post-incident reviews — providing evidence of incident detection and response capability required by GDPR, DORA, and CRA.
How does Sustalium manage IT security audit evidence?
Security audit reports, penetration test findings, vulnerability scan exports, and incident response records are uploaded to Sustalium. Results map to the relevant cybersecurity compliance frameworks: pentest findings to CRA compliance records and DORA ICT risk registers, vulnerability scans to DORA vulnerability management requirements and ISO 27001 preventive action evidence, incident records to GDPR breach notification readiness and CRA after-market monitoring obligations. Sustalium tracks remediation deadlines and re-test schedules, ensuring that identified vulnerabilities are addressed within required timeframes and that evidence of remediation is documented.
Which compliance frameworks require IT security audit evidence?
The EU Cyber Resilience Act (CRA) requires manufacturers to conduct vulnerability testing and maintain documented evidence of vulnerability management throughout the product support period. DORA (Digital Operational Resilience Act) requires regular ICT risk assessments, penetration testing, and vulnerability management for financial entities. GDPR Article 32 requires documented security measures appropriate to the risks of processing personal data. The EU AI Act requires security testing evidence for high-risk AI systems. ISO 27001 requires internal audits, management reviews, and evidence of corrective actions. Sector-specific regulations (financial services, healthcare, critical infrastructure) have additional cybersecurity audit and testing requirements. Enterprise buyers increasingly require security audit evidence as a condition of procurement.
Have security audit data? Sustalium structures IT security evidence across all applicable frameworks.