Korur
CONFIDENTIAL

Cybersecurity Report

Acme B.V.

Report date: 2026-05-02
Report number: KOR-2026-042
Prepared by: Korur Consultancy

Executive Summary

During the cybersecurity audit at Acme B.V., 17 control points were reviewed across five categories. The organisation scores strongly on baseline security such as MFA, email filtering and data encryption, but structural improvements are needed around backup testing, network segmentation and compliance administration. This report contains the direct fixes applied on site, together with a phased remediation plan for the outstanding items.

Total Score

Passed: 6 (35%)
Failed: 6 (35%)
Partial: 4 (24%)
Not applicable: 1 (6%)

Audit Scope

The audit took place on 2 May 2026 at the Utrecht location. The following areas were examined: identity management, data protection, incident response, infrastructure (office + cloud), and GDPR compliance. Out of scope: penetration testing, source-code audit, and physical security.

Architecture Diagrams

Network & Resource Topology

Overview of all internet-facing and internal network components.

Kubernetes Cluster Layout

Workload, namespace and persistent storage layout.

IAM Roles & Trust

Role hierarchy, access rights and MFA gates per identity group.

Security Checklist

6 of 17 passed

Access Control

2/5 passed
AC-01
Passed

Multi-Factor Authentication (MFA) active on all accounts

Finding
MFA is active for Microsoft 365 and VPN accounts, with fallback via authenticator app.
Recommendation
No action required. Plan an annual review covering new services and leavers.
AC-02
Failed

Privileged Access Management - separate admin accounts

Finding
Five employees use their regular account for administrative tasks; there are no separate admin accounts.
Recommendation
Create dedicated admin accounts (suffix '-adm'), restrict everyday access to the daily-tasks account, and log every escalation.
AC-03
Partial

Single Sign-On (SSO) implemented

Finding
SSO is active for Microsoft 365 and Slack, but accounting (Exact Online) and CRM (Pipedrive) use separate logins.
Recommendation
Configure SAML/OIDC federation for Exact Online and Pipedrive in the existing Azure AD tenant.
AC-04
Passed

Password manager rolled out to the whole organisation

Finding
1Password Business has been rolled out with per-department team vaults. Adoption is 100% across all 21 employees.
Recommendation
No action required. Keep the vault structure up to date for new hires and leavers.
AC-05
Failed

Break-glass (emergency access) account defined and secured

Finding
There is no documented break-glass account for emergencies; if Azure AD becomes unavailable there is no alternative access route.
Recommendation
Create an offline-stored emergency account, place the credentials in a sealed envelope inside a locked safe, and test annually.

Data Protection

1/3 passed
DP-01
Failed

Automated backups with a tested restore procedure

Finding
Daily backups run to the NAS, but no restore test has been performed in the last 14 months. It is unknown whether the backups are usable.
Recommendation
Run a quarterly restore test against a staging environment, document the RTO/RPO, and verify backup encryption.
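As an added example (not part of Korur's report or tooling), a Python check of the kind a quarterly restore test could record: it compares every file restored into staging against the SHA-256 manifest written at backup time and checks the result against recovery objectives. The RTO/RPO values, file names and contents are constructed for this example; the real objectives are what the recommendation asks to be documented.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed recovery objectives for this example; the report asks that the real RTO/RPO be documented.
RPO = timedelta(hours=24)
RTO = timedelta(hours=4)

# Constructed sample backup set (names and contents are made up), plus the time the job ran.
BACKUP_TAKEN_AT = datetime(2026, 5, 1, 2, 0, tzinfo=timezone.utc)
SOURCE_FILES = {
    "crm/contacts.db": b"id,name\n1,Alice\n2,Bob\n",
    "finance/ledger-2026.xlsx": b"PK\x03\x04 ledger bytes",
    "hr/contracts.pdf": b"%PDF-1.7 contract bytes",
}

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Digest every file at backup time; store the manifest beside the backup set."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

@dataclass
class RestoreReport:
    missing: list = field(default_factory=list)    # in manifest, absent after restore
    corrupted: list = field(default_factory=list)  # present but digest differs
    rpo_met: bool = False                          # backup age within RPO when tested
    rto_met: bool = False                          # restore finished within RTO

    @property
    def usable(self) -> bool:
        return not (self.missing or self.corrupted) and self.rpo_met and self.rto_met

def verify_restore(restored: dict[str, bytes], manifest: dict[str, str], taken_at: datetime,
                   checked_at: datetime, restore_duration: timedelta) -> RestoreReport:
    """Compare a staging restore against the manifest and the recovery objectives."""
    report = RestoreReport()
    for name, expected in manifest.items():
        if name not in restored:
            report.missing.append(name)
        elif hashlib.sha256(restored[name]).hexdigest() != expected:
            report.corrupted.append(name)
    report.rpo_met = (checked_at - taken_at) <= RPO
    report.rto_met = restore_duration <= RTO
    return report

def staging_test(restored: dict[str, bytes], age_hours: float, restore_minutes: float) -> RestoreReport:
    """Run the check against the constructed backup set, age_hours after the job ran."""
    return verify_restore(restored, build_manifest(SOURCE_FILES), BACKUP_TAKEN_AT,
                          BACKUP_TAKEN_AT + timedelta(hours=age_hours), timedelta(minutes=restore_minutes))
```

A restore that comes back with a truncated or missing file, or one tested long after the backup ran, is reported as not usable, which is exactly the question the 14-month gap leaves open.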
DP-02
Passed

Data encrypted at rest (storage, databases)

Finding
BitLocker is active on all laptops; Azure Storage and SQL are encrypted with platform-managed keys.
Recommendation
No action required. Consider customer-managed keys for sensitive datasets in the longer term.
DP-03
Partial

Data classification policy documented

Finding
A draft policy from 2024 exists, but it has not been updated for the new AI tools and formal sign-off is missing.
Recommendation
Update the policy, have it signed off by management, and apply labels in Microsoft Information Protection.

Incident Response

1/3 passed
IR-01
Passed

Written Incident Response Plan in place

Finding
IR plan v2.1 (Jan 2026) is in place, with roles, escalation path and communication tree.
Recommendation
No immediate action. Schedule a review after every significant change to the IT environment.
IR-02
Failed

IR plan tested (tabletop exercise) in the last 12 months

Finding
The last exercise was in October 2024. Current staff have never walked through the procedure.
Recommendation
Schedule a half-yearly tabletop exercise with scenarios: ransomware, email compromise, and data breach.
IR-03
Partial

External incident contacts (CERT, insurer) documented

Finding
The insurer is listed in the IR plan; CERT.NL and legal counsel are missing from the contact list.
Recommendation
Add the CERT.NL reporting line and a cyber-legal lawyer to the IR contact list, including their 24/7 phone number.

Infrastructure

1/3 passed
INFRA-01
Passed

DDoS protection active on internet-facing endpoints

Finding
Cloudflare Pro is active for the primary domains, with rate limiting and bot management enabled.
Recommendation
No action required. Monitor Cloudflare statistics monthly for anomalous patterns.
INFRA-02
Failed

Strong Wi-Fi password and network segmentation

Finding
The office network uses a shared WPA2 password (in place since 2022) and has no separate guest or IoT VLAN.
Recommendation
Migrate to WPA3-Enterprise with Azure AD integration, and configure three VLANs: Staff, IoT, Guest.
INFRA-03
Partial

Patch management - OS + application updates < 30 days

Finding
Windows Update runs automatically, but 4 servers and 2 line-of-business applications are over 60 days behind on patches.
Recommendation
Implement a monthly patch window with an approval workflow and document the exceptions.

Compliance

1/3 passed
COMP-01
Passed

Email filtering (anti-phishing, anti-spam) active

Finding
Microsoft Defender for Office 365 with Safe Links, Safe Attachments and anti-phishing policy is active.
Recommendation
No action required. Schedule a quarterly review of false positives and blocked-sender reports.
COMP-02
Failed

GDPR data-processing register maintained

Finding
The processing register exists as an Excel file from 2023; the new HR tool and marketing platform are missing from it.
Recommendation
Update the processing register to the GDPR template, add the missing processing activities, and plan a half-yearly review.
COMP-03
N/A

Third-party supplier security assessed

Finding
Acme B.V. currently has no external processors with access to production data.
Recommendation
Not applicable in the current situation. Reassess as soon as an external supplier is engaged.

Remediation Plan

Priority: Critical
Finding: Privileged Access Management - separate admin accounts
Five employees use their regular account for administrative tasks; there are no separate admin accounts.
Action: Create dedicated admin accounts (suffix '-adm'), restrict everyday access to the daily-tasks account, and log every escalation.
Effort: 1-3 days
Responsible: IT Admin

Priority: Critical
Finding: Automated backups with a tested restore procedure
Daily backups run to the NAS, but no restore test has been performed in the last 14 months. It is unknown whether the backups are usable.
Action: Run a quarterly restore test against a staging environment, document the RTO/RPO, and verify backup encryption.
Effort: 4-8h
Responsible: Korur

Priority: High
Finding: Break-glass (emergency access) account defined and secured
There is no documented break-glass account for emergencies; if Azure AD becomes unavailable there is no alternative access route.
Action: Create an offline-stored emergency account, place the credentials in a sealed envelope inside a locked safe, and test annually.
Effort: 4-8h
Responsible: IT Admin

Priority: High
Finding: IR plan tested (tabletop exercise) in the last 12 months
The last exercise was in October 2024. Current staff have never walked through the procedure.
Action: Schedule a half-yearly tabletop exercise with scenarios: ransomware, email compromise, and data breach.
Effort: 1-3 days
Responsible: Korur

Priority: High
Finding: Strong Wi-Fi password and network segmentation
The office network uses a shared WPA2 password (in place since 2022) and has no separate guest or IoT VLAN.
Action: Migrate to WPA3-Enterprise with Azure AD integration, and configure three VLANs: Staff, IoT, Guest.
Effort: 1-3 days
Responsible: Korur

Priority: High
Finding: GDPR data-processing register maintained
The processing register exists as an Excel file from 2023; the new HR tool and marketing platform are missing from it.
Action: Update the processing register to the GDPR template, add the missing processing activities, and plan a half-yearly review.
Effort: 1-3 days
Responsible: Korur

Priority: Medium
Finding: Single Sign-On (SSO) implemented
SSO is active for Microsoft 365 and Slack, but accounting (Exact Online) and CRM (Pipedrive) use separate logins.
Action: Configure SAML/OIDC federation for Exact Online and Pipedrive in the existing Azure AD tenant.
Effort: 1-3 days
Responsible: Korur

Priority: Medium
Finding: Data classification policy documented
A draft policy from 2024 exists, but it has not been updated for the new AI tools and formal sign-off is missing.
Action: Update the policy, have it signed off by management, and apply labels in Microsoft Information Protection.
Effort: 1-3 days
Responsible: Korur

Priority: Medium
Finding: External incident contacts (CERT, insurer) documented
The insurer is listed in the IR plan; CERT.NL and legal counsel are missing from the contact list.
Action: Add the CERT.NL reporting line and a cyber-legal lawyer to the IR contact list, including their 24/7 phone number.
Effort: 1-4h
Responsible: Korur

Priority: Medium
Finding: Patch management - OS + application updates < 30 days
Windows Update runs automatically, but 4 servers and 2 line-of-business applications are over 60 days behind on patches.
Action: Implement a monthly patch window with an approval workflow and document the exceptions.
Effort: 1-3 days
Responsible: IT Admin

Appendix A — Glossary

MFA (Multi-Factor Authentication)
Authentication using two or more verification steps, for example a password plus an authenticator app or hardware token.
SSO (Single Sign-On)
Logging in once via a central identity provider and then having access to multiple connected systems.
RBAC (Role-Based Access Control)
Authorisation model that grants permissions based on roles rather than per individual user.
RTO/RPO (Recovery Time/Point Objective)
RTO is the maximum acceptable downtime after an incident; RPO is the maximum acceptable amount of data loss, measured in time.
WAF (Web Application Firewall)
Application-layer firewall that filters HTTP requests to block attacks such as SQL injection and XSS.
OIDC (OpenID Connect)
Authentication protocol on top of OAuth 2.0 that lets applications verify identity and fetch user information.
JWT (JSON Web Token)
Compact, signed token format for securely transferring claims between parties, commonly used for sessions and authorisation.
WPA3-Enterprise
Modern Wi-Fi security standard with 802.1X authentication and stronger encryption than WPA2.
GDPR / AVG
European privacy legislation (General Data Protection Regulation) governing the processing of personal data.
CERT.NL
Computer Emergency Response Team for Dutch organisations; the central reporting point for cybersecurity incidents.
Zero Trust
Security model that does not grant implicit trust based on network location; every request is verified on its own merits.
PVC (PersistentVolumeClaim)
Kubernetes resource that requests storage for stateful workloads, backed by an underlying volume.

Appendix B — References & Standards

  1. https://www.nist.gov/cyberframework
  2. https://www.iso.org/standard/27001
  3. OWASP Top 10 (Framework): https://owasp.org/Top10/
  4. https://cwe.mitre.org/top25/
  5. https://www.cisecurity.org/controls
  6. https://learn.microsoft.com/security/zero-trust/
  7. https://autoriteitpersoonsgegevens.nl/

Appendix C — Korur Contact Information

Korur Security Consulting

Address: Korur HQ, Utrecht, Netherlands

Follow-up Assessment

For follow-up assessments or remediation support, please contact us using the details above. Mention the report number in your message so we can retrieve your file right away.