
Cybersecurity in 2025: A Practical Guide for IT Departments

Guidance for IT teams in 2025 across identity, endpoints, APIs, Zero Trust, data governance, monitoring, and response.
Checklist-led approach for organisations with 100–10,000 endpoints. Mapped to SOC 2 and ISO 27001 where relevant.
19 September 2025
Will Islwyn Lambert

Introduction

Cybersecurity is already top of the agenda for most IT departments. Use this document as a checklist to help ensure your IT technology stack and processes are secure throughout.

For IT departments and security teams with established processes, use this document to double-check that the controls in place cover all the points listed here.

For IT departments and security teams looking to create security processes, put controls in place covering the points mentioned here.

Operational Controls

The core technical controls below are tagged to show which ones align with SOC 2, ISO 27001, and NIST references.

Legend: [SOC2] aligns to SOC 2; [ISO] aligns to ISO 27001; [NIST] maps to NIST SP 800‑53/CSF.

Core Technical Controls

Access Management

  • Enforce MFA for all users and admins. [SOC2][ISO A.5][NIST PR.AC]
  • Role‑based access; least privilege; deny by default. [SOC2][ISO A.5][NIST PR.AC]
  • Just‑in‑time elevation with expiry; session recording for admin tasks. [SOC2][ISO A.8]
  • Quarterly entitlement reviews; remove dormant accounts in ≤7 days. [SOC2][ISO A.5]
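As an added illustration (not from the original guide or xAssets), the following Python script turns the Access Management checks above into a repeatable audit over a constructed identity-provider CSV export: it lists users and admins without MFA and accounts that look dormant, stamping each dormant account with the 7-day removal deadline from the checklist. The column layout, the usernames and the 90-day dormancy threshold are assumptions; the guide does not define what counts as dormant.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumption: an account with no successful login in 90 days is "dormant".
# The guide sets the 7-day removal deadline but does not define dormancy.
DORMANT_AFTER_DAYS = 90
REMOVAL_DEADLINE_DAYS = 7

# Constructed IdP export; the column layout and the users are invented.
SAMPLE_EXPORT = """\
username,is_admin,mfa_enrolled,last_login,enabled
alice,true,true,2025-09-15T08:12:00Z,true
bob,false,false,2025-05-01T09:00:00Z,true
carol,true,false,2025-09-10T17:45:00Z,true
dave,false,true,,true
erin,false,false,2024-12-01T10:00:00Z,false
"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never logged in'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_accounts(csv_text):
    """Turn the export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "username": row["username"],
            "is_admin": row["is_admin"].lower() == "true",
            "mfa_enrolled": row["mfa_enrolled"].lower() == "true",
            "last_login": _parse_ts(row["last_login"]),
            "enabled": row["enabled"].lower() == "true",
        })
    return rows


def audit_accounts(accounts, now, dormant_after_days=DORMANT_AFTER_DAYS):
    """Apply the access-management checks and return findings per control.

    Disabled accounts are skipped for MFA and dormancy and listed only as
    candidates for deletion in the entitlement review.
    """
    cutoff = now - timedelta(days=dormant_after_days)
    removal_due = (now + timedelta(days=REMOVAL_DEADLINE_DAYS)).date().isoformat()
    findings = {"no_mfa": [], "admin_no_mfa": [], "dormant": [], "disabled": []}
    for a in accounts:
        if not a["enabled"]:
            findings["disabled"].append(a["username"])
            continue
        if not a["mfa_enrolled"]:
            findings["no_mfa"].append(a["username"])
            if a["is_admin"]:
                findings["admin_no_mfa"].append(a["username"])
        if a["last_login"] is None or a["last_login"] < cutoff:
            findings["dormant"].append({"username": a["username"], "remove_by": removal_due})
    return findings


def run_sample():
    """Run the audit against the constructed export as of the guide's date."""
    now = datetime(2025, 9, 19, tzinfo=timezone.utc)
    return audit_accounts(load_accounts(SAMPLE_EXPORT), now)


if __name__ == "__main__":
    for control, items in run_sample().items():
        print(f"{control}: {items}")
```

Run it against a real export by swapping `SAMPLE_EXPORT` for the file contents; the `admin_no_mfa` list is the one to clear first, and the `dormant` list carries the date by which each account must be gone to meet the checklist.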

Endpoint Security (Windows, macOS, Linux, Mobile)

  • EDR deployed to 100% of managed endpoints with tamper protection. [SOC2][ISO A.8]
  • Patch OS and high‑risk apps within SLA (Critical ≤7 days; High ≤14 days). [SOC2][ISO A.8][NIST DE.CM]
  • Baseline hardening; device encryption; USB control; local admin removal. [ISO A.8]
  • Verified, tested backups for key devices and servers; immutable copies. [SOC2][ISO A.5][NIST PR.DS]
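Added example, not part of the original guide or xAssets' own tooling: a small Python report that scores a constructed vulnerability-scanner export against the patch SLAs above (Critical within 7 days, High within 14 days). Host names and finding IDs are placeholders; severities with no SLA on the page are reported separately rather than given an invented deadline.

```python
from datetime import date, timedelta

# SLA targets from the checklist: Critical within 7 days, High within 14 days.
# Severities without a target on the page are reported as "no_sla".
PATCH_SLA_DAYS = {"Critical": 7, "High": 14}

# Constructed scanner export. Finding IDs and hosts are placeholders, not real CVEs or assets.
SAMPLE_FINDINGS = [
    {"id": "FINDING-001", "host": "web-01", "severity": "Critical",
     "published": date(2025, 9, 1), "remediated": date(2025, 9, 5)},
    {"id": "FINDING-002", "host": "db-01", "severity": "Critical",
     "published": date(2025, 9, 1), "remediated": date(2025, 9, 12)},
    {"id": "FINDING-003", "host": "app-02", "severity": "High",
     "published": date(2025, 9, 10), "remediated": None},
    {"id": "FINDING-004", "host": "fs-01", "severity": "High",
     "published": date(2025, 8, 20), "remediated": None},
    {"id": "FINDING-005", "host": "laptop-07", "severity": "Low",
     "published": date(2025, 8, 1), "remediated": None},
]


def classify(finding, today):
    """Return (status, due_date) for one finding against the SLA table."""
    sla = PATCH_SLA_DAYS.get(finding["severity"])
    if sla is None:
        return "no_sla", None
    due = finding["published"] + timedelta(days=sla)
    fixed = finding["remediated"]
    if fixed is not None:
        return ("met" if fixed <= due else "breached"), due
    return ("open_on_time" if today <= due else "open_overdue"), due


def sla_report(findings, today):
    """Classify every finding and compute SLA compliance.

    Compliance counts only findings whose clock has run out or that are closed;
    open findings still inside their SLA are neither a pass nor a fail yet.
    """
    rows, counts = [], {}
    for f in findings:
        status, due = classify(f, today)
        rows.append({"id": f["id"], "host": f["host"], "severity": f["severity"],
                     "status": status, "due": due.isoformat() if due else None})
        counts[status] = counts.get(status, 0) + 1
    decided = counts.get("met", 0) + counts.get("breached", 0) + counts.get("open_overdue", 0)
    pct = round(100.0 * counts.get("met", 0) / decided, 1) if decided else None
    return {"rows": rows, "counts": counts, "sla_compliance_pct": pct}


def run_sample():
    """Score the constructed export as of the guide's publication date."""
    return sla_report(SAMPLE_FINDINGS, date(2025, 9, 19))


if __name__ == "__main__":
    report = run_sample()
    for r in report["rows"]:
        print(f"{r['id']} {r['host']:<10} {r['severity']:<9} {r['status']:<13} due {r['due']}")
    print("SLA compliance:", report["sla_compliance_pct"], "%")
```

The `sla_compliance_pct` figure is the "patch SLA" metric the Notes section asks you to track; the `open_overdue` rows are the ones to escalate in the weekly patch cadence.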

Network and Zero Trust

  • Adopt ZTNA for remote access; phase down VPN broad access. [SOC2][ISO A.8]
  • Microsegmentation for servers and critical SaaS; block east‑west by default. [ISO A.8]
  • DNS security, egress filtering, TLS 1.2+ everywhere. [SOC2][ISO A.8]
  • WAF/API gateways in front of public apps; rate limiting and auth. [SOC2][ISO A.8]

Data Protection and Governance

  • Data inventory and classification; label regulated data. [SOC2][ISO A.5]
  • Encryption at rest and in transit; central key management; secrets rotation. [SOC2][ISO A.8]
  • Backups with immutability and offline copy; recovery tests ≥ quarterly. [SOC2][ISO A.5]
  • Data residency and transfer controls for regulated regions. [ISO A.5]
  • Ensure databases and files on servers are replicated, mirrored, or ideally both.

API, website, and Application Security

  • Inventory APIs; authenticate with OAuth2/OIDC; block anonymous writes. [SOC2][ISO A.8]
  • Input validation, object‑level auth, and schema enforcement. [ISO A.8]
  • Rate limiting; bot and DoS protection; full request logging. [SOC2][ISO A.8]
  • Pre‑prod security testing (SAST/DAST), secrets scanning in CI/CD. [SOC2][ISO A.8]
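The four API controls above can be exercised in one request pipeline. The following is an added example in plain Python, not code from the guide or from xAssets, standing in for an API gateway: it rejects anonymous writes, applies a per-principal sliding-window rate limit, enforces a field schema, checks object-level ownership, and records every decision. The endpoint, the schema, the ownership table and the rate-limit values are all assumptions.

```python
import json
from collections import defaultdict, deque

# Assumed limits for the example; real values depend on the API and its clients.
RATE_LIMIT = 5
RATE_WINDOW_SECONDS = 60


class SlidingWindowLimiter:
    """Per-principal sliding-window counter (in-memory; a gateway would use a shared store)."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Schema for the example endpoint: field -> (expected type, required)
ORDER_SCHEMA = {"order_id": (str, True), "quantity": (int, True), "note": (str, False)}

# Constructed ownership table standing in for a database lookup.
OWNERS = {"ord-100": "alice", "ord-200": "bob"}

AUDIT_LOG = []   # full request logging: one record per decision


def validate(body, schema):
    """Reject missing or mistyped required fields and any field not in the schema."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for field, (ftype, required) in schema.items():
        if field not in body:
            if required:
                errors.append(f"missing {field}")
        elif type(body[field]) is not ftype:   # type(), not isinstance: bool is a subclass of int
            errors.append(f"{field} must be {ftype.__name__}")
    extra = sorted(set(body) - set(schema))
    if extra:
        errors.append(f"unexpected fields: {extra}")
    return errors


def handle(request, limiter, now):
    """Apply the checks in order: authentication, rate limit, schema, object-level authz."""
    principal = request.get("principal")
    if principal is None:
        status, reason = 401, "authentication required"      # block anonymous writes
    elif not limiter.allow(principal, now):
        status, reason = 429, "rate limit exceeded"
    else:
        try:
            body = json.loads(request.get("body", ""))
            errors = validate(body, ORDER_SCHEMA)
        except json.JSONDecodeError:
            errors = ["malformed JSON"]
        if errors:
            status, reason = 400, "; ".join(errors)
        elif OWNERS.get(body["order_id"]) != principal:
            status, reason = 403, "not the owner of this object"   # object-level auth
        else:
            status, reason = 200, "ok"
    AUDIT_LOG.append({"t": now, "principal": principal, "path": request.get("path"),
                      "status": status, "reason": reason})
    return status, reason


def run_sample():
    """Replay a constructed request sequence with a fixed clock so the run is reproducible."""
    limiter = SlidingWindowLimiter()
    t0 = 1_000_000.0
    good = json.dumps({"order_id": "ord-100", "quantity": 2})
    requests = [
        {"principal": None, "path": "/orders", "body": good},
        {"principal": "alice", "path": "/orders", "body": good},
        {"principal": "alice", "path": "/orders", "body": json.dumps({"order_id": "ord-200", "quantity": 1})},
        {"principal": "alice", "path": "/orders", "body": json.dumps({"order_id": "ord-100", "quantity": "2"})},
        {"principal": "alice", "path": "/orders", "body": good},
        {"principal": "alice", "path": "/orders", "body": good},
        {"principal": "alice", "path": "/orders", "body": good},   # sixth hit in the window
    ]
    return [handle(r, limiter, t0 + i)[0] for i, r in enumerate(requests)]


if __name__ == "__main__":
    print(run_sample())   # [401, 200, 403, 400, 200, 200, 429]
```

Note that the rate limiter counts every authenticated request, including the ones later rejected by the schema or ownership checks, so a client that keeps sending malformed bodies still runs out of budget; that is the intended ordering.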

Monitoring and Incident Response

  • Centralised logs (auth, admin, EDR, firewall, cloud, SaaS); 90‑day hot; 365‑day cold. [SOC2][ISO A.8][NIST DE.AE]
  • Alert tuning for credential abuse, ransomware patterns, data exfiltration. [NIST DE.CM]
  • IR playbooks: phishing, ransomware, insider, vendor breach; owners assigned. [SOC2][ISO A.5][NIST RS]
  • Tabletop tests ≥ semi‑annual; post‑mortems with action tracking. [SOC2][ISO A.10]
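Alert tuning for credential abuse starts with a few detections over the centralised auth log. This added Python example (not from the original guide or xAssets) parses a constructed log format and raises three alerts: password spraying (one source failing against many accounts), brute force (many failures against one account), and a success that follows a run of failures from the same source. The log format, the IP addresses (RFC 5737 documentation ranges), the 5-minute window and the thresholds are all assumptions to be tuned to your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed window and thresholds; tune them to your own baseline.
WINDOW = timedelta(minutes=5)
SPRAY_DISTINCT_USERS = 5      # one source failing against this many accounts
BRUTE_FORCE_FAILURES = 5      # this many failures against one account
SUCCESS_AFTER_FAILURES = 3    # a success preceded by this many failures from the same source

# Constructed log format: "<ISO time> auth <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth (OK|FAIL) user=(\S+) src=(\S+)$")

SAMPLE_LOG = """\
2025-09-19T10:00:01Z auth FAIL user=alice src=203.0.113.5
2025-09-19T10:00:02Z auth FAIL user=bob src=203.0.113.5
2025-09-19T10:00:03Z auth FAIL user=carol src=203.0.113.5
2025-09-19T10:00:04Z auth FAIL user=dave src=203.0.113.5
2025-09-19T10:00:05Z auth FAIL user=erin src=203.0.113.5
2025-09-19T10:00:06Z auth FAIL user=frank src=203.0.113.5
2025-09-19T10:01:00Z auth FAIL user=admin src=198.51.100.7
2025-09-19T10:01:01Z auth FAIL user=admin src=198.51.100.7
2025-09-19T10:01:02Z auth FAIL user=admin src=198.51.100.7
2025-09-19T10:01:03Z auth FAIL user=admin src=198.51.100.7
2025-09-19T10:01:04Z auth FAIL user=admin src=198.51.100.7
2025-09-19T10:01:10Z auth OK user=admin src=198.51.100.7
2025-09-19T10:02:00Z auth OK user=alice src=192.0.2.10
"""


def parse(text):
    """Return (time, success, user, src) tuples sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2) == "OK", m.group(3), m.group(4)))
    return sorted(events)


def _trim(q, now):
    """Drop entries older than the detection window."""
    while q and q[0][0] < now - WINDOW:
        q.popleft()


def detect(events):
    """Return (kind, subject, time) alerts; each (kind, subject) pair fires once."""
    by_src = defaultdict(deque)    # src  -> deque of (time, user) failures
    by_user = defaultdict(deque)   # user -> deque of (time, src) failures
    alerts, fired = [], set()

    def fire(kind, subject, ts):
        if (kind, subject) not in fired:
            fired.add((kind, subject))
            alerts.append((kind, subject, ts.isoformat()))

    for ts, ok, user, src in events:
        _trim(by_src[src], ts)
        _trim(by_user[user], ts)
        if ok:
            recent = sum(1 for _, s in by_user[user] if s == src)
            if recent >= SUCCESS_AFTER_FAILURES:
                fire("success-after-failures", f"{user}@{src}", ts)
            continue
        by_src[src].append((ts, user))
        by_user[user].append((ts, src))
        if len({u for _, u in by_src[src]}) >= SPRAY_DISTINCT_USERS:
            fire("password-spray", src, ts)
        if len(by_user[user]) >= BRUTE_FORCE_FAILURES:
            fire("brute-force", user, ts)
    return alerts


def run_sample():
    """Run the three detections over the constructed log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, subject, when in run_sample():
        print(f"{when} {kind}: {subject}")
```

The "success-after-failures" alert is the one worth routing straight to on-call: the other two describe an attempt, this one describes a likely account compromise and should trigger the credential-abuse playbook.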

Governance, Risk, and Compliance

Policies

  • Acceptable Use; Password and MFA; Remote/Hybrid Work; Access Control.
  • Change Management; Secure Development; Backup and Recovery; Logging.
  • Vendor Risk; Data Classification and Handling; Incident Response.

Operational Cadence

  • Risk assessment monthly or quarterly; register with owners and due dates.
  • Continual risk logging: when someone identifies a risk, log it!
  • Internal control reviews; evidence stored and versioned.
  • Third‑party assessments for critical suppliers annually.

Mappings: Policies support SOC 2 Common Criteria; ISO 27001 Annex A controls; NIST CSF Identify/Protect/Detect/Respond/Recover.

People and Process

  • Security awareness for all staff; phishing; clear reporting path.
  • HR‑IT joiner/mover/leaver automation; access removal within 24 hours.
  • Admin access gated by approvals and expiry; activity recorded.
  • Employee Cybersecurity Manual

2025 Priorities

  • AI threats: deepfake phishing; automated credential stuffing; model abuse. Controls: strong verification for payments/approvals; anomaly detection on auth.
  • Cloud posture: CSPM/SSPM; least privilege; secret scanning; baseline guardrails.
  • SaaS governance: SSO/MFA enforced; admin scope minimised; export and sharing policies.
  • Supply chain: SBOM where feasible; dependency monitoring; vendor breach playbook.

90‑Day Implementation Plan

Days 0–30

  • Enable MFA everywhere; block legacy auth.
  • EDR coverage to 100%; fix gaps.
  • Define patch SLAs; start weekly cadence.
  • Centralise logs; create high‑value alerts.

Days 31–60

  • ZTNA pilot; restrict VPN access.
  • Backups: immutability + quarterly tests.
  • API inventory; enforce auth and rate limits.
  • Run phishing drill; close findings.

Days 61–90

  • Quarterly access review; remove dormant accounts.
  • Tabletop IR exercise; update playbooks.
  • Vendor reviews for top 10 suppliers.
  • Publish policy set; track acknowledgements.

One‑Page Checklist

Owner and Status are left blank for each organisation to fill in.

Domain       | Control                                       | Owner | Status | Evidence
-------------|-----------------------------------------------|-------|--------|-------------------------------
Identity     | MFA enforced; JIT admin; quarterly reviews    |       |        | Policy, logs, review report
Endpoints    | EDR 100%; patch SLA met; disk encryption      |       |        | EDR reports; patch dashboard
Network/ZTNA | ZTNA in place; segmentation; egress control   |       |        | Configs; change records
Data         | Classification; encryption; immutable backups |       |        | Labels; KMS logs; restore test
APIs/Apps    | Auth; input validation; rate limits; logging  |       |        | Gateway configs; test results
Monitoring   | Central logs; tuned alerts; 24×7 coverage     |       |        | SIEM configs; on-call rota
IR           | Playbooks; roles; semi-annual tests           |       |        | After-action report
Vendors      | Risk reviews; breach clauses; offboarding     |       |        | Assessments; contracts
Training     | Annual training; phishing drills; tracking    |       |        | Completion logs; drill report
  • All internet‑facing services inventoried and scanned monthly
  • Default deny for inbound; egress controlled
  • Secrets rotated; no hard‑coded credentials
  • Payment and approval changes verified out‑of‑band
  • Critical alerts reach on‑call within 2 minutes
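Secrets scanning in CI/CD (from the API section) and the checklist item "Secrets rotated; no hard-coded credentials" both need a scanner that can tell a committed credential from a placeholder. This added Python example (not code from the guide or from xAssets) scans a constructed source file with three rules and an entropy cut-off, and masks anything it reports so the secret is not copied into the CI log. The source file, the entropy threshold and the generic credential-assignment pattern are assumptions; the AWS key shown is the placeholder value from AWS's own documentation.

```python
import math
import re

# Detection rules. The AWS key-ID prefix and the PEM header are fixed, well-known
# formats; the credential-assignment rule is a generic heuristic and needs the
# entropy check below to avoid flagging placeholders.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("hardcoded-credential",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]
MIN_ENTROPY = 3.0   # assumed cut-off: values below this are treated as placeholders

# Constructed source file. The AWS key is the documentation placeholder; the
# rest is invented. Line 4 shows the correct pattern (read from the environment).
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal.example"
DB_PASSWORD = "changeme"
API_KEY = os.environ["API_KEY"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SMTP_SECRET = "q9Zr4!Lp2xW8vK1mT3bN"
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(value):
    """Bits per character: random-looking secrets score high, dictionary words score low."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Never echo the whole secret into a report or a CI log."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan(text, min_entropy=MIN_ENTROPY):
    """Return findings as (line, rule, masked value) over the given source text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(2) if rule == "hardcoded-credential" else m.group(0)
                if rule == "hardcoded-credential" and shannon_entropy(value) < min_entropy:
                    continue   # likely a placeholder such as "changeme"
                findings.append({"line": lineno, "rule": rule, "value": mask(value)})
    return findings


def run_sample():
    """Scan the constructed source file."""
    return scan(SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f['line']}: {f['rule']} ({f['value']})")
```

In a pipeline the exit code should be non-zero when `scan` returns anything, so the commit is blocked before the credential reaches a shared branch and has to be rotated.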

Notes

  • Use this playbook to justify control design during SOC 2 readiness or ISO 27001 audits.
  • Keep evidence current: screenshots, exports, tickets, and meeting notes with dates.
  • Measure progress by coverage (%), MTTR, patch SLA, and incident count.

xAssets helps companies achieve cybersecurity controls by providing a holistic inventory of your entire IT infrastructure, fed from multiple sources. Our discovery tools provide deep intel on each endpoint, and centralising data from discovery and other sources (Meraki, Intune, etc.) provides an easy-to-use toolset for finding assets, easing the management of all aspects of cybersecurity.

You can use a free instance to evaluate the system and we are always happy to help you get started.
