FAQ: Audits
Can the network audit report be used for ISO 27001 certification?
Yes. Our audits follow the controls of ISO 27001:2022 (Annex A — technological and physical controls) and the NIST CSF as reference frameworks. The audit report constitutes documentary evidence of due diligence for ISO auditors, the FDPIC and your business partners.
Does Bexxo operate throughout Switzerland?
Bexxo operates primarily in French-speaking Switzerland, with remote or on-site interventions throughout Switzerland. Based in Ins (canton of Berne), at the crossroads of Swiss linguistic regions, our team supports SMEs in French, German and English.
Does my WordPress site need a security audit?
Yes. WordPress powers 43% of websites worldwide and is by far the CMS most targeted by attackers. Vulnerabilities often come from third-party plugins, outdated themes and misconfigurations. A Bexxo audit checks all of these points, not just the WordPress core.
Does my website need a security audit?
Yes, if your website collects personal data, processes payments or is accessible from the internet. 73% of websites have at least one critical vulnerability (source: Bexxo, internal data). The nFADP (Swiss Data Protection Act) requires companies to document their security measures — an audit provides this proof. In the event of a data breach, the absence of diligence can result in fines of up to CHF 250,000.
Does the audit include fixing the identified vulnerabilities?
No — the audit covers identification, classification and the action plan. Fixing the vulnerabilities is a separate service, which can be carried out by your internal teams based on the report, or by Bexxo on a quoted basis. This separation guarantees the objectivity of the audit: the auditor cannot have an interest in finding more vulnerabilities than actually exist. All our packages include assistance in understanding the report and taking the first corrective measures.
How long does a network audit take?
From 2 to 10 business days depending on the package and the size of the infrastructure. The Essential package takes 2 to 3 days, the Standard 3 to 7 days, the Premium 5 to 10 days. You receive a detailed report with a criticality-prioritised action plan at the end of the audit.
How long does a network security audit take?
The duration depends on the package and the size of the infrastructure:
- Essentiel: 1 to 2 working days for a network of fewer than 50 devices.
- Avancé: 3 to 5 working days depending on topology complexity.
- Premium: 1 to 2 weeks for a multi-site infrastructure or complex architecture (VPN, hybrid cloud, OT/IT).
The report is delivered within this timeframe, with a presentation session included for the Premium package.
How long does a web audit take?
From 2 to 10 business days depending on the package and the complexity of the site. The Essential package takes 2 to 3 days, the Standard 3 to 7 days, the Premium 5 to 10 days. You receive a detailed report with a prioritised action plan at the end of the audit.
How long does a website security audit take?
The duration varies depending on the package and the complexity of the site:
- Essentiel: 1 to 2 working days.
- Avancé: 3 to 5 working days.
- Premium: 1 to 2 weeks depending on the size of the site and scope (APIs, database, third-party applications).
The report is delivered within this timeframe, followed by a presentation session (Premium package) or an email exchange.
How much does a network security audit cost?
Our network packages range from CHF 2,000 (Essential — vulnerability scan, simplified report) to CHF 18,000 (Premium — in-depth penetration tests, full assessment, management presentation). The Standard package (CHF 4,500) is the most requested by Swiss SMEs.
How much does a web security audit cost?
Our packages range from CHF 1,500 (Essential — 10 control points, automated scan, simplified report) to CHF 15,000 (Premium — 20 control points, in-depth penetration tests, API assessment, management presentation). The Standard package (CHF 3,000) is the most requested by Swiss SMEs.
Is a network audit mandatory under the Swiss nFADP?
The nFADP (Swiss Federal Act on Data Protection, in force since September 2023) requires companies to implement proportionate technical and organisational measures to protect personal data. Although it does not explicitly require an annual network audit, documentation of security measures is mandatory. In the event of a data breach, the absence of demonstrated diligence can result in fines of up to CHF 250,000 for data controllers. An audit report provides this proof of diligence to the Federal Data Protection and Information Commissioner (FDPIC).
Is my network subject to the nFADP?
Yes. The nFADP (new Federal Act on Data Protection, in force since September 2023) requires appropriate technical security measures for all personal data processed. A network intrusion causing a data leak can result in fines of up to CHF 250,000 and an obligation to notify the FDPIC.
Is the analysis really free and without commitment?
Yes, unconditionally. The initial analysis is offered by Bexxo as part of our cybersecurity awareness initiative for Swiss SMEs. No credit card is required, no contract is signed. At the end of the analysis, if you are interested in additional services (in-depth audit, package, training), you will receive a detailed quote — which you are free to accept or decline. 68% of Swiss SMEs have never had a cybersecurity review (NCSC): this analysis is designed to remove that barrier.
Is the audit compliant with ISO 27001 and nFADP standards?
Yes. Our audits follow the controls of ISO 27001:2022 (Annex A — technological controls) and the NIST CSF as reference frameworks. The audit report can serve as proof of due diligence in the event of an FDPIC inspection under the nFADP.