A Google Workspace security audit is a structured, manual review of your Workspace configuration against a defined set of security controls. It's not a vulnerability scan, it's not a penetration test, and it's not an automated tool that generates a report in 30 seconds. It's a person who knows the Admin Console going through your configuration live, checking each control against best practice, and documenting what's in place and what isn't.
The GetBulwark audit covers 20 controls across four categories, scored out of 215 points. The average score on a first-time audit is around 95–110. Here's what each category covers and why.
Category 1 — Identity and access (6 controls)
This category is the highest risk area for most small businesses, and it's where the most common and most serious findings appear.
- MFA enforcement: Is two-step verification enforced for all users — not just available, but required? Are admin accounts held to a higher standard (hardware keys)?
- Password policy: Is a minimum 12-character password enforced? Is the "enforce strong password" setting active?
- Super Admin count: How many accounts have Super Admin privileges? The answer should be one primary and one backup — no more.
- Less secure app access: Is legacy authentication (basic auth) disabled? Legacy protocols can bypass MFA entirely.
- Session duration: Do sessions expire, or do they persist indefinitely? Admin sessions should be set to a short expiry.
- Active account review: Are there active accounts for people who have left the business? This is checked against the user list in real time.
"Identity controls account for roughly half of a typical audit's risk score. MFA alone, properly enforced, eliminates more attack surface than all other controls combined."
Category 2 — Email security (5 controls)
Email is the primary attack vector for small businesses. This category checks whether your domain and email configuration are correctly hardened.
- SPF record: Is the SPF record present, correctly configured, and set to a hard fail (-all) rather than soft fail (~all)?
- DKIM: Is DKIM configured and actively signing outgoing email? An absent or misconfigured DKIM record undermines email authentication entirely.
- DMARC policy: Is DMARC present? Is the policy set to quarantine or reject (not none)? Is the reporting address configured so you can see what's happening to email sent from your domain?
- Spam and malware filtering: Is Gmail's enhanced pre-delivery message scanning active? Are suspicious link and attachment protection settings enabled?
- External email warning: Are users warned when an email arrives from outside the organisation, reducing the risk of impersonation attacks going unnoticed?
A DMARC record set to p=none is technically present but does nothing protective. It's a common finding — businesses set it up following guidance, leave it at p=none "temporarily", and never advance it. The audit flags this and the fix is a DNS record change that takes about five minutes.
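As an added illustration (not GetBulwark's own tooling), the checker below applies the SPF and DMARC criteria from this category to raw DNS TXT record strings and grades them on the report's pass/amber/fail scale. The record strings are constructed sample values; in a real audit they would come from a TXT lookup at the domain apex and at _dmarc.<domain>.

```python
from typing import Optional, Tuple

# Constructed sample records (placeholder domain, not a real lookup).
SAMPLE_SPF = "v=spf1 include:_spf.google.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"


def check_spf(txt: Optional[str]) -> Tuple[str, str]:
    """Grade an SPF TXT record: hard fail (-all) passes, soft fail (~all) is amber."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return "fail", "no SPF record"
    last = txt.split()[-1].lower()  # the 'all' mechanism is conventionally last
    if last == "-all":
        return "pass", "hard fail (-all)"
    if last == "~all":
        return "amber", "soft fail (~all): unauthorised senders are marked, not rejected"
    return "fail", f"permissive or missing 'all' mechanism ({last})"


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; tags are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: Optional[str]) -> Tuple[str, str]:
    """Grade a DMARC record: p=quarantine/reject with a rua address passes,
    an enforcing policy without reporting is amber, p=none or absent fails."""
    if not txt:
        return "fail", "no DMARC record at _dmarc.<domain>"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "fail", "malformed DMARC record (missing v=DMARC1)"
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        if "rua" in tags:
            return "pass", f"p={policy} with aggregate reporting to {tags['rua']}"
        return "amber", f"p={policy} but no rua= reporting address; you cannot see what is rejected"
    if policy == "none":
        return "fail", "p=none: record present but enforces nothing"
    return "fail", f"unknown or missing policy ({policy!r})"


if __name__ == "__main__":
    for name, result in (("SPF", check_spf(SAMPLE_SPF)), ("DMARC", check_dmarc(SAMPLE_DMARC))):
        print(f"{name}: {result[0].upper()} - {result[1]}")
```

Against the sample records this reports SPF as amber (soft fail) and DMARC as a fail (p=none), which is exactly the finding the paragraph above describes.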
Category 3 — Data governance (5 controls)
This category covers how data in Google Drive and Gmail is shared, who has access to it, and whether there are controls in place to prevent accidental or malicious data exposure.
- External Drive sharing policy: Can users share files with anyone externally? Is "anyone with a link" access available at the organisation level?
- Shared Drive external membership: Are external users present as members of any Shared Drive? Are former contractors or past clients still listed?
- Third-party app access: What apps have been granted access to user accounts through Google OAuth? Are there high-risk apps with broad permissions?
- Data export controls: Can users export their own Workspace data (Takeout)? For some businesses this is fine; for others with sensitive client data, it warrants review.
- Shared Drive permission levels: Are users appropriately permissioned in Shared Drives, or does everyone have Manager access to everything?
Category 4 — Device management (4 controls)
Most small businesses have team members accessing Workspace from personal devices — phones in particular — with no management policy applied. This category checks what visibility and control you have over those devices.
- Basic Mobile Management: Is Basic Mobile Management enabled? This allows enforcement of screen lock, remote wipe capability, and device visibility in the Admin Console.
- Enrolled device count: How many devices are enrolled compared with the number of active users? The gap indicates unmanaged devices accessing company data.
- Device compliance: Are enrolled devices compliant with the policies set? Are there any devices with outstanding policy violations?
- Endpoint security: Are endpoint detection and response agents deployed on company devices? Is there visibility into what's running on those devices beyond what Google reports?
What happens after the audit
Within 48 hours of the live review session, you receive a written PDF report with your score across all 20 controls, a breakdown of every finding (pass/amber/fail), and a prioritised remediation list. The report is yours to keep regardless of what you decide to do next.
For most businesses, the top three to five findings are the same: MFA not properly enforced, DMARC at p=none, former employee accounts still active, Drive sharing set too broadly, and mobile management not enabled. Together, these represent the majority of the real-world risk — and they're all fixable in a half-day of admin work.
If you'd rather have someone fix everything for you — running through all the remediation as a structured project, then handing you back a fully hardened Workspace — that's what the Workspace Hardening Project is for. The audit is the diagnosis. The project is the treatment.