Alvor Advisory
Assess → Architect → Build → Operate

01 / The diagnostic

Know exactly where you stand, and what to fix first.

We measure your current state against the framework and the maturity models that apply to you, then hand you a prioritised, costed picture of the gap. The clearest way to start, with a defined scope and a defined price.

Identify · Protect · Detect · Respond · Recover · Maturity 3.1 / 5.0
NIST CSF 2.0 · C2M2 · ISO 27001 · SOC 2 · Flagship: fixed scope, fixed fee

The engagements

Eight ways to start with Assess.

Some assess the whole program, others a single function within it. Each is scoped and priced on its own. Start with one, or run several together.

Alvor Advisory · Assess · AS-01

Security Program Assessment

Know exactly where you stand, and what to fix first.

You walk away with

  • Maturity scorecard
  • Prioritised gap register
  • Risk-ranked exposure picture
  • Costed remediation roadmap

Program-wide · Fixed-fee · Typically 3–4 weeks

Scope of work

Includes

  • Current-state review of the whole program against the framework you answer to
  • Maturity scoring on a recognised whole-program model (NIST CSF 2.0 or C2M2)
  • Risk analysis across the enterprise, your cloud, and your vendors
  • A prioritised, risk-ranked gap register with a costed roadmap

Best for a first, complete read of where the program stands.


Alvor Advisory · Assess · AS-02

Compliance Readiness Assessment

See the exact distance to certification before you commit to the audit.

You walk away with

  • Readiness report
  • Gap-to-certification register
  • Remediation priorities

Program-wide · Fixed-fee · Typically 2–3 weeks

Scope of work

Includes

  • Gap assessment of the program against one named standard: ISO 27001, SOC 2, or a sector regime
  • Control-by-control review of what is in place against what the standard requires
  • An honest read on the time and effort to certification

Best for teams heading into a first certification or surveillance audit.


Alvor Advisory · Assess · AS-03

Domain Maturity Assessment

Score a single security function against the model built for it.

You walk away with

  • Function maturity scorecard
  • Capability gap analysis
  • Targeted improvement roadmap

Targeted · Fixed-fee · Typically 2–3 weeks

Scope of work

Includes

  • Vulnerability management, scored against the SANS VMMM
  • Application security, scored against BSIMM or OWASP SAMM
  • Security operations, scored against the SOC-CMM
  • A focused, function-level maturity rating and improvement path

Best for a deep read of one capability, not the whole program.


Alvor Advisory · Assess · AS-04

AI Security and Governance Assessment

See where AI is already in your business, and what it exposes.

You walk away with

  • AI usage inventory
  • Exposure findings report
  • AI governance gap register

Function: AI governance · Scoped · Typically 2–4 weeks

Scope of work

Includes

  • Shadow-AI discovery: the tools, models, and assistants already in use
  • Data and model-pipeline exposure review, from training data to outputs
  • Third-party AI risk across the vendors and features you already rely on
  • Findings mapped to ISO/IEC 42001 and the NIST AI RMF

Best for organisations whose AI adoption is running ahead of governance.


Alvor Advisory · Assess · AS-05

Incident Response and Resilience Readiness

Know the plan holds before you ever need it.

You walk away with

  • IR readiness report
  • Tabletop findings
  • Recovery gap register

Function: Resilience · Scoped · Typically 2–3 weeks

Scope of work

Includes

  • IR plan and playbook review against how your organisation actually runs
  • A tabletop exercise with your leadership and technical teams
  • Recovery validation: backups, continuity, and the path back to normal
  • A clear read on insurer and reportable-incident expectations

Best for teams whose IR plan has never been rehearsed.


Alvor Advisory · Assess · AS-06

Cloud Security Posture Review

Find what your cloud is actually exposing.

You walk away with

  • Posture findings report
  • Prioritised remediation order

Function: Cloud security · Scoped · Typically 2–4 weeks, sized to the estate

Scope of work

Includes

  • Configuration and posture assessed against the CIS Benchmarks and the CSA Cloud Controls Matrix
  • Identity, network, and data-exposure review across your accounts
  • ISO 27017 and 27018 in scope where the cloud handles personal data
  • Findings ranked by exploitability and blast radius

Best for cloud-first teams unsure what their accounts expose.


Alvor Advisory · Assess · AS-07

Third-Party Risk Assessment

Understand the risk you inherit from the vendors you depend on.

You walk away with

  • Third-party risk register
  • Vendor tiering model

Function: Third-party risk · Scoped · Typically 2–4 weeks

Scope of work

Includes

  • Inventory and tiering of your vendors by the access and data they hold
  • Risk review of your critical and high-tier suppliers
  • A repeatable scoring method you can keep using

Best for organisations with a growing or unmapped vendor estate.


Alvor Advisory · Assess · AS-08

Penetration Test and Control Validation

Confirm the controls you rely on actually hold.

You walk away with

  • Test report with severity ratings
  • Validated control findings
  • Retest on fixes

Function: Technical assurance · Scoped · Typically 1–3 weeks per scope

Scope of work

Includes

  • Hands-on testing of network, application, or cloud, scoped to your estate
  • Run to recognised methodologies: OWASP for applications, PTES and MITRE ATT&CK for adversary emulation
  • Delivered by certified offensive-security practitioners
  • Findings with clear reproduction steps and remediation guidance

Best for teams needing technical proof, not just a paper review.


The catalogue, mapped

One flagship. Seven ways to go deeper.


What you walk away with

It resolves to one maturity scorecard and a single prioritised, risk-ranked gap register, so the diagnosis and the remediation roadmap are the same artefact.

  1. Maturity scorecard
  2. Prioritised gap register
  3. Risk-ranked exposure picture
  4. Costed remediation roadmap

The decision is yours

The flagship assessment is fixed-fee and stands on its own. Its roadmap is the scoped proposal for Architect, and the next move is yours.

Next track: Architect. Decide what good looks like before a single control is built.

Start where it makes sense for you.

A short conversation is the fastest way to scope Assess and see where it fits across the lifecycle.

© 2026 Alvor, Inc. All rights reserved.
