Assess · The flagship diagnostic
A fixed-fee diagnostic of your whole security program: scored on a CMMI-aligned 0 to 5 scale across all six CSF functions, mapped to ISO 27001 and SOC 2, and resolved into one maturity scorecard and one risk-ranked gap register. The diagnosis and the roadmap are the same artefact.
Scope and price agreed in writing before any work. No obligation.
Security has grown organically and nobody can say, in one page, where the program stands. The scorecard gives you that page, on a recognised scale rather than an opinion.
Directors, investors, or an acquirer want a defensible answer, not reassurance. A scored profile with an evidence basis is an answer you can table and stand behind.
You are about to spend real money on security and want the baseline first, so the spend lands on the highest-exposure gaps and the improvement is measurable afterwards.
What you are commissioning
The flagship engagement of the Assess track backs this page. Scope and the fixed fee are agreed in writing before any work begins.
Assess track · Fixed-fee · Typically 3–4 weeks
Know exactly where you stand, and what to fix first.
Best for a first, complete read of where the program stands.
The standardised assessments are fixed-fee. Every other engagement is scoped and priced in writing before you commit, from a one-off review to a managed service.
The method
Every category is scored against a published rubric, and scores reflect evidence sighted, not practices described: interviews, documents, and technical sampling of the estate. Where the story and the evidence differ, the evidence prevails.
The maturity scorecard and the gap register resolve into a single deliverable: each gap carries a risk rank, an owner, a recommendation, and a costed remediation, so accepting the diagnosis is the same act as adopting the plan.
Led by a principal security architect, reviewed by a function subject-matter specialist, and quality-reviewed by the practice lead before issue. The sample report below shows exactly who signs what.
The same rubric is applied every time, so a repeat assessment measures movement rather than re-litigating the baseline. Many teams re-run it annually; under Operate, the tracking becomes continuous.
Proof of method
Eight pages of the standard report, redacted: the executive summary, the function profile, per-category summaries, a full control-level assessment, and the gap register with recommendations.
Questions
It is fixed-fee, sized to your organisation in a short scoping conversation and agreed in writing before any work begins. The fee buys a defined scope: all six NIST CSF 2.0 functions, the interviews and evidence review behind them, and the full report.
Typically a set of interviews across engineering, operations, and leadership, your existing policies and documents, and read-only technical sampling of agreed control families. The engagement is designed to take minutes of senior people's time, not days.
Yes. NIST CSF 2.0 is the measurement frame because it covers the whole program including governance; every finding is also mapped to ISO/IEC 27001:2022 Annex A and the SOC 2 Trust Services Criteria, so the same work serves your certification path.
The gap register doubles as the scoped proposal for what comes next, and the next move is entirely yours: remediate with your own team, hand the roadmap to a partner, or continue with us into Architect and Build. The assessment stands on its own and commits you to nothing.
An audit judges you against a standard's pass line; this measures the whole program's maturity and tells you what to fix first and what it will cost. It is the artefact you want before an audit, and we remain deliberately separate from the body that eventually certifies you.
One conversation, then the scope and the price in writing. Your enquiry arrives already marked for maturity assessment.