Don't know where to start? Begin here. A 4-week structured assessment that scores 100+ controls against the framework of your choice and delivers a 12-month remediation roadmap with effort and cost estimates.
Most CISOs and IT leaders we meet have the same question on day one: where do we even start? Should we invest in EDR? Vault our privileged accounts? Run a pentest? Hire an MDR provider? Pursue ISO 27001? The honest answer is that those decisions are impossible to prioritise without first measuring the programme against a framework. That is what the gap assessment delivers.
In four weeks, we score your security programme against a recognised control framework (NIST CSF 2.0, ISO/IEC 27001:2022 Annex A, CIS Controls v8, BNM RMiT, or a hybrid), produce a heatmap of where the gaps are, and deliver a sequenced 12-month roadmap with effort and cost estimates against each gap.
The output is built to be the input to your next budget cycle: prioritised, scoped, costed, and defensible at board level.
NIST CSF 2.0: framework-agnostic, management-level framework built on six functions (Govern, Identify, Protect, Detect, Respond, Recover). Default for most engagements; translates cleanly to ISO and CIS.
ISO/IEC 27001:2022 Annex A: 93 controls across organisational, people, physical and technological domains. Pick this if certification is the eventual goal.
CIS Controls v8: 18 controls, prioritised by Implementation Group (IG1, IG2, IG3). Strong tactical roadmap, less management-system overhead than ISO.
BNM RMiT: mandatory for Malaysian licensed FSI. Pick this if you are a bank, insurer, takaful operator or DFI.
NACSA codes of practice (pending): for NCII operators and regulated sectors awaiting publication of the codes. Often run as a hybrid with NIST CSF.
Hybrid: most realistic for mature programmes. Primary scoring against one framework with appendix cross-references to the others.
Week 1: Joint scoping with the CISO/IT leadership. Framework selection. Document review: existing policies, prior audits, asset inventory, network diagrams, incident log, training records, vendor list.
Week 2: Structured interviews across business, IT, security, ops and compliance teams. Targeted evidence collection: control walk-throughs, configuration reviews, sample testing.
Week 3: Each control scored against the chosen framework. Maturity model applied (typically CMMI 1-5). Heatmap consolidation. Remediation effort and cost estimation per gap.
Week 4: Executive summary (one page). Detailed scored gap report (50-80 pages). 12-month remediation Gantt with owners, effort and cost. Board readout with Q&A pack.
How does a gap assessment differ from a penetration test? A penetration test answers 'can an attacker break this specific system today?' A gap assessment answers 'is our entire security programme designed against a recognised framework, and where are the holes?' The pentest is technical depth on a defined scope; the gap assessment is programme breadth across people, process and technology. Both are useful, in that order — gap assessment first to scope the programme, pentest later to validate specific control depth.
Which framework should we choose? Default to NIST CSF 2.0 if you have no regulatory driver — it is framework-agnostic, well understood, and translates cleanly to ISO and CIS. Pick ISO/IEC 27001:2022 if certification is the eventual goal. Pick CIS Controls v8 if you want a prioritised tactical roadmap rather than a management-system framework. Pick BNM RMiT if you are a licensed Malaysian financial institution. Most of our customers ultimately run a hybrid — NIST CSF as the primary score, with ISO 27001 Annex A and CIS v8 cross-references in appendices.
What do we need to provide before kickoff? Existing policies, prior audit reports, asset inventory, network and architecture diagrams, incident log (last 24 months), training records, vendor list, prior pentest and vulnerability-scan output. We do not need everything before kickoff — the structured interview phase in week two is designed to draw out missing evidence efficiently. Customers who arrive with no documentation at all are still served well; the gap is simply scored as such.
Do you also deliver the remediation? Yes — we deliver remediation through dedicated services depending on the gap profile. Common follow-on engagements include a vCISO retainer for programme leadership, managed detection and response for SOC capability, intelligence-led pentesting for control validation, ISO 27001 implementation support, and PAM operations. The gap assessment itself is delivered with deliberate independence so the findings are not biased toward services we want to sell.
Does the gap assessment get us ISO 27001 certified? No — a gap assessment is the diagnostic, not the cure. Achieving ISO 27001:2022 certification requires building the management system: scope, ISMS policies, risk methodology, Statement of Applicability, internal audit, management review, then external Stage 1 and Stage 2 audits. The gap assessment scores you against ISO Annex A and identifies the work; the implementation engagement (typically 6-12 months) builds the system; an accredited certification body (not nCrypt) issues the certificate.
Scoping calls take 30 minutes. The 4-week sprint kicks off the following Monday. You leave week four with a board-ready, costed 12-month roadmap.