Service 01

SECURITY ASSESSMENT

We find out where you actually stand — against standards, regulations, and real threats.

Security maturity isn't a number in a report. It's an organisation's ability to actually withstand an attack.

A lot of companies think their security is covered — because they have a firewall, antivirus, and backups. A Security Assessment is about finding out how true that really is. Not whether you have the tools, but whether they actually work, in the full context of your environment.

We benchmark your state against recognised standards — NIST CSF, ISO 27001, or CIS Controls — and put the results into the real context of your sector and size. It's not about paper compliance, it's about whether you're really ready.

The output isn't just a report. You get a prioritised list of what to tackle first — sorted by risk, impact, and feasibility within your budget.

What's included

WHAT YOU GET

We assess your current state against NIST CSF, ISO 27001, or CIS Controls. The output isn't a table of numbers — it's a clear picture of what works and what doesn't.

We start with conversations with key people — IT, management, operations. We go through documentation, technical solutions, and existing processes. The result is a clear map of the current state and a concrete comparison against the chosen standard. We do this with minimal disruption to your operations — a typical engagement takes 2–3 weeks.

We check readiness for ZoKB, NIS2, and DORA. You know what the law requires — we'll tell you how far from it you are.

For each regulatory framework we go through specific requirements and map where you're compliant, where there are gaps, and where you need urgent attention. The result is a gap analysis with clear prioritisation — what to tackle first and what can wait. We always factor in the real capacity of your organisation, not just formal compliance with the text of the law.

We go through your network and system architecture. We look for weak spots in the design, not just in the configuration.

We focus on the design — how systems are interconnected, how networks are segmented, how access is controlled. Architectural problems aren't fixed with a patch — that's why it matters to surface them before they show up as an incident. The review runs without access to production systems, based on documentation and a guided workshop.

We test your systems the way an attacker would. We set scope and depth to match your context.

We work to a clearly defined scope — focusing on specific applications, infrastructure, or a combination of both. The output isn't just a list of CVEs from a tool — it's a realistic risk write-up and remediation guidance your in-house team can implement. We also offer re-testing after remediation to verify the fix actually works.

We help you build or revise your IRP. When something happens, you don't want to think about what to do — you want to follow the plan.

The IRP covers roles and responsibilities, escalation paths, communication templates, and playbooks for the most common incident types — ransomware, phishing, data leak. We tailor the plan to your size and context. Optionally we test the plan via tabletop exercises walking through a simulated scenario with key people.

Based on the assessment we propose concrete steps. Sorted by priority, feasibility, and your budget.

The roadmap is a 12–18 month plan with clear milestones, owners, and resource estimates. Each initiative is justified by risk, not fashion. The document is designed to be readable for non-technical management — it serves as the basis for investment decisions and for communication with regulators.

Who it's for

WHO IT FITS

01

Companies preparing for certification

ISO 27001, NIS2, or other regulatory requirements — you want to know where you stand before paying for an audit.

02

Organisations after a security incident

You need to understand what happened, why it could happen, and how to make sure it doesn't happen again.

03

Companies that don't know where to start

Security is a priority for you, but you don't know what to tackle first. An assessment gives your effort the right direction.

Frequently asked

FAQ

How long does a Security Assessment take?

It depends on scope. A baseline maturity assessment takes 2–3 weeks. A comprehensive assessment including pen testing can take 4–8 weeks. We always agree the scope upfront.

Do we just get a report, or concrete next steps?

Always concrete steps. A report without prioritisation is useless paper. The output always includes a list of recommendations sorted by urgency and impact.

Do we need to be ISO 27001 certified for this to make sense?

No. The assessment makes sense at any stage — even if you have no certification and aren't planning one. It's about knowing where you stand.

Let's start

Find out where you actually stand.

Call or write to us — we'll discuss scope, answer your questions, and propose an approach tailored to your environment.