Risk & Compliance Assessments
Know where you stand before someone else finds out for you.
Our assessments give you a current, defensible picture of your security and privacy posture — across frameworks, regulations, and risk domains. Every engagement starts with a free consultation and ends with findings you can act on.
Not sure which assessment fits? That's what the consultation is for.
How We Approach Assessment Work
Assessments that drive action, not documents that don't.
Most risk assessments produce a report that confirms what the client already suspected, recommends things they already know they should do, and sits on a shelf until the next audit cycle forces a repeat of the exercise.
We build assessments around decisions — the budget conversation, the board presentation, the auditor engagement, the insurance renewal, the enterprise deal that's waiting on your security documentation. Every finding is prioritized, every recommendation is specific, and every engagement is structured to transition into ongoing advisory if that's where the work leads.
13: Assessment engagements across security, privacy, and compliance
5-6: Weeks typical engagement timeline from kickoff to final report
Free: Initial consultation to scope your engagement and assess your situation
1: Partner-level advisor on every engagement. No handoffs.
Risk & Compliance
Security posture and compliance assessments.
For organizations that need a current, defensible picture of their security program — before an audit, a board presentation, an insurance renewal, or an incident makes the gap obvious.
NIST CSF · ISO 27001 · Custom Frameworks
Enterprise Risk Assessment
Comprehensive current-state security posture analysis across people, process, technology, and third-party risk. Control maturity assessment, gap identification, and a prioritized remediation roadmap.
Type I and Type II Preparation
SOC 2 Audit Readiness
Gap assessment against Trust Services Criteria, control design and implementation guidance, evidence collection process design, and full support from readiness through Type II audit completion.
ISMS Development & Implementation
ISO 27001 Preparation
Information Security Management System design, Annex A control assessment, Statement of Applicability development, and full preparation through Stage 1 and Stage 2 certification body audit.
CIS Controls v8.1 · IG1 · IG2 · IG3
CIS Controls Assessment
Control-by-control assessment against your applicable Implementation Group with attack vector coverage mapping, prioritized remediation roadmap, and cyber insurance documentation support.
CMMC 2.0 · NIST SP 800-171 · C3PAO Prep
CMMC Readiness and Gap Analysis
Level 1 or Level 2 gap analysis, NIST SP 800-171 control implementation review, System Security Plan development, POA&M preparation, and C3PAO assessment preparation.
FedRAMP · StateRAMP · NIST 800-53
FedRAMP & ATO Advisory
Authorization readiness assessment, NIST 800-53 control implementation guidance, SSP development, 3PAO preparation, and continuous monitoring program design for federal and state government authorization.
Industry-Specific Compliance
Regulated industry assessments.
For organizations operating under specific regulatory frameworks where generic security assessments don't satisfy the compliance standard — and where auditors know the difference.
Administrative · Physical · Technical Safeguards
HIPAA Security Rule Assessment
Administrative, physical, and technical safeguards assessment, ePHI inventory and data flow mapping, risk analysis aligned to OCR expectations, BAA review, and safeguards implementation roadmap.
PCI DSS v4.0 · CDE Scoping · QSA Prep
PCI DSS Gap Assessment
Cardholder Data Environment scoping, twelve requirements gap analysis, compensating controls evaluation, evidence collection guidance, and QSA preparation for merchants and service providers.
GDPR · CCPA / CPRA · U.S. State Laws
Global Privacy Compliance
Multi-jurisdictional privacy law assessment across GDPR, CCPA/CPRA, and U.S. state privacy laws. Data mapping, gap analysis, privacy program design, and the operational infrastructure to stay current as regulations change.
Specialized Advisory Assessments
High-stakes engagements that require different expertise.
For organizations facing specific decision points — a transaction, a board conversation, a vendor program that isn't working, or a cloud environment that's grown faster than its security controls.
FAIR Methodology · Financial Risk Modeling
Cyber Risk Quantification
FAIR methodology financial modeling of cyber risk exposure. Dollar-denominated loss scenarios for board presentations, budget justifications, and cyber insurance negotiations. Defensible inputs, auditable outputs.
Pre-Acquisition Assessment · Deal Timeline Delivery
M&A Cyber Due Diligence
Pre-acquisition cybersecurity risk assessment built for deal timelines. Security debt quantification, privacy liability estimation, deal term implications, and 100-day post-close integration roadmap.
Vendor Lifecycle · Risk Tiering · Framework Alignment
Third-Party Risk Management
Vendor risk assessment framework design, tiering methodology, questionnaire library development, lifecycle workflow design, and tooling guidance. Built for how vendor risk actually works operationally.
AWS · Azure · GCP · CIS Benchmarks
Cloud Security Posture Assessment
Read-only audit of AWS, Azure, or GCP environments. CIS Benchmark compliance evaluation, misconfiguration detection, IAM analysis, and IaC-ready remediation templates your engineering team can deploy.
How Every Engagement Works
The same process, regardless of which assessment you need.
STEP 01
Free Consultation
We talk through your situation, your drivers, and which assessment fits. You leave the call with a clear scope and honest timeline — no commitment required.
STEP 02
Scoped Engagement
Every assessment is scoped to your actual environment, your compliance requirements, and your timeline — not a fixed package you fit yourself into.
STEP 03
Findings You Can Use
Specific, prioritized, defensible findings. Not a generic report. Every recommendation is actionable within your resource constraints and organizational reality.
STEP 04
Ongoing if You Need It
Assessments transition to continuous compliance advisory, vCISO engagement, or DPO advisory for organizations that need ongoing program support beyond the initial engagement.
Not sure which assessment you actually need?
Start with the free consultation. We'll map your situation, your compliance obligations, and your timeline against the right engagement — and tell you honestly if something else would serve you better.
