Cybersecurity Assessment
Create a control catalog based on 13 industry cybersecurity standards, including ISO 27001, NIST CSF, and NIS2, and assess the organization's security posture with questionnaires derived from that catalog.
Brief
A leading software organization required a comprehensive cybersecurity assessment of various business units to evaluate its current posture against multiple international cybersecurity standards as part of a global cybersecurity harmonization initiative. The project encompassed three key phases: first, we created a control catalog based on thirteen cybersecurity standards, together with role-based questionnaires mapped to the controls. Second, we conducted the cybersecurity assessment using those questionnaires. Third, we produced a final report containing the graded cybersecurity domains, the applications landscape, and suggestions for improvement.
Our approach ensured the project was delivered within demanding time constraints, equipping the organization to plan strategically for long-term investments in cybersecurity enhancements. Additionally, the control catalog we developed will serve as a valuable resource for client-internal future assessments, enabling the organization to track and benchmark its cybersecurity progress over time.
13 security standards used
80 interviews conducted
12 key business units assessed
Areas of Activity
Control Catalog Creation
Created a comprehensive control catalog to guide the assessment. The catalog's controls were based on 13 international and industry-specific security standards to ensure extensive coverage. Tailored to the organization's specific needs, the catalog placed particular emphasis on cloud service utilization and offerings, as well as software development practices. This targeted approach ensured the assessment addressed the areas most critical to the client's operations.
Meaningful Final Report
Produced a final report consolidating the assessment results: the graded cybersecurity domains, the applications landscape, and improvement suggestions for each business unit and domain, giving the organization a clear basis for planning long-term cybersecurity investments.
Role-Based Questionnaires and Interviews
Developed role-specific questionnaires based on the controls outlined in the comprehensive control catalog. Each questionnaire was meticulously designed to align with the expertise and responsibilities of the stakeholders involved in the assessment. These tailored questionnaires served as the basis for conducting eighty in-depth interviews with the organization’s stakeholders. The feedback collected from these interviews was systematically consolidated and analyzed to evaluate and summarize the status of each control in the catalog, providing a clear and actionable overview of the organization's cybersecurity posture.
Our Contribution to Success
Short Time Frame for Assessment Execution
Worked efficiently to complete all activities under demanding time constraints while maintaining optimal coverage of the assessment. Our approach enabled the inclusion of numerous business units and stakeholders, providing a thorough and accurate representation of the client's cybersecurity posture. This broad engagement ensured that the assessment captured critical insights across the organization, supporting a well-rounded and actionable evaluation.
Comprehensive Cybersecurity Domains Analysis
Created an in-depth analysis across twelve security domains, providing the organization with a clear understanding of its cybersecurity landscape. This analysis enabled the identification of domains requiring special attention, offering a focused pathway for achieving higher levels of cybersecurity maturity.
Actionable Suggestions for Improvement
Provided tailored improvement suggestions for each business unit and assessed domain, aimed at advancing the organization's cybersecurity maturity. These recommendations ranged from quick wins ("low-hanging fruit") to long-term strategic initiatives. Additionally, organization-wide recommendations were included to ensure a cohesive and holistic approach to strengthening cybersecurity across all levels.