Cyber Assessment Security Maturity

A security gap analysis is a process for determining the difference between the current and the desired level of information security. It is an important part of business continuity planning and is also a form of risk assessment.

EthicalHat provides both one-time and ongoing security gap assessments using the Center for Internet Security’s 20 Critical Controls as the benchmark. We will evaluate your existing cybersecurity infrastructure against each of the 20 controls and prepare a comprehensive report telling you where you’re falling short.

To conduct the assessment, our team of skilled security analysts will compare your existing security environment against each control and sub-control to determine which security practices your company is already following and which ones you need to strengthen or incorporate into your security strategy. We will work with your IT and business teams to understand your datasets, business logic, and infrastructure set-up to come up with a set of actionable recommendations for you to build stronger threat prevention and defense capabilities.

If you opt for an ongoing assessment, our team of project managers and security consultants will work closely with your teams to understand your current security state, identify gaps in your implementation of CIS controls, and recommend the most effective ways to fill those gaps and move closer to full compliance. Controls will be assessed and validated periodically (depending on the agreed-upon frequency) to ensure ongoing compliance. With this approach, the program can sustain maturity.

We will keep a close watch on evolving security threats and changing standards so that we can quickly notify you when you need to implement patches, secure systems that are vulnerable to new threats, or upgrade your security-monitoring, threat-detection, and incident-response policies and tools. Like one-time assessments, ongoing assessments can be conducted on-site, remotely, or as a combination of both.


If you opt for a one-time gap assessment, our security consultants will examine your security infrastructure and implementation of critical controls, and prepare a set of recommendations to improve your security posture. A one-time assessment is useful during a CISO’s first 100 days with an organization to assess the current state of the security program and deliver a roadmap for the future. If the program has been ignored for a while, a one-time assessment can help provide a strategic roadmap towards maturity.

The assessment can be conducted either on-site or remotely, or include a combination of both depending on your specific requirements and budget. While a one-time external assessment can help you identify areas of improvement and put you on the path to full standards compliance, we recommend an ongoing assessment for your company’s evolving security needs.

Why CIS Controls?


CIS Controls comprise the most critical of cybersecurity best practices that are actionable and simple to implement. They cover everything from directions for asset inventorying to boundary defense to penetration testing and incident response. There is in-depth documentation available for each control and sub-control. CIS has also developed Implementation Groups (IGs) for sub-controls that help organizations prioritize and implement them based on their resources, expertise and risk exposure.


The 20 controls are accessible to companies of all sizes. Even those in the early stages of formulating a cybersecurity strategy can use CIS Controls as a starting point. The Implementation Groups make it simpler for smaller companies to identify focus areas. Only the 43 sub-controls in IG1 that represent “Cyber Hygiene” are critical for every organization.


CIS Controls can be directly mapped to other security standards and controls including NIST 800-53, PCI DSS, FISMA, and HIPAA.


The Center for Internet Security’s Controls Self-Assessment Tool (CIS CSAT) is a free tool for businesses of all sizes to track their documentation, implementation, automation, and reporting of the 20 CIS Controls. The web-based tool was developed by EthicalHat, based on AuditScripts’ popular CIS Controls Manual Assessment spreadsheet, and later donated to CIS. In addition to helping companies assess their implementation of the CIS Controls, CSAT allows them to easily compare their own security performance with that of competitors.

The first person from an organization to register becomes the tool ‘Owner’, who can delegate questions to other team members and set deadlines. Users can also upload evidence documents for each control, create and share assessment reports, and collaborate with other organizations on shared security goals.