A security gap analysis is a process for finding the difference between an organization's current level of information security and the level it needs to reach. It is an important part of business continuity planning and is also a form of risk assessment.

EthicalHat provides both one-time and ongoing security gap assessments using the Center for Internet Security’s 20 Critical Controls as the benchmark. We will evaluate your existing cybersecurity infrastructure against each of the 20 controls and prepare a comprehensive report telling you where you’re falling short.

To conduct the assessment, our team of skilled security analysts will compare your existing security environment against each control and sub-control to determine which security practices your company is already following and which ones you need to strengthen or incorporate into your security strategy. We will work with your IT and business teams to understand your datasets, business logic, and infrastructure set-up to come up with a set of actionable recommendations for you to build stronger threat prevention and defense capabilities.


If you opt for an ongoing assessment, our team of project managers and security consultants will work closely with your teams to understand your current security state, identify gaps in your implementation of the CIS Controls, and recommend the most effective ways to fill those gaps and move closer to full compliance. Controls will be assessed and validated periodically (at an agreed-upon frequency) to ensure ongoing compliance. With this approach, the program can sustain its maturity over time.

We will keep a close watch on evolving security threats and changing standards so that we can notify you quickly when you need to apply patches, secure systems that are exposed to new threats, or upgrade your security-monitoring, threat-detection, and incident-response policies and tools. Like one-time assessments, ongoing assessments can be conducted on-site, remotely, or as a combination of both.


If you opt for a one-time gap assessment, our security consultants will examine your security infrastructure and your implementation of the critical controls, and prepare a set of recommendations to improve your security posture. A one-time assessment is useful during a CISO's first 100 days with an organization, to assess the current state of the security program and deliver a roadmap for the future. If the program has been neglected for a while, a one-time assessment can provide a strategic roadmap towards maturity.

The assessment can be conducted on-site, remotely, or as a combination of both, depending on your specific requirements and budget. While a one-time external assessment can help you identify areas for improvement and put you on the path to full standards compliance, we recommend an ongoing assessment to keep pace with your company's evolving security needs.

Why CIS Controls?


The CIS Controls comprise the most critical cybersecurity best practices that are both actionable and straightforward to implement. They cover everything from asset inventorying to boundary defense, penetration testing, and incident response. In-depth documentation is available for each control and sub-control. CIS has also developed Implementation Groups (IGs) for the sub-controls, which help organizations prioritize and implement them based on their resources, expertise, and risk exposure.


The 20 controls are accessible to companies of all sizes. Even those in the early stages of formulating a cybersecurity strategy can use the CIS Controls as a starting point. The Implementation Groups make it simpler for smaller companies to identify focus areas: the 43 sub-controls in IG1, which represent basic "Cyber Hygiene", are the ones that are critical for every organization.


The CIS Controls map directly to other security standards and control frameworks, including NIST SP 800-53, PCI DSS, FISMA, and HIPAA.


The Center for Internet Security's Controls Self-Assessment Tool (CIS CSAT) is a free tool that lets businesses of all sizes track their documentation, implementation, automation, and reporting of the 20 CIS Controls. The web-based tool was developed by EthicalHat, based on AuditScripts' popular CIS Controls Manual Assessment spreadsheet, and later donated to CIS. In addition to helping companies assess their implementation of the CIS Controls, CSAT allows them to compare their own security performance with that of their peers.

The first person from an organization to register becomes the tool's "Owner", who can delegate questions to other team members and set deadlines. Users can also upload evidence documents for each control, create and share assessment reports, and collaborate with other organizations on shared security goals.

Difference Between One-time and Ongoing Assessments?

A one-time security gap assessment is just that: a single assessment carried out by an external assessor to identify gaps in your security infrastructure and policy framework and to recommend ways to close them. Industry regulations may require you to engage an external auditor or assessor to conduct a formal one-time assessment. It is also a good way to measure your security performance against the standards you choose to be assessed against. You can then use the assessment report either to adjust your existing security strategy or to formulate a new one.

While a one-time assessment may be what you need right now to address specific issues or as part of your overall security strategy, EthicalHat recommends an ongoing assessment to make sure you stay on top of emerging security threats. The cyber-threat landscape is always changing, with malicious actors finding new ways to breach defenses every day, so security becomes a full-time activity. A positive assessment report means only that your systems were secure at the time of the assessment; this can change over time.

EthicalHat's assessment team will help keep your IT infrastructure safe from newly discovered threats and vulnerabilities by keeping a close watch on emerging risks, malware, and patches, as well as on your network security. It will also keep you up to date on the latest security standards and policies for your industry and on your compliance obligations.

Need Immediate Assistance?

To find out more about our CIS CSAT Cyber Security Gap Assessment, email us at or call us at +1-844-838-4422.