
Compliance and Risk Assessments

An assessment should be a decision document, not a formality. Every engagement is a full assessment with a detailed write-up, gap analysis, evidence notes, a prioritized roadmap, and a summary your executives can actually use.


01 The deliverable

What every assessment includes.

Seven frameworks, one standard of work. None of these are optional extras.

  1. Full assessment

    Every control in the framework examined against your real environment, not your org chart.

  2. Detailed write-up

    Findings in complete sentences, specific to you. No boilerplate paragraphs recycled between clients.

  3. Gap analysis

    Where you stand against what the framework expects, with severity ratings that are honest.

  4. Evidence notes

    What proof exists today, what is missing, and where each artifact should live going forward.

  5. Prioritized roadmap

    What to fix first and why, sequenced for a real team with a real budget.

  6. Executive-ready summary

    The whole engagement distilled into language a board can absorb in five minutes.


Built to survive an auditor's questions

02 The frameworks

Discrete assessments, sold as what they are.

Each of these is a complete engagement on its own. Any of them can also feed a Readiness Sprint or run inside the Security Program Retainer.

Financial data

GLBA

For organizations handling consumer financial data, including those answering to the FTC Safeguards Rule. Safeguards mapped, tested, and documented.

Healthcare

HIPAA

For covered entities and business associates touching protected health information, from independent practices to platforms.

Education

FERPA

For schools, districts, and higher education institutions responsible for student education records and the systems that hold them.

Payments

PCI DSS

For any organization that stores, processes, or transmits cardholder data, at any volume, including scope reduction guidance.

International standard

ISO 27001

For organizations proving a working information security management system to customers, partners, and certifiers.

Common language

NIST CSF 2.0

The baseline we recommend when leadership wants one clear, current picture of the entire security program.

Technical baseline

CIS 18

The practical control set for measuring day-to-day security hygiene, hardening, and operational discipline.

03 How it runs

Four steps. No drift.

01 Scope

Framework, boundaries, systems, and evidence owners agreed up front, in writing.

02 Assess

Interviews, documentation, and configuration review. Evidence is captured as we go, not reconstructed later.

03 Deliver

Detailed write-up, gap analysis, evidence notes, and the prioritized roadmap, presented in a live executive readout.

04 Decide

Fix it with your own team, run a Readiness Sprint, or fold the roadmap into the retainer. Your call, with a clear map either way.


Assessment as a working session, not an ambush

Start here

Pick the framework. We bring the judgment.

One call to scope it: the framework, the boundary, the timeline, and exactly what you will be holding at the end.