The Assessment Process

From scoping call to defensibility report.

A structured four-step process. Evidence-led, expert-reviewed, delivered as a written report you can show a regulator.

01
STEP 0120-min call

Scope & Onboarding

Define boundaries. Establish control. Align expectations.

Engagement begins with understanding your OT environment and regulatory context. A structured scoping call confirms site count, NIS2 entity classification, systems in scope, and the right assessment tier. Fee is confirmed and invoiced at the end of this step.

02
STEP 02

Evidence-Based Questionnaire

Structured control validation grounded in documented proof.

Once scope is confirmed, a structured evidence questionnaire is issued covering all agreed control domains. Each question requires verifiable documentation — architecture diagrams, policies, configurations, procedure records. Policy statements without evidence are not sufficient.

03
STEP 03Independent

Independent Expert Review

Expert judgement applied to submitted evidence.

Submitted evidence is manually reviewed by an OT network and systems engineer with 15+ years in industrial control system environments. Every control is scored against defined sufficiency criteria — Red, Amber, or Green — with justification documented for each decision. This is not automated scoring.

04
STEP 0410 working days

Defensibility Report & Recommendations

Formal documentation of defensibility and prioritised improvement actions.

A written defensibility report is delivered within 10 working days of completed evidence submission. The report gives you a documented position you can show a regulator, insurer, or board — and a clear roadmap of what to fix first.

ADD-ON SERVICE

Annual Revalidation

Maintain a current defensibility position as your OT environment and the regulatory landscape evolve.

The initial assessment is a point-in-time engagement. For organisations that need to demonstrate ongoing due diligence — to regulators, insurers, or boards — an Annual Revalidation reassesses key control domains, reviews material changes to the OT environment, and updates your defensibility position statement.

  • Targeted reassessment of key control domains
  • Review of material operational or architectural changes
  • Updated defensibility position statement
  • Support for insurer and regulatory reporting cycles

Ready to establish your OT defensibility position?

A 20-minute scoping call is all it takes to confirm scope and get started.

Typical fee: £1k–£8k·3–8 weeks delivery
Request a Scope Call