The Assessment Framework
The OTVerdict assessment framework is structured around clearly defined operational control domains aligned to defensibility expectations for industrial environments.
Domains include Governance, Architecture, Access Control, Monitoring, Resilience, Supply Chain, and Continuous Improvement — each supported by practical criteria and defined evidence requirements to ensure clarity and consistency.
Operational Control Domains
Each domain defines a structured control area assessed within the OTVerdict framework.
Governance, Authority & Accountability
Defines executive oversight, accountability structures, and formal responsibility for OT cyber risk management.
Projects, Handover & Lifecycle Control
Ensures secure project delivery, commissioning handover integrity, and controlled lifecycle management of OT systems.
Asset Inventory & Criticality
Maintains accurate asset visibility and classification based on operational criticality and business impact.
Network Security & Architecture
Implements secure network design, segmentation, and architectural controls protecting OT environments.
Physical Security
Controls physical access to OT assets, facilities, and supporting infrastructure.
Identity, Privilege & Remote Access
Manages authentication, privileged access, and secure remote connectivity into OT systems.
System Hardening & Secure Configuration
Maintains hardened baselines, secure configurations, and controlled system maintenance processes.
Malware Protection & Threat Detection
Protects OT environments through malware controls and structured detection mechanisms.
Logging, Monitoring & Detection
Implements logging strategies, alerting mechanisms, and security event monitoring processes.
Vulnerability & Patch Management
Identifies vulnerabilities and manages structured patching within operational constraints.
Backup, Recovery & Resilience
Ensures system recoverability and operational continuity through defined backup and restoration processes.
Network Hygiene & Infrastructure
Maintains foundational infrastructure controls, secure device management, and network cleanliness.
People & Culture
Establishes security awareness, training, and behavioural accountability across operational teams.
Assurance & Review
Measures the effectiveness of OT cyber controls through audits, reviews, and continuous improvement processes.
Mapped Principles
The framework's domains are mapped to the core principles and requirements of NIS2, the UK Cyber Assessment Framework (CAF), and IEC 62443. This mapping ensures the assessment reflects internationally recognized standards and regulatory expectations.
This assessment is not a certification or accreditation. Instead, it provides an independent review of site-level OT cyber evidence readiness and defensibility, with clear alignment to regulatory and industry standards for audit and assurance purposes.