Get rid of the countless spreadsheets, email chains, portals and apps. Bring every activity for industrial cybersecurity into one pane of glass.

before_new after_new


Prepare Phase

1. Gauge the maturity of your program.

Generally, organizations assume that they have an up-to-date cybersecurity program or frameworks in place to manage the myriad of risks present today. However, more often than not, organizations overestimate the maturity of their cybersecurity program and leave themselves open to tremendous risk.  

The Critical Infrastructure Maturity Model (CIMM) is a 2-minute assessment that gives a high-level view of your program’s maturity. This will help you understand what your next steps are and where to focus your resources. 

2. Get stakeholders involved.

Once there is a good understanding of where your organization can improve based on the maturity assessment, the next step is to secure resources. This will require discussions to align stakeholders on your cybersecurity strategy in order to convince them to allocate budget, time, and team resources for the next steps in your program.

Review these guides for best practices on gaining stakeholder alignment and securing budget.

Gaining More Value From Assessments
3. Select a framework

Prepare for your organization’s baseline assessment(s) by selecting a framework for standardizing risk measurements against compliance and maturity goals. 

When you’re ready for the first assessment, we’ve made getting started simple. Just select your chosen framework and assign the questions. All of our assessments can be performed 100% remotely, and can even be completed from mobile devices. This makes it easier on the teams responding to questions, eliminates travel costs, and severely cuts down on the time needed to complete the assessment.

choose a framework

We offer more built-in assessment frameworks Than any other Industrial risk management platform.

Select a lifecycle maturity phase to see the corresponding assessment frameworks:
NIST 800-53 Rev. 5

Catalog of security and privacy controls for information systems and organizations from a diverse set of threats and risks.

TSA – Critical Pipeline Cybersecurity

Critical Pipeline Cybersecurity Assessment Framework from TSA and DHS. Learn more.


For Australian energy companies. Contains Australian-specific controls, along with questions from existing frameworks, such as the United States’ ES-C2M2 and NIST-CSF. Learn more.


Data protection and privacy compliance to the European Union & European Economic Area General Data Protection Regulation.

New Combined Custom Framework

New frameworks created with our configurable module builder. Choose & combine questions from industry standard frameworks.

New Custom Framework

New frameworks you create with our configurable module builder. Your own custom questions.

Your Existing Custom Framework

Your own internally developed framework uploaded with our configurable module builder.


NERC compliance on critical infrastructure protection provisions for power suppliers.

Cybersecurity Maturity Model Certification (CMMC)

Evaluates the cybersecurity posture of organizations within the Defense Industrial Base (DIB) sector

Defense Federal Acquisition Regulation Supplement (DFARS)

Contractor/supplier compliance based on DoD requirements based on NIST 800-171

Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2)

Evaluates cybersecurity posture specific to the oil & gas industries, based on ES-C2M2

NIST Cybersecurity Framework (CSF)

Evaluates adherence to cybersecurity standards and best practices

Maritime Cyber Assessment

Vessel/entity compliance based on both BIMCO and IMO guidelines.


Trust Services Criteria – 2017

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

Evaluates cybersecurity posture of organizations within the energy sector

Cyber Maturity: Information Technology

Evaluates an entity’s IT environment, based on NIST 800-53 and ISO 27001/2.

Cyber Maturity For Operational Technology

Evaluates an entity’s OT environment. Based on NIST 800-53 and IEC 62443.

Critical Infrastructure Maturity Model (CIMM)

Risk management program maturity.


1. Establish criticality of your entities /assets /facilities 

In getting ready for your baseline assessment, you’ll want to set up an entity (asset/facility/etc) criticality by defining how critical each one is to keep the business functioning. This is often referred to as a business impact analysis.  Since this step will help determine what level of risk your organization is willing to tolerate for each entity, you’ll want to avoid falling for these common mistakes.

When it comes time for your baseline assessment, taking each entity’s level of criticality into consideration can prove to be tricky. For example, you’d likely tolerate less risk for a highly-critical entity.

We’ve designed our intelligent insights engine to take business context into consideration when calculating risk scores. This gives an ability to be consistent in measuring risk across the organization, even with subjective views of risk that change as the business changes.

onboard the entities you want to assess
2. Begin the assessment(s).

At this point, you should have accomplished the three most important steps of any risk management strategy. Once you’ve established an agreement between stakeholders, a budget, and laid the foundations for a successful assessment process, you can begin assigning the assessments.

For some organizations, this means setting aside a few days, or weeks, to complete an assessment at each facility.  Alternatively, introducing a digital platform to the assessment process can minimize your team’s downtime and even eliminate the need for travel.

Our flexibility lends to your ability to run assessments in a way that is best for your company. You can assign assessments to yourself, assign the whole thing to someone else, or split up the questions and assign them to multiple people. 

assign assessments to specific team members
3. Track assessment progress and risk scores

Tracking the progress of an assessment has never been easier. Pull up your assessment dashboard to see status updates, and watch the assessment questionnaires instantly turn into risk scores. Your long nights and weekends of turning spreadsheets into insights are finally behind you.

track the progress of assessments in one place
4. Report assessment results

When the assessments are complete you’ll need to report on what was discovered. Each stakeholder will likely have their own unique concerns that need to be accounted for in reports. Questions may include: 

  • How much have you improved since the last assessment?
  • How quickly were remediations made?
  • What are the most critical controls to be remediated?


Rather than shuffling through spreadsheets and email threads, every report you’ll ever need related to assessments is a few clicks away, and instantly updated as new data comes in. Choose from a wide range of reports in the Reporting Dashboard and have them ready at a moment’s notice.

create multiple reports with the click of a button
5. Create a risk improvement plan

You’ll need to be prepared to answer the question, “What do we do next, now that we have all this data.” Using the responses from the assessments, and taking in the business context of each facility, you can begin to quantify where efforts should be focused, and decide where budget should be allocated.

We provide posture roadmaps where you can drill down into each area of risk and see the specific remediations needed. Now, you can define your strategy faster and have a clear plan of action to help speed you through improvements.

view the posture of each facility


1. Begin remediations

After the risk improvement plan has been solidified, it’s time to work through each remediation and make improvements. This will require a solid communication loop to ensure that progress is being made, and the appropriate teams are involved. Automating tasks can help with this, so at this stage, it is ideal to consider how to bring in automation and scale your program.

One way automation can help is by creating one source of truth where everyone can provide updates, feedback, and track remediations to make managing all activities easier.

With the Remediation Workflow Manager, assign specific remediations to individuals and monitor their progress to completion. All collaboration between those involved happens inside the same place, with all activity logged and archived.

Just like with your assessments, you can #deletethespreadsheet and keep remediations organized without needing to track endless email chains, logs from other apps, and GBs of supporting documents. 

Since your remediation activities are in the same place as your assessment activities, you can easily show a clear improvement journey from the discovery of a risk to the improvement. This makes it easier to show how your program maturity and security posture has improved over time. And, yes, we have the pre-built reports for that too.

check on the status of your remediations
2. Introduce custom assessments

As your program accelerates, you’ll need to assess other areas that may require customized questionnaires. A more mature organization may also want to implement processes that go beyond the basic standards required by the government that are contained in existing frameworks.

Our Configurable Module Builder gives you the capability of building your own custom assessment or uploading the spreadsheet you’ve already been working from.

Now, your custom assessments can run faster, with all the same benefits of instant reporting and dashboards for tracking progress and risk scores that standard framework assessments receive.

3. Manage third-party risk

Managing your suppliers, vendors, and other third-party risk management is another critical area that your accelerating cyber risk program will need to cover. We’ve made this simple by offering a limited access portal where your third-party assets can answer assessment questionnaires.

Assign your standard framework assessment questions or your customized assessment questionnaire to your vendors and suppliers within the Third-Party Respondent Portal. Then track their progress and watch the reports and dashboards update in real-time as items are completed. Once again, no spreadsheets to send out or collect.

review the assessment results of your third party suppliers and vendors
4. Prepare for audits

When it comes time to run audits and conduct compliance events, documenting these processes and their outcomes will go a long way. 

Just like all other activities across the lifecycle risk management, we provide a fast collaboration process, activity logging, and archiving of the risk decisions you make. The Risk Registry is an enhancement stemming from industry best practices that allow organizations to have a repository of identified risks that can be actioned on and documented within the platform. This enables users to have a clear insight into what risks are present and accept them through a documented process.

The Validations Workflow allows your admins to validate whether controls in finished assessments are in place for further documentation.

All the reports you’ll need for audits and compliance are created for you and only a few clicks away any time you need them..


1. Maximize efficiencies

By this point, your risk management program is moving along well  This is the time to invest in more automation to eliminate manual processes, and increase visibility across the company through system integrations.

Whether you want to take advantage of our pre-built integrations, like Nozomi Networks, SecurityScorecard and ServiceNow, or you’d like to work on something more custom, we can help. Our SaaS platform is designed for flexibility and expansion. Contact us to begin a discussion.

Executive Summary

Assessment and Remediations overview

Assessments & Remediations

insights and reporting overview

Insights & Reporting