Advisory
A one off engagement with a concrete end product: a personalised report with findings, priorities and an actionable plan.
- Analysis, evaluation and recommendations
- Fixed start and finish, clear scope
- Outcome: strategic report and action plan
Advisory
Strategic cybersecurity advisory
Our advisory services are one off, independent analyses delivered as a concrete report with an action plan. No implementation, no ongoing operations. Those are offered through our partnerships.
Advisory versus partnership
When advisory, when partnership?
Advisory is a snapshot: we analyse, advise and deliver a report. A partnership is the ongoing delivery: we implement, manage and monitor. The two naturally follow each other.
Partnership
Ongoing delivery: implementation of measures, day to day management, monitoring and incident response. Through our IT, Security or Combined Partner models.
- Execution and operational management
- Continuous monitoring and support
- Explore our services and partnerships
Advisory services
Four independent advisory types
Every advisory engagement is tailored during an intake call to your situation, sector and priorities. The scope and method below is the standard starting point.
01
Cybersecurity Assessment
“How secure is my organisation?”
An independent, organisation wide evaluation of your cybersecurity maturity. We look from the helicopter: which business processes run, which assets are critical, which threats are realistic, and how mature is your organisation in policy, awareness and organisational measures. We touch no systems, we run no scans. The goal is a strategic overview of risks and maturity.
Scope
The Assessment is a one off analysis. Implementation of recommendations (SIEM rollout, XDR deployment, writing policies) is covered by an IT, Security or Combined Partnership.
Method
- Conversations and interviews with management and key roles
- Documentation review of existing policy and procedures
- Inventory of critical business processes and dependent assets
- Maturity scoring based on the Belgian CyFun Framework (CCB) on a scale of 1 to 5
- Risk analysis at organisation level linking threats to impact and likelihood
Deliverable
- Overview of critical business processes and assets
- Maturity scores per security domain
- Risk analysis with risk matrix (current and residual)
- Top risks with explanation and business impact
- Prioritised recommendations for short, medium and long term
- Concrete action plan
02
Compliance Assessment
“Do I meet regulation X?”
We test your organisation against the relevant cybersecurity regulation and frameworks. Based on sector, size and activities we determine together which framework applies. You receive a clear gap analysis and an advisory report with concrete steps to become compliant.
Scope
This report advises. The actual implementation of compliance measures is a separate engagement.
Method
- Determination of the applicable framework (NIS2, CyFun, ISO 27001, GDPR)
- Overview of all requirements per framework
- Testing per requirement: meets, partially meets, does not meet
- Compliance scoring and gap overview
- Remediation advice per gap with prioritisation
Deliverable
- Overview of applicable requirements
- Testing results per requirement
- Compliance score
- Gaps with remediation advice
- Implementation plan with prioritisation
03
Technical Security Audit
“Are my systems technically secure?”
We go hands on the systems and perform technical security tests. Where the Cybersecurity Assessment gives the strategic overview, the Technical Audit dives deep into the systems themselves: how is the network built, which ports are open, are firewalls correctly configured, are systems patched, are web applications vulnerable to known attacks.
Scope
A snapshot at a given moment, not a guarantee of complete security. Implementation of remediations (patching, firewall reconfiguration, system hardening) is covered by a partnership. Continuous vulnerability management (monthly scans, continuous monitoring) is covered by Security Partnership.
Method
- Vulnerability assessment: automated scans (Nessus, OpenVAS) with manual validation
- Penetration testing (when in scope): controlled attack simulation
- Network analysis: Nmap port scans, topology, VLAN segmentation, firewall rules
- Configuration review: firewall, server hardening, Active Directory, access rights
- Web application audit: testing for OWASP Top 10 vulnerabilities
Deliverable
- Management summary for non technical readers
- Detailed findings with description, location, severity and remediation
- Severity classification per finding (Critical, High, Medium, Low, Informational)
- CVSS score per vulnerability
- Overview table sorted by severity
- Remediation recommendations with prioritisation
04
Incident Response and Crisis Planning
“Am I prepared for a cyber incident?”
We evaluate your current readiness for cyber incidents and develop a tailored incident response plan and crisis communication plan. The result is a complete, actionable document: your playbook for the day something happens.
Scope
We deliver the plan on paper. Running exercises, training staff, setting up SIEM or monitoring and incident response retainer (stand by) are separate engagements or covered by Security Partnership.
Method
- Risk scenario analysis: which incidents are realistic?
- Evaluation of current readiness: procedures, roles, communication
- Incident response procedures per phase: Detection, Triage, Containment, Recovery, Evaluation
- Roles and responsibilities matrix
- Communication protocols internal and external, including mandatory reporting to CCB and DPA
- Tabletop exercise scenario
Deliverable
- Risk scenarios and current readiness
- Incident response procedures per phase
- Escalation criteria
- Roles and responsibilities
- Communication protocols
- Test and exercise plan with tabletop scenario
Assessment versus Audit
Cybersecurity Assessment or Technical Security Audit?
Both services complement each other. The Assessment delivers the strategic overview and priorities, the Technical Audit digs deep into the systems. You can take them separately or combined.
| Cybersecurity Assessment | Technical Security Audit | |
|---|---|---|
| Level | Organisation wide, strategic | System specific, technical |
| Method | Interviews, documentation review, frameworks | Vulnerability scans, penetration tests, configuration reviews |
| What we examine | Policy, processes, risks, maturity | Firewalls, servers, network configuration, web applications |
| Example finding | Patch management scores 2/5, no policy exists | Server X is missing patch CVE-2024-XXXX (Critical) |
| Audience | Management | IT lead, system administrator |
| Do we touch systems? | No | Yes, scans, tests, configuration review |
Ready for the next step?
Request an intake call
In a short, no obligation call we determine together which advisory type fits your situation, which scope makes sense and how long the engagement is expected to take.
Schedule an intakeWho it is for
SMEs, non profits and organisations in the insurance sector looking for an objective view of their cybersecurity posture, a foundation for compliance or preparation for an incident. Independent advice, we do not sell our own products.