Security & Resiliency Baseline Assessment
Before any security strategy can be credible, it must be grounded in an honest account of where the organisation actually stands. A baseline assessment provides that account — independently, rigorously, and without a vendor interest in what it finds.
Most organisations do not know what they do not know
Security postures degrade gradually and unevenly. A policy framework written three years ago may still look comprehensive on paper whilst being materially disconnected from current operations. Technology deployed during a previous upgrade cycle may have integration gaps that nobody has formally assessed. Cultural practices around access, visitor management, or incident reporting may have drifted from what the documentation says.
A Security & Resiliency Baseline Assessment creates a structured, evidence-based picture of the organisation's current security state across every dimension that matters — physical infrastructure, people and culture, technology, policy and governance, operational resilience, and third-party exposure. It is a point-in-time assessment: honest, independent, and built to inform whatever comes next, whether that is a TVRA, a transformation programme, a regulatory submission, or a board-level briefing.
A security programme built on assumed competence is not a security programme — it is a liability. The baseline assessment exists to replace assumption with evidence, so that every subsequent decision is made on solid ground.
What sets our assessments apart
Clarity
Organisations commission a baseline assessment precisely because the current picture is unclear. We surface what is actually present — gaps, strengths, and blind spots alike — without softening findings to protect relationships or future work.
Rigour
Our methodology combines site walkthroughs, structured interviews, documentation review, technology audit, and maturity benchmarking against recognised standards — not a checklist completed remotely from a desk.
Actionability
Every finding is accompanied by a prioritised recommendation. The assessment report is designed to be used — by security leadership, by boards, and by the teams responsible for closing the gaps identified.
Independence
We hold no commercial relationships with technology vendors or system integrators. Our findings reflect the evidence, not a preferred outcome. An assessor with a product to sell cannot give you an honest baseline.
What the assessment examines
Six dimensions of organisational security — each assessed through direct evidence rather than self-reported maturity scores alone.
Physical Security Infrastructure
Perimeter integrity, access control architecture, CCTV coverage and functionality, lighting adequacy, visitor and contractor management, and the alignment between the physical security estate and the organisation's current operational footprint. Conducted through direct site walkthrough and observation.
Technology & Systems
A thorough review of the security-technology landscape examines several key factors: the condition of any legacy infrastructure, the difference between each system's intended functions and its real-world performance, how well the various system components communicate with one another, whether the software is up to date, and the extent of monitoring that is in place. Often, integration problems remain hidden until the environment is subjected to formal testing.
Operational Resilience
Business continuity arrangements, crisis response protocols, redundancy in critical security systems, incident management procedures, and the organisation's tested — not assumed — capability to maintain security function through disruption, escalation, or emergency.
People & Security Culture
Security awareness levels across the organisation, insider threat indicators, staff compliance with security protocols, the quality and recency of security training, and whether security is treated as a shared organisational responsibility or delegated entirely to a specialist team.
Policy & Governance
The completeness, currency, and practical relevance of the organisation's security policy framework — including whether documentation reflects actual practice, whether governance structures are functional, and whether the organisation can demonstrate compliance with applicable regulatory standards.
Third-Party & Supply Chain Exposure
The security obligations placed on contractors, suppliers, and service providers — and whether those obligations are adequately specified, monitored, and enforced. Third-party access is consistently one of the most underassessed areas of organisational security exposure.
How the assessment is conducted
Each assessment draws on several ways of gathering evidence. Rather than relying on any one source, be it a document, an interview, or an observation, every piece of information is considered only as part of the whole picture.
Scoping & Context Setting
Before assessment work begins, we establish the organisational context — sector, regulatory environment, asset criticality, known areas of concern, and any prior assessments or incidents. Scoping determines which sites, business units, and functions are included and calibrates the depth of examination in each area.
Documentation & Policy Review
Structured review of the organisation's security policy framework, standards documentation, incident logs, training records, third-party contracts, and any prior audit findings. Documentation review establishes the stated position — which is then tested against operational reality in subsequent stages.
Site Visits & Physical Walkthrough
Direct physical inspection of the security estate — perimeter, access points, control rooms, CCTV infrastructure, and operational areas. Physical walkthrough identifies what documentation cannot: integration failures, informal workarounds, and areas of the estate that have drifted outside the formal security perimeter.
Structured Interviews
Confidential, structured interviews with key personnel across security, operations, HR, IT, and where appropriate, board or executive level. Interviews surface the gap between documented procedure and operational practice — the single most common source of material security exposure in otherwise well-documented organisations.
Technology & Systems Audit
A functional assessment of the organization's security-technology landscape, covering access-control platforms, video-surveillance and analytics, intrusion-detection systems, visitor-management tools, and the broader monitoring infrastructure. The audit examines how comprehensively each solution is deployed, how well the components interoperate, whether the software is current, and whether the systems are delivering the expected performance or showing signs of degradation.
Benchmarking & Maturity Rating
The six assessment dimensions are each measured against a defined maturity model and then benchmarked to recognized references—ISO 31000, international design guidelines, and global best‑practice standards. The resulting maturity scores give a uniform, easy‑to‑communicate basis for setting priorities, allowing leaders to see their relative position at a glance instead of receiving just a list of problems.
What you receive
The baseline assessment concludes with a structured report package designed to be used at every level of the organisation — from the security team to the board.
Baseline Assessment Report
A structured, evidence-based account of the organisation's current security posture across all six dimensions. Findings are presented clearly, with supporting evidence referenced for each conclusion drawn.
Maturity Scorecard
A dimension-by-dimension maturity rating providing a clear, visual representation of current standing — benchmarked against standard frameworks and presented in a format suitable for board and executive reporting.
Gap Analysis & Prioritisation Matrix
A risk-weighted mapping of identified gaps — sequenced by urgency, regulatory relevance, and practical deliverability. The foundation for any subsequent strategy or transformation work.
Prioritised Recommendations
Every gap identified is accompanied by a clear, actionable recommendation — with enough specificity to be directly usable by the team responsible for implementation, without requiring further advisory interpretation.
Executive Summary
A standalone executive summary suitable for board presentation — translating technical findings into governance language, with a clear statement of residual risk and the investment logic for recommended actions.
Recommended Next Steps
Guidance on how the baseline findings connect to subsequent workstreams — whether a TVRA, a transformation programme, or a regulatory submission. The baseline is the starting point; we map clearly to what comes next.
When to commission a baseline assessment
The baseline assessment is the right starting point whenever the organisation needs an honest, independent account of its current security position.
Before commissioning a TVRA
A baseline provides the operational context that makes a TVRA more precise — knowing what vulnerabilities currently exist before layering threat intelligence on top produces a sharper, more actionable risk picture.
At the outset of a transformation programme
Strategic security transformation requires an honest starting point. Without a formal baseline, transformation programmes are built on assumptions about the current state that frequently prove incorrect once implementation begins.
Following a leadership change
New security leadership needs an independent view of what they have inherited before committing to a strategic direction. A baseline provides that view without institutional bias.
In response to regulatory or major client requirements
Where a regulator, insurer, or major client requires evidence of security maturity — a formally conducted, independently delivered baseline provides a credible, structured response that ad hoc self-assessment cannot.
Following acquisition or significant growth
When an organisation has grown through acquisition or rapid expansion, the security posture inherited across new sites is frequently uneven. A baseline establishes what has actually been acquired from a security perspective.
When something feels wrong but the picture is unclear
Sometimes the trigger is simply an internal recognition that the security function is not performing as it should — without a clear view of where or why. A baseline replaces that uncertainty with a structured, evidenced account.
Commission an independent baseline assessment
If your organisation needs a clear, honest, independent account of its current security posture — the baseline assessment is where that clarity begins. The findings will tell you exactly where you stand, and exactly where to focus next.
Initial conversations are obligation-free. We will discuss your organisation's context, the scope of a baseline engagement, and what a realistic timeline looks like.