Industry: Finance & Banking

Building a Unified Cybersecurity Framework for a Leading MENA Bank

Services Provided:
Cybersecurity Controls, Framework Development & Maturity Assessment

Problem / Challenge

The bank operated multiple security control sets maintained over several years, resulting in fragmented governance and inconsistent implementation across business units. Existing policies were not fully aligned to modern frameworks such as NIST CSF or CIS v7, and there was no single view of security maturity. Leadership required a unified cybersecurity controls framework, a measurable maturity baseline, and clear visibility into control effectiveness, incident preparedness, and operational risks.

Our Solution

1. Framework Consolidation & Mapping
We performed a full control-mapping exercise consolidating the bank’s existing policies, standards, and procedures into a unified structure aligned with:
– NIST CSF (Identify, Protect, Detect, Respond, Recover)
– CIS Controls v7
– NIST CSWP role-based responsibilities

2. Maturity Assessment & Evidence Review
Using a structured assessment model, we evaluated implemented controls, operating procedures, awareness programs, incident records, and governance artefacts to determine maturity levels across all NIST CSF domains.

3. Gap Analysis & Risk Prioritization
We documented gaps between current controls and leading frameworks, highlighting deficiencies in governance, asset inventory, logging practices, incident response readiness, vendor oversight, and workforce roles & responsibilities.

4. Unified Cybersecurity Controls Framework
A consolidated controls framework was developed, mapping all bank obligations to CIS v7 and NIST CSF, enabling standardized implementation and eliminating overlaps between legacy control sets.

5. Executive Reporting & Roadmap
We produced an actionable remediation roadmap with short-term and long-term initiatives, sequenced by risk, cost, and operational impact.

Improved Control Coverage

Unified and standardized 180+ security controls across departments by aligning them to NIST CSF and CIS v7.

Measurable Maturity Baseline Established

Provided a clear, repeatable maturity scoring model that enabled management to track improvements year-over-year.

Reduced Redundancy in Policies & Control Sets

Streamlined overlapping legacy documents into one cohesive framework, reducing duplication by more than 40%.
