Assess Overview
Getting Started
There is a "chicken and egg" problem at the start of a cybersecurity preparedness initiative:
On one hand, you can't assess your security needs and priorities without a full inventory of your data and assets. On the other hand, that inventory is best organized by starting from the broad vision and categorization of the organization's key components and current status that the Assessment steps produce.
Similarly, your organization might not want to wait to apply some Protect-phase implementations until the whole Assessment and Identification steps are completed, and that's ok.
Your organization will also not want to wait any longer than necessary to Educate your staff, so even though it's listed as the eighth step, it should be introduced as soon as possible.
The takeaway is that it is ok to act on different parts of the Playbook process at different times and in parallel: the whole thing is an ongoing cycle that should be revisited continually.
Overview
The Assess phase is the starting point of the cybersecurity playbook. Its purpose is to help the company understand its real cybersecurity risk before selecting tools, writing policies, or assigning tasks. For an SME, this step is especially important because limited time, budget, and personnel must be focused on the risks that matter most.
A company cannot protect everything equally. The Assess phase helps leadership identify which threats are most relevant, which systems and data create the highest business exposure, which obligations must be met, and which weaknesses should be addressed first. This turns cybersecurity from a vague technical concern into a practical business planning process.
The goal of Assess is not to create fear or produce a long theoretical report. The goal is to build a clear, usable picture of the company’s current risk position. By the end of this section, the company should understand what kinds of attacks are most likely, what current threat trends may affect the business, what legal or contractual requirements apply, which risks are most serious, and where the organization falls short of a reasonable cybersecurity baseline.
This phase should be led by business leadership with support from IT, security staff, outside providers, department heads, and key operational teams. Cybersecurity risk is not only an IT issue. It can affect revenue, operations, customer trust, legal exposure, insurance coverage, and the company’s ability to keep functioning during a disruption.
The Assess phase is divided into five main parts.
1. Understand Common Attack Types
The company first needs to understand the main types of cyberattacks that commonly affect companies like theirs. These include phishing and other social engineering attacks, business email compromise, ransomware, stolen credentials, cloud account compromise, malware, invoice fraud, third-party compromise, and exploitation of unpatched systems.
This step gives executives and staff a realistic view of what they are defending against. Most cyber incidents do not begin with sophisticated movie-style hacking. They usually begin with ordinary weaknesses: a reused password, an exposed system, an unpatched device, a fake invoice, a manipulated employee, or a vendor account that was not properly controlled.
2. Understand the Current Threat Environment
Cybersecurity risks change over time. Attackers adapt their methods, target new technologies, exploit newly discovered vulnerabilities, and take advantage of business trends such as remote work, cloud adoption, AI tools, and outsourced IT services.
This step helps the company understand the current threat environment and how it may affect its own operations. The purpose is not to follow every cybersecurity headline. The purpose is to identify which current threats are relevant to the company’s size, industry, systems, vendors, and data.
3. Gather Compliance and Contractual Requirements
The company must understand the cybersecurity obligations it is already expected to meet. These may come from laws, regulations, customer contracts, vendor agreements, cyber insurance policies, payment processors, industry standards, or data protection requirements.
This step prevents the company from treating cybersecurity as optional. In many cases, the business has already promised customers, insurers, regulators, or partners that certain controls are in place. Those obligations must be identified before the company can accurately assess risk.
4. Conduct a Risk Assessment
The risk assessment is the core activity of the Assess phase. It identifies the most important cyber risks facing the company, estimates their likelihood and business impact, and prioritizes them for action.
A practical SME risk assessment should focus on realistic business scenarios. For example: What happens if email is compromised? What happens if ransomware locks file storage? What happens if a finance employee pays a fraudulent invoice? What happens if customer data is exposed? What happens if the company’s IT provider is compromised?
The output should be a ranked list of risks with clear ownership, recommended treatment, and next steps. If the risk assessment does not lead to decisions and action, it has failed.
5. Measure Current Security Maturity Gap
After identifying risks, the company should compare its current cybersecurity practices against a reasonable target baseline. This shows the gap between where the company is now and where it needs to be.
This maturity review should examine practical areas such as asset inventory, MFA, access control, patching, backups, endpoint protection, email security, vendor management, employee training, logging, incident response, and recovery planning.
The cybersecurity maturity gap analysis aims to identify the most important gaps and create a realistic improvement roadmap.
Expected Outputs from the Assess Phase
At the end of the Assess phase, the company should have:
A clear understanding of the most common attack types that could affect the business.
A summary of current threat trends relevant to the company.
A list of applicable legal, regulatory, contractual, insurance, and customer requirements.
A cybersecurity risk register that ranks the company’s most important risks.
A maturity gap analysis showing which controls are missing, weak, or undocumented.
A prioritized action plan for the next phases of the playbook.
Bird's-Eye View of the Process
As a quick primer, ask and answer the following 10 starter questions to get an idea of the direction of your upcoming comprehensive cybersecurity risk assessment:
What are our most critical business systems?
Example: email, accounting software, CRM, payroll, e-commerce site, file storage, production systems.
What sensitive data do we store, process, or share?
Example: customer records, employee files, financial data, contracts, credentials, intellectual property.
Where is that sensitive data located?
Example: laptops, cloud drives, email inboxes, SaaS platforms, servers, employee personal devices, vendor systems.
Who has access to our most important systems and data?
This should include employees, executives, contractors, IT providers, vendors, and former staff whose accounts may still exist.
Do all critical accounts use multi-factor authentication?
Focus first on email, admin accounts, financial platforms, cloud storage, remote access, and SaaS admin portals.
What cyber incident would hurt us the most?
Examples: ransomware, business email compromise, invoice fraud, customer data leak, website compromise, cloud account takeover.
How quickly could we recover if our systems were locked, deleted, or unavailable?
This tests whether backups, recovery processes, and business continuity plans are real or just assumed.
Are our backups complete, protected, and regularly tested?
The key word is “tested.” A backup that has never been restored is not reliable.
Which third parties have access to our systems, data, or operations?
Include MSPs, SaaS providers, accountants, payment processors, logistics providers, developers, and contractors.
How would an employee report a suspicious email, login, invoice, or device issue?
If the answer is unclear, the company has a detection problem, not just a training problem.
What are the top five cyber events that could stop revenue, expose sensitive data, trigger legal obligations, or damage customer trust — and are we prepared for each one?
Objective
The Assess phase answers a simple but critical question: “What are we actually at risk from, and what should we fix first?”
Without this step, companies often waste time on the wrong problems. They buy tools before understanding their exposure. They write policies nobody follows. They assume backups work without testing them. They believe outsourced IT means outsourced accountability. They train employees on generic threats while ignoring the fraud, access, cloud, and recovery risks that could actually damage the business.
The Assess phase creates the foundation for the rest of the cybersecurity playbook. It makes the Identify, Protect, Detect, Respond, Recover, Review, and Educate phases more focused, more realistic, and more useful.