Before you can begin drawing up plans for a new organizational cybersecurity program, you need to perform a thorough analysis of your organization's technology surface and the effectiveness of current controls. The Business Impact Assessment (BIA) and Risk Assessment have shown you which of your assets are the most critical to business performance, as well as which assets face the largest cyber risks. The intersection of business impact and risk level has left you with a list of assets to prioritize for protection. The final step before you can begin planning the integration and configuration of security controls for these assets is to assess the Current State of security controls for the assets compared to the Desired State that this framework will help you achieve.

The CyberLadder Framework provides you with a checklist of security controls that indicate an organization's level of compliance with the framework. Each of the controls specified is described in Stage 3: Implement. This checklist represents the Desired State of the Gap Analysis for your program, and will serve as the basis for the ongoing Audits mandated as part of Stage 4: Educate & Test. To perform a Gap Analysis, survey and assess your entire digital surface and assign each control a ranking indicating its current level of compliance:

  • 0 ---> The control is non-existent in the organization
  • 1 ---> The control has been implemented in some areas at random, with no central mandate or control
  • 2 ---> The organization has attempted to implement the control organization-wide, but still has no sense of central control over its implementation and use
  • 3 ---> The control has been implemented throughout most of the organization, with central control present and further implementation in progress
  • 4 ---> The control has been fully implemented organization-wide, with centralized monitoring and management present and regular reviews of the control in place

The CyberLadder Compliance Checklist is broken down into eight domains. Each domain has a dedicated batch of controls that fall under it. The domains are:

  • Domain 1: Security Policies & Plans
  • Domain 2: Physical Security
  • Domain 3: Personnel/HR Security
  • Domain 4: Network Security
  • Domain 5: Device & Application Security
  • Domain 6: Identity & Access Management
  • Domain 7: Data Security & Governance
  • Domain 8: Security Operations Management

Assess each control in each domain, assign it a score using the provided scale, then average out the score for each domain. The resulting scores indicate your level of compliance and serve as the Current State assessment for your cybersecurity program. Now that you have the Current State assessment in place, you can compare the results with the asset priorities derived from the BIA and Risk Assessment. From this, you will be able to define a list of controls that need to be implemented. Ensure that you create and save these requirements in a document to be shared with the necessary stakeholders.

Now you can move on to Stage 2: Plan, where you will assemble the necessary institutions to construct a cybersecurity program for your business and enact the controls needed to bring you into compliance.