
When a $3K “cybersecurity gap assessment” reveals you don’t actually have cybersecurity to assess…
A prospect just reached out wanting to pay me $3,000 to assess their ISO 27001 readiness.
Here’s how that conversation went:
Me: “Can you share your security policies and procedures?”
Them: “We don’t have any.”

Me: “How about your latest penetration test, vulnerability scans, or cloud security assessments?”
Them: “Nothing.”

Me: “What about your asset inventory, vendor register, or risk assessments?”
Them: “We haven’t done those.”

Me: “Have you conducted any vendor security due diligence or data privacy reviews?”
Them: “No.”

Me: “Let’s try HR—employee contracts, job descriptions, onboarding/offboarding procedures?”
Them: “It’s all ad hoc. Nothing formal.”
Here’s the problem: You can’t assess what doesn’t exist.
It’s like subscribing to a maintenance plan for an appliance you don’t own yet.
The reality? Many organizations confuse “having IT systems” with “having cybersecurity.” They’re running business-critical operations with zero security foundation—no documentation, no testing, no governance.
What they actually need isn’t an assessment. It’s a security program built from the ground up.
ISO 27001 compliance isn’t a checkbox exercise. It requires:
✓ Documented policies and risk management processes
✓ Regular security testing and validation
✓ Asset and vendor management frameworks
✓ HR security controls and awareness training
If you’re in this situation, here’s my advice: Don’t waste money on assessments. Invest in building foundational security controls first. Then assess.
What’s your take? Have you encountered organizations confusing security assessment with security implementation?
#CyberSecurity #ISO27001 #InfoSec #RiskManagement #ISMS
Get in touch if you want a thorough evaluation of how your environment aligns with ISO 27001 or ISO 42001 requirements.