30 Business Days · Framework-Agnostic · Risk-Driven

Most organizations don't know where their security risk actually lives. This finds it.

The ISERA isn't an audit. It isn't a pen test. It's the diagnosis that happens before you can prescribe anything — and before an auditor finds the gap your team didn't know existed.

Why most risk assessments fail — and what we do instead

Most security assessments produce a report. The ISERA produces a program. Here's the difference.

The standard approach

Template-driven

Most assessments start with a framework checklist and measure you against it. The result is a gap list relative to a standard, not a picture of your actual risk.

The ISERA approach

Environment-driven

The ISERA starts with your actual environment: your systems, your team, your data flows, your AI tools. The framework comes later, to make your findings portable.

The standard approach

Findings dump

A 200-page report with 47 findings ranked by severity tells you what's wrong. It doesn't tell you what to fix first, what it will cost you if you don't, or in what order a rational team should address it.

The ISERA approach

Prioritized roadmap

A sequenced action plan ranked by business risk — not technical severity. What moves your actual risk profile. What to do first, second, and what to defer.

The standard approach

Assessment as verdict

Most assessments position the assessor as the judge and the organization as the defendant. The result is defensiveness, incomplete disclosure, and a report that captures the official story.

The ISERA approach

Assessment as diagnosis

Steve's methodology starts with the people. Internal trust before external trust. When the team trusts the assessor, they bring forward the problems they've been quietly aware of. Real findings surface. Real gaps close.

The standard approach

No follow-through

The assessment ends. The report gets filed. Six months later, the findings are still open because no one built the execution plan.

The ISERA approach

A program, not a report

The ISERA ends with a working document your team can actually execute: prioritized backlog, Jira-ready epics, vendor selection guidance, board-ready summary.

What the ISERA examines

Nine assessment areas. Every one tied to business risk, not a compliance checkbox.

Assessment Area | What We Examine | Output
Business context | Critical services, data assets, regulatory obligations, board-level risk appetite | Risk appetite baseline
People and process | Who owns what, how decisions get made, where accountability gaps live | Accountability map
Identity and access | Who has access to what, privilege accumulation, service account hygiene | Identity risk findings
Infrastructure and configuration | Cloud architecture, patch posture, configuration drift, network segmentation | Infrastructure risk register
Data flows and handling | Where sensitive data lives, how it moves, where it pools, who touches it | Data flow map
Third-party and vendor risk | Open-source dependencies, SaaS integrations, contractor access | Third-party risk profile
AI systems and tools | What AI is deployed, what it can access, how it's governed, what evidence it produces | AI risk findings
Monitoring and telemetry | What you can see, what you're missing, alert coverage, incident detection | Visibility gap analysis
Governance and documentation | Policies, evidence packages, board reporting, compliance readiness | Governance gap summary

Four deliverables. Zero filler.

Every ISERA produces the same four outputs. Each one is specific to your organization, written in plain language, and usable the day you receive it.

Risk Register

Every risk your organization actually carries, in plain language, with business impact described in terms your board understands — not technical severity scores.

Perception Gap Analysis

Where your leadership team and your technical team see risk differently. Always revealing. Always actionable. The gap between what management thinks is covered and what's actually covered is where breaches live.

Prioritized Remediation Roadmap

A sequenced action plan. Not 47 equal findings. A ranked backlog with Jira-ready epics, estimated effort, vendor selection guidance, and sequencing logic that a team can actually execute.

Board-Ready Reporting

One shared language for technical and executive leadership. A summary your board can govern with, your CISO can present, and your prospects can accept as evidence of a mature program.

Framework-agnostic. Certification-ready.

The ISERA satisfies the risk assessment requirements of every major framework — simultaneously. One engagement, multiple compliance destinations. The framework you're targeting determines what we emphasize; the underlying assessment work is the same.

SOC 2

Trust Services Criteria

Satisfies CC3.1 and CC3.2 (risk assessment requirements). The ISERA output gives your auditor the evidence package they're looking for.

ISO 27001:2022

ISMS Risk Assessment

Satisfies Clause 6.1 (risk assessment and treatment). Produces the risk register your ISMS requires.

NIST CSF 2.0

Govern & Identify Functions

Covers the Govern and Identify functions comprehensively — the two foundational functions that precede everything else in the CSF.

HIPAA Security Rule

Risk Analysis Requirement

Satisfies §164.308(a)(1) — the required security management process and risk analysis that every covered entity and business associate must maintain.

CMMC 2.0

RA Domain

Addresses Risk Assessment (RA) domain requirements at Level 2. Provides the documented risk assessment your assessor will look for.

NIST SSDF

Respond Function

Maps to the Respond function for software-producing organizations. Particularly relevant for dev teams adopting AI coding tools.

30 business days. Here's what happens.

Every ISERA follows the same four-phase structure. No surprise requests. No scope creep. You know exactly where we are and what comes next.

Phase 1 (Days 1–5): Intake and Scoping

We establish your environment, your key stakeholders, your existing documentation, and the business context that makes risk meaningful. No guessing, no assumptions — we start with what's real.

Phase 2 (Days 6–15): Workshops and Discovery

Structured sessions with both business decision-makers and technical operators. This is where the perception gap surfaces. We go where the evidence actually lives — not just where it's been documented.

Phase 3 (Days 16–25): Analysis and Synthesis

We build your risk register, map your evidence package, and develop the prioritized roadmap. The findings aren't generic — they're drawn from what we actually observed in your environment.

Phase 4 (Days 26–30): Readout and Handoff

Executive readout. Board-ready summary. Technical team walkthrough. You leave with a working document, not a PDF that gets filed. The handoff is a program, not a report.

Questions we get before every engagement

What's the difference between ISERA and a compliance audit?

A compliance audit measures your controls against a standard and produces a report card. The ISERA diagnoses your actual risk environment and tells you where to invest. The ISERA often precedes an audit — and consistently produces better audit outcomes because the organization understands its own gaps before the auditor finds them. Many clients use ISERA findings to build the evidence package that makes the audit straightforward.

Do you need ISERA if you already have a security team?

Often, yes — for two reasons. First, internal teams develop blind spots. The perception gap between what security leadership believes is true and what the technical team knows to be true is one of the most consistent findings in every ISERA. An outside practitioner surfaces it; internal teams generally can't. Second, the ISERA produces documentation that internal teams frequently don't have time to create: a current risk register in business language, a perception gap analysis, and a board-ready summary.

How is this different from a vulnerability scan or pen test?

A vulnerability scan finds known CVEs in your running systems. A pen test finds exploitable paths an attacker could take. The ISERA examines the governance, process, and evidence architecture of your security program. All three are complementary. The ISERA frequently identifies where a pen test would be most valuable — and we'll recommend one as part of your roadmap if it's warranted.

We're not pursuing any certification. Is ISERA still relevant?

Yes. The ISERA's primary output is a picture of your actual risk — not your compliance posture. Many clients engage us specifically because they need to know where they're exposed before any certification decision. The roadmap we produce is equally useful for a company with no compliance requirements and for one pursuing SOC 2 simultaneously.

What size organization is ISERA designed for?

The ISERA scales to your environment. We've run it for 15-person startups and 500-person enterprises. The scope adapts — a startup assessment is scoped to the systems and processes that actually exist; an enterprise assessment goes broader. In both cases, the output is calibrated to the organization's real risk profile, not a one-size-fits-all checklist.

What does Steve's involvement look like?

Steve leads every ISERA personally. No junior associates handed the engagement after the sales call. He runs the workshops, synthesizes the findings, and delivers the readout. When you engage Aletheia, you're engaging Steve — 30 years of experience, in the room, with your team.

The diagnosis your security program hasn't had.

30 business days. A complete picture of where you stand. A roadmap your board can govern with. No tools sold. No findings list. A real assessment by a practitioner who's run programs through four M&As, a DOJ Consent Decree, and a global pandemic — and never dropped a certification.

Request a Scoping Conversation, or email directly: sweltman@aletheiasecurity.com