Services Overview

At Citadel we offer several different services that build upon one another to achieve the enhancement or creation of your Information Security Management System (ISMS) program. We tailor and scope each service to address the client's current security program maturity level. We strive to ensure peace of mind when contemplating business risk and cyber security practices.


Risk Assessment.jpg

Risk Assessment

Risk assessments are the key starting point to help you understand where the gaps may be in your environment with regard to security controls. By using a standard approach to assessing risk Citadel can help you understand which controls to put in place to improve your security stance and enhance your Information Security Management System (ISMS) program.

We use a standard risk assessment in either an asset or scenario based risk approach and will use qualitative and quantitative methods to determine the severity of the risk. The risks will be scored in line with your risk appetite and will be cataloged and memorialize for auditing purposes.

This approach will demonstrate your understanding and acceptance of information security to any auditors that review your environment.

The risk assessment also gives you a go forward strategy to continually monitor your environment for new risks that emerge either from changes in your environment or changes in the market place in general.


Security Policy evaluations help firms assess their stance and adherence to ISO, NIST, or other standards such as COBIT, ITIL, or PCI. No one policy stance fits all firms, thus a full evaluation of the existing policy set can help evolve the Information Security Management System (ISMS).

We use will the existing policy set as a baseline and review the policies in accordance with the clients stated standards goals. We will make recommendations for improvements based on any discovered gaps in the policy set.

This approach, in conjunction with a defined risk management program, can help mature an established ISMS. Due to the continually changing nature of the security landscape, policy reviews should be conducted annually at a minimum. However, policy reviews can occur at any cycle of the ISMS program as internal or external changes dictate.




From NIST – “The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.” 

The framework provides a launching point to establish core security principles following the NIST standards. The framework core centers around the concepts of Identify, Protect, Detect, Respond, and Recover.

Firms can progress through tiers of implementations thus reducing upfront costs by methodically adopting best practices in a manner that does not overwhelm their current operations. Citadel can guide clients through the NIST matrix of controls once a current analysis of the environment is complete. This assessment type is most suited for those that have no or rudimentary security program in place.


The ISO 27001 standard differs from NIST standards primarily as a means towards demonstrable certification through a certified 3rd party. The standard is warranted for those firms who wish to have a rigorous 3rd party validation of their security standards.

The standard is implemented in the same fashion as the NIST framework with a large focus on Risk Management as the driving force of the analysis.

Citadel helps clients in the Pre-Certification stage of the effort by ensuring the clauses, risk management, statement of applicability, and controls are in place and being practiced prior to a first audit attempt.

To do this we use the Deming model of Plan->Do->Check->Act in each phase of the precertification process to ensure that clients are sufficiently prepared for their audit.




One of the most challenging aspects of any ISMS program is the proactive management of 3rd party vendors. Vendors, like your internal employees, pose a significant challenge in terms of risk mitigation. Both the ISO and NIST standards address the issue of 3rd Party / Vendor / Supplier Management.

Citadel can help address these issues by acting as the independent 3rd party risk assessor of your suppliers. We can use predetermined templates to evaluate suppliers, conduct remote or onsite audits, and report findings back into your existing Information Security Management System (ISMS) program. This cost-effective approach goes beyond simple supplier document responses and forces suppliers to demonstrate commitment to their own ISMS program.

This type of approach can greatly strengthen your supplier management effort and further demonstrate your commitment to sound cyber security practices.


Citadel can provide on demand services for clients to act in a senior advisor role which would include:

  • Support on company lead security audits (Internal)
  • Real time consultation for operational staff
  • Consultation with 3rd party vendor auditing and tracking
  • Support on security incidents and guidance through remediation and return to normal operations
  • Support on company audits (External)
  • Annual Citadel lead security audit

Citadel can provide needed representation onsite or remotely to assist in the management of the security environment to supplement operational staff. As a client that engages Citadel on the creation, maintenance, or evaluation of their Information Security Management System (ISMS) program, this service is significantly discounted as our goal is to ensure minimal disruption to your environment while demonstrating superior commitment to cyber security practices.