Quick Summary
We delivered a structured security control assessment capability that gives organisations a comprehensive, auditable view of every control in their security environment. Built on a pre-seeded control library drawn from frameworks including ISO 27001 and NIST, and extended through AI-assisted recommendations, the solution maps controls directly to assets and evaluates their effectiveness through a scored assessment process that feeds into the platform's broader risk calculations.
- Faster control coverage visibility: Pre-defined control lists and AI suggestions reduce the time and effort required to establish a complete control inventory, giving security teams an actionable starting point rather than a blank register.
- Stronger, evidence-backed compliance posture: Control effectiveness scores, asset mappings, and logged assessment data give organisations the structured evidence base they need to demonstrate compliance readiness and identify gaps before they become audit findings.
Industry
Cybersecurity/SaaS
Geography
UK
Core Technologies Used
Frontend & Backend
- React
- Python
LLM Model
- OpenAI models: GPT-4 class / GPT-4o, GPT-5 class [for reasoning]
Embedding Model
- OpenAI Text Embedding 3 Small [for RAG & semantic search]
NLP Preprocessing
- spaCy en_core_web_lg [for entity extraction]
Agentic Framework
- LangGraph
Client Profile
The client is a cybersecurity product company building a compliance platform for SMEs and enterprises operating across regulated environments. The platform is designed to consolidate the core pillars of a security programme, covering asset management, risk assessment, policy compliance, staff awareness, and incident response, into a single governed product experience. We engaged as the product engineering partner responsible for designing, building, and delivering the platform from the ground up. The Current Control Assessment capability was built as a direct extension of the Asset Inventory foundation, linking the organisation's asset landscape to the controls that protect it.
Challenges
- No centralised control register: Most organisations had security controls in place across technical, administrative, and physical domains, but no single system capturing what those controls were, how they were categorised, or which assets they protected.
- Manual and inconsistent setup: Building a control inventory from scratch required significant manual effort, and without reference to established frameworks, the resulting lists were often incomplete, inconsistently categorised, and difficult to maintain.
- Weak linkage between controls and assets: Security teams struggled to demonstrate which controls applied to which assets, creating blind spots in coverage and making it difficult to assess whether critical assets were adequately protected.
- No structured effectiveness evaluation: Control assessments were carried out informally or not at all. Without a defined scoring methodology, it was impossible to quantify how well a control was performing or to feed that assessment into broader risk calculations.
- Reactive rather than proactive control management: Without visibility into control performance over time, organisations had no basis for anticipating which controls were likely to degrade or fail, leaving them dependent on reactive responses to identified gaps.
- Compliance evidence gaps: Auditors require organisations to demonstrate not just that controls exist, but that their effectiveness has been assessed and logged. Manual processes rarely produced the structured evidence trail that frameworks such as ISO 27001 and NIST demand.
Solution
We designed and built a control assessment capability that moves organisations from an informal awareness of their security controls to a structured, scored, and auditable understanding of what those controls cover and how well they are working.
The solution is built around three interconnected capabilities: a comprehensive control inventory seeded from established frameworks, a control mapping layer that links each control to the assets it protects, and an effectiveness evaluation process that scores controls on a defined scale and logs those scores for use in risk calculations.
- Pre-seeded control library drawn from established frameworks including ISO 27001 and NIST, providing organisations with a structured starting point rather than a blank inventory
- AI-assisted control recommendations that suggest additional controls relevant to the organisation's specific assets and identified threats, surfaced through an AI assistant within the platform
- Control categorisation by type covering technical, administrative, and physical controls for clarity and consistent classification across the inventory
- Control mapping that associates each control to specific assets or asset groups it protects, creating a direct and auditable linkage between the asset register and the control environment
- Control effectiveness evaluation allowing compliance officers and security teams to assess each control across implementation completeness, operational effectiveness, and asset or threat coverage
- Scored effectiveness model using a defined 0 to 100 percent scale, where each control receives a logged effectiveness score used directly in the platform's risk calculations
- AI-based gap analysis that identifies where control coverage is weak or absent and recommends new controls or improvements based on assessed gaps
- Predictive control monitoring capability using AI to analyse control assessment data over time and identify controls likely to degrade or require reinforcement before failure occurs
Technical Highlights
- Framework-seeded control library: The platform is pre-populated with standard controls drawn from ISO 27001, NIST, and equivalent frameworks, reducing setup time and ensuring the inventory reflects recognised industry baselines from the outset.
- AI control recommendation engine: An AI assistant analyses the organisation's asset inventory and identified threats to recommend controls that are relevant to the specific environment, moving beyond generic lists to context-aware suggestions.
- Asset-to-control mapping layer: Each control is linked directly to the assets or asset groups it protects, creating a traceable coverage map that makes gaps visible and supports both operational decision-making and audit evidence production.
- Structured effectiveness scoring: Control assessments are conducted against defined criteria and recorded on a 0 to 100 percent effectiveness scale, producing consistent, comparable scores that feed into the platform's risk calculation engine.
- Predictive control analytics: AI analysis of control assessment data over time identifies patterns that indicate controls are likely to weaken or fail, enabling proactive reinforcement before gaps materialise into risk exposures.
- Audit-ready evidence logging: Every effectiveness assessment is logged within the platform, providing a structured, timestamped evidence trail that supports compliance reviews without requiring retrospective reconstruction of records.
- Integrated risk calculation input: Control effectiveness scores are connected directly to the platform's risk scoring framework, ensuring that the strength or weakness of each control is reflected accurately in the organisation's overall risk position.
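As an added illustration, not the client's code, of the data model the Solution and Technical Highlights describe: controls typed and mapped to assets, each assessed on the three named criteria on a 0 to 100 scale, every assessment logged with a timestamp, unmapped assets and weak controls surfaced as gaps, and the score handed to a risk calculation. The combined score being the plain mean of the three criteria and the residual-risk formula are assumptions; all control ids, asset names and values are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Control:
    control_id: str
    name: str
    control_type: str                 # "technical", "administrative" or "physical"
    assets: set = field(default_factory=set)  # ids of the assets this control protects

@dataclass
class Assessment:
    control_id: str
    implementation: int               # implementation completeness, 0-100
    operation: int                    # operational effectiveness, 0-100
    coverage: int                     # asset / threat coverage, 0-100
    score: int                        # combined effectiveness, 0-100
    assessed_at: str                  # UTC timestamp: the audit evidence trail

def assess(control, implementation, operation, coverage, log):
    """Score one control on the three criteria and append a timestamped log entry.
    Assumption: the combined score is the mean of the three criteria."""
    for value in (implementation, operation, coverage):
        if not 0 <= value <= 100:
            raise ValueError("each criterion is scored on a 0-100 scale")
    score = round((implementation + operation + coverage) / 3)
    log.append(Assessment(control.control_id, implementation, operation, coverage,
                          score, datetime.now(timezone.utc).isoformat()))
    return score

def latest_scores(log):
    """Most recent logged score per control; the log is append-only, so last wins."""
    return {entry.control_id: entry.score for entry in log}

def coverage_gaps(assets, controls, log, threshold=50):
    """Assets with no mapped control, plus controls never assessed or scoring below threshold."""
    scores = latest_scores(log)
    mapped = {asset for control in controls for asset in control.assets}
    unmapped = sorted(set(assets) - mapped)
    weak = sorted(c.control_id for c in controls if scores.get(c.control_id, 0) < threshold)
    return unmapped, weak

def residual_risk(inherent_risk, effectiveness):
    """Assumed risk-engine input: control effectiveness reduces inherent risk proportionally."""
    return round(inherent_risk * (1 - effectiveness / 100), 2)

# Constructed sample data: three assets, two seeded controls, one asset left unmapped.
ASSETS = ["srv-db-01", "laptop-fleet", "hr-records"]
CONTROLS = [
    Control("CTL-01", "Encryption of data at rest", "technical", {"srv-db-01"}),
    Control("CTL-02", "Access control policy", "administrative", {"srv-db-01", "laptop-fleet"}),
]
LOG = []
assess(CONTROLS[0], 90, 60, 75, LOG)  # -> 75
assess(CONTROLS[1], 40, 20, 30, LOG)  # -> 30
```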
Impact
- Faster inventory establishment: Pre-seeded framework controls and AI recommendations give security teams a structured, relevant starting point, significantly reducing the time required to build a complete and categorised control inventory.
- Clear coverage visibility: Control mapping to assets makes it immediately apparent which assets are covered, which are not, and where control gaps present the greatest exposure, enabling targeted remediation rather than broad guesswork.
- Quantified control performance: A scored effectiveness model replaces informal assessments with consistent, logged evaluations that give security teams a reliable picture of how well each control is performing against its intended purpose.
- Proactive gap management: AI-driven gap analysis and predictive monitoring shift control management from a reactive posture to an anticipatory one, allowing organisations to address weaknesses before they translate into audit findings or security incidents.
- Stronger compliance evidence: Logged assessment scores, asset mappings, and framework-aligned control records give organisations the structured evidence base that auditors require, reducing the effort involved in demonstrating compliance readiness.
- More accurate risk calculations: Because control effectiveness scores feed directly into the platform's risk engine, the organisation's risk position reflects the actual state of its controls rather than assumptions, producing assessments that decision-makers can act on with confidence.
