Gap Assessments

We offer a host of different gap assessments and cybersecurity services for your organization.  Our goal is to help you prepare for an official audit from an authorized Certified 3rd Party Audit Organization (C3PAO).  Security practitioners who help an organization prepare for a future audit are excluded from performing that audit or serving on the audit team.  That is why we want to find the gaps in your program ahead of time.  If H2Cyber finds a control not in place, the impact is negligible, as we are there to help you uncover potential discrepancies.  If a C3PAO finds a control not in place or not meeting the control objective, it is officially recorded on the audit report.

CMMC / NIST 800-171

CMMC is designed for Government contractors (prime and subs) to protect Controlled Unclassified Information (CUI).  There are currently three levels across 17 domains.

We can also help you complete your Contractor Self-Assessment scoring template against NIST 800-171 for upload into the SPRS system.  Remember that it is critical to have a System Security Plan (SSP) when uploading your score.  Without an SSP, your score is incomplete.

NIST CSF

The NIST Cybersecurity Framework (CSF) is designed as a voluntary framework to help organizations operating within one of the 16 areas of critical infrastructure (e.g., financial services, critical manufacturing, etc.).

This framework is gaining traction around the world based on its core functions: Identify, Protect, Detect, Respond and Recover.  There are 23 control areas consisting of 171 controls.

ISO 27001

ISO 27001 is an international standard designed to protect organizational information as well as systems by focusing on how to manage information security.

Used by both small and large organizations, ISO 27001 has 14 control areas consisting of 114 controls.

PCI

PCI is designed to protect cardholder (credit card) data.  Anyone that stores, processes, or transmits credit card data is required to be PCI compliant.  As a merchant handling credit cards, you fall into one of four levels.  The levels are based on the number of transactions you perform.

Regardless of merchant level, everyone has to adhere to the same 12 requirements consisting of 251 controls.  The only difference between a small mom-and-pop shop and a large business is the level to which you have to attest.

CIS v8

The Center for Information Security (CIS) publishes the Critical Security Controls (CSC), previously known as the SANS Top 20.  It is a general-purpose framework of cybersecurity best practices built by CIS.

CIS v8 consists of 18 control areas consisting of 153 controls.  The 18 control areas are high-priority items, regardless of company size or maturity, intended to help reduce the risk of a cyber-attack.

SOC 2

SOC 2 is designed for service organizations that store client information.  There are two types of SOC 2 audits, Type 1 and Type 2, both of which consist of several Trusted Service Criteria (TSC) areas such as Security, Availability, Process Integrity, Confidentiality, and Privacy.

Security is the only mandatory trust criterion for obtaining a SOC 2.  The business can choose to add additional areas in scope, but it is not required.  An official SOC 2 can only be issued by a CPA firm authorized via the AICPA.

HIPAA

HIPAA is composed of different legislation to protect health information within the healthcare ecosystem.  There are two types of organizations regulated by HIPAA: Covered Entities (e.g., physicians, nursing homes, insurance companies, etc.) and Business Associates (e.g., lawyers, IT consultants, accountants, etc.), which can be any third-party service that creates, receives, maintains, or transmits protected health information.

There are two sets of requirements: those for security, which consist of 6 control areas, and those for privacy, which consist of 13 control areas.

23 NYCRR 500

Also known as NYDFS, 23 NYCRR 500 is designed for those licensed through the State of New York’s Department of Financial Services (e.g., Financial Advisors, Broker-Dealers, RIAs, Banks, Insurance Companies, etc.).  There are a total of 16 control areas consisting of 45 controls.

We can help determine whether you qualify for an exemption and file your annual attestation.  It is important to note that even if you have an exemption, it only relieves you of some of the controls, not all of them.

SEC / OCIE

Designed to protect investors and ensure market integrity, the Office of Compliance and Inspection (OCIE) oversees those operating within financial services (e.g., Investment Advisors, Broker-Dealers, etc.).  There are a total of 6 control areas consisting of 34 controls.

In addition to the requirements from the SEC, you likely also have requirements from FINRA.  We are familiar with the FINRA exam process and have participated in several cybersecurity sweeps and examinations.

vCISO Service

Many organizations find it extremely difficult to compete for cybersecurity talent, let alone fund the compensation package for a full-time Chief Information Security Officer (CISO).  A full-time CISO with previous experience typically costs between $380k and $420k.

This is why vCISO services are becoming more popular.  A vCISO is a highly qualified, on-demand security practitioner who has built and managed a cybersecurity program within an organization while holding an executive-level position.  These are seasoned individuals who know people, process, and technology and can navigate the increasing number of cybersecurity regulations.

Regardless of your size, we have the right cybersecurity services for your organization.

Flexible Hours

Allocate a bucket of hours on a monthly basis based on the needs of your business.

Seasoned Expert

Manage and/or mentor staff performing Information Security or compliance functions.

Incident Response Assistance

Someone in your corner to guide you through the process of an incident and what to expect.

Exam Support

Speak on behalf of your cybersecurity posture to regulatory bodies.

Questionnaire Support

Respond to vendor and partner questionnaires related to the state of cybersecurity for your business.

Executive Representation

Augment your existing leadership team with someone who is able to communicate cybersecurity risks.

Device Monitoring Service

Our device monitoring service is designed for start-ups and small businesses that don’t have the resources to hire full-time IT staff or the time to set up a centralized approach to managing their devices, and, most importantly, to ensure those devices are monitored 24 hours a day, 7 days a week.

If you are a mid-sized company looking for something similar, reach out to H2Cyber, as we have partners that handle our larger customers.

AI Based Anti-virus

Powered by Cylance Protect’s artificial intelligence engine, designed for malware prevention, memory protection, script control and device (USB) control.

Endpoint Detection & Response (EDR)

Coupled with Cylance Protect, Cylance Optics delivers the ability to proactively detect threats and automate response, minimizing your attack surface.

Patch Management

Powered by Syxsense Manage, your devices will be continuously monitored to ensure they have the most recent security patches released by the vendor.

Vulnerability Scanning

Powered by Syxsense Secure, your devices will be regularly scanned to identify weaknesses in their configuration.

Security Operations Center

H2Cyber and Solutions Granted staff monitor your devices around the clock (24×7) to alert on critical items identified via Cylance and correlated within the aiSIEM.

Monthly Status Reports

Each month you will be provided a report on the health of your devices under management as it relates to both the Cylance and Syxsense products.