Core to the assessment process are the business and technical workshops. These workshops are not an audit; they are intended to be collaborative and educational. They are used to gain insight into upcoming projects and current pain points, and to educate the teams on security technologies and concepts.
The business workshop typically takes two (2) hours, in one or two sessions. Its goal is to understand how your business and IT needs and direction align, your processes and procedures (including how effective they are), risk management, organizational structure, staffing, and budget, and to brainstorm a roadmap. Stakeholders typically involved in this workshop include IT directors and executives such as the CIO, CISO, and CFO.
The technical workshop is interactive and typically takes six (6) hours spread over several days. It works through 130 safeguards of the 18 CIS Controls (version 8; 130 is the cumulative safeguard count for Implementation Groups 1 and 2) and is used to provide context on gaps in business and technical processes, as well as on vulnerabilities the organization is exposed to. These sessions typically involve staff from the security and infrastructure teams. Participation from both technical and management resources is important in order to understand how the IT and security teams interact with the business.