Picture buying an older home. Before you go to settlement, you hire a professional contractor to perform a home inspection. You expect the inspector to know the local building regulations and codes (proper layout, electrical wiring codes, and so on) and to understand what keeps a home in good working order: a watertight roof, working appliances, door locks, and the like. The inspector may even obtain a copy of the building plans and compare them to the current layout to see whether previous owners have made modifications or additions. In the end, the inspector hands you a list of issues that need to be addressed. With older homes there are always some problems: codes and regulations change over time, foundations settle, water heaters break. It is then up to you and the inspector to decide which issues are “showstoppers” that must be fixed before settlement, and which can wait until afterward.

There is an analogous process in cybersecurity. We inspect, or “assess”, two things against the requirements of whichever cybersecurity framework the organization must meet: the organization’s System Security Plan (SSP), which serves as the blueprints, and the current state of implementation, meaning how the cybersecurity program is actually built and running. This is what is known as a cybersecurity controls assessment. Most of us are not building an IT system from scratch to process important information; we are trying to bring an older, legacy IT system into compliance. Hence the “older home” analogy. Just as with the house, there are always gaps among three things: the SSP, the actual implementation of that plan, and the requirements themselves. The assessment’s job is to find those gaps and then, as with the inspection report, to decide which are showstoppers for compliance and which can be tracked and fixed afterward.