Governance. Risk. Compliance. Cybersecurity.
MAST Consulting Group - Governance, Risk, Compliance and Cybersecurity Logo
Timeline

Timeline — Cybersecurity Advisory & Assurance

A realistic week-by-week view of how Cybersecurity Advisory & Assurance runs. Timelines compress for smaller scopes and extend for multi-entity or multi-site programmes; this baseline assumes a mid-size enterprise.

  • ISO/IEC 27001 Certified
  • ISO/IEC 27701 Certified
  • ISO 9001 Certified

Delivered by an ISO/IEC 27001, 27701 & 9001 certified organisation

Week-by-week plan

WeekPhaseKey activitiesOutput
Weeks 1–3AssessMaturity assessment against NIST CSF 2.0 and CIS Controls.Signed-off assess pack and gate review
Weeks 4–6Strategy3-year roadmap with quantified business cases.Signed-off strategy pack and gate review
Weeks 7–9TestPenetration testing, red team, social engineering.Signed-off test pack and gate review
Weeks 10–12OperatevCISO, SOC, threat intel, incident response retainer.Signed-off operate pack and gate review
12-week delivery plan

Gantt-style timeline titled "12-week delivery plan" over 12 Weeks with 4 phases: Assess from Week 1 to 3; Strategy from Week 4 to 6; Test from Week 7 to 9; Operate from Week 10 to 12.

Assess
Signed-off assess pack and gate review
Strategy
Signed-off strategy pack and gate review
Test
Signed-off test pack and gate review
Operate
Signed-off operate pack and gate review

What accelerates the timeline

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.
Conditions that compress delivery

Checklist titled "Conditions that compress delivery" with 4 items, every item marked complete: Executive sponsor engaged from day one with weekly steering attendance.; Existing asset inventory, network diagrams and HR org chart available.; GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).; Workforce available for awareness training within the engagement window..

  • Executive sponsor engaged from day one with weekly steering attendance.
  • Existing asset inventory, network diagrams and HR org chart available.
  • GRC tooling already deployed or selected (Vanta, Drata, Archer, ServiceNow).
  • Workforce available for awareness training within the engagement window.

What typically extends it

  • Multiple legal entities, brands or geographies in scope.
  • Significant cloud migration running in parallel.
  • Open audit findings or regulator enforcement requiring remediation first.
  • Mergers, divestitures or system replacements mid-engagement.
Next: Pricing & Engagement