About this sample: This document represents the output of the thinking. The value is in the conversations that produced it — the site walk, the stakeholder interviews, the engineering judgements made along the way. What you are reading is the record. The work that matters happened before the first page was written.
Client Organisation: ████████████ Ltd
Site / Facility: ████████ Plant, UK
Assessment Type: OT/ICS Gap Assessment
Framework Applied: IEC 62443 / NIST CSF 2.0
Target Maturity Level: IEC 62443 ML-2
Lead Engineer: [Named Engineer]
What This Report Contains

This Gap Assessment Report documents the findings of a structured assessment conducted against the IEC 62443 standard and NIST CSF 2.0 framework. It identifies the precise distance between your current OT/ICS security posture and the target maturity level agreed at engagement scoping.

The report is structured in four sections:

| Section | Title | Contents | Audience |
|---|---|---|---|
| 01 | Executive Summary | Overall maturity score, top 5 findings, immediate actions | Leadership / Board |
| 02 | Assessment Methodology | Scope, framework mapping, assessment approach and limitations | Technical / Management |
| 03 | Detailed Findings | Gap register — all identified gaps with evidence, risk weighting, and operational impact | Technical |
| 04 | Visual Resilience Roadmap | Phased remediation plan — quick wins, 90-day actions, long-term programme | All |
Why phased, and why visual? The Visual Resilience Roadmap is structured in phases because remediation competes with operational schedules — sequencing matters. It is visual because a complex gap closure programme needs to be communicated to stakeholders who are not security specialists. The format is a deliberate design decision, not a presentation choice.
Current State vs Target

Security Management: 1.5 / 3
Asset Management: 0.8 / 3
Access Control: 1.8 / 3
Network Segmentation: 0.7 / 3
Incident Response: 1.4 / 3
Vendor Management: 2.1 / 3
Note: Scores above are illustrative sample values from a representative engagement. Your actual scores will reflect your specific environment, existing controls, and the agreed target maturity level established at scoping. All findings are evidence-based and documented with supporting observations.
Identified Gaps (Extract)

The following is an extract from Section 03 of the full report. The complete gap register contains [N] findings across all assessment domains. Each finding includes the IEC 62443 requirement reference, observed evidence, risk weighting, and a recommended treatment action.

| Gap ID | Domain | Finding | Risk | IEC 62443 Ref |
|---|---|---|---|---|
| GA-003 | Network Architecture | No documented zone and conduit model exists. OT and IT traffic traverse the same network segment without enforced boundary controls. | High | SR 5.1 / ZCR-1 |
| GA-007 | Asset Management | No complete OT asset inventory exists. Passive monitoring during assessment identified 14 devices not present in any documented register. | High | SR 7.8 / AM-2 |
| GA-011 | Access Control | Shared engineering accounts in use across multiple PLCs. No individual accountability for configuration changes. No account review process documented. | Medium | SR 1.1 / AC-3 |
| GA-014 | Patch Management | No formal OT patch management process exists. Three historian servers running OS versions with known unpatched CVEs (CVSS 7.8, 6.5). | High | SR 7.7 / PM-1 |
| GA-019 | Incident Response | Incident response plan does not address OT-specific scenarios. No escalation path defined for process-impacting cyber events. Last tested 2021. | Medium | SR 6.1 / IR-4 |
| GA-022 | Remote Access | Vendor remote access via a single shared VPN credential. No session recording, no time-limited access, no formal approval process. | High | SR 1.3 / RA-2 |
| GA-025 | Security Awareness | No OT-specific security awareness training delivered. Staff awareness assessed as low — 3 of 8 operators unaware of removable media policy. | Low | SR 2.1 / AT-1 |
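Finding GA-007 rests on a reconciliation step: the devices seen by passive monitoring are compared against the documented register, and anything observed but unregistered becomes evidence. The script below is an added illustration of that step, not code from the report or the assessment team. The register CSV and the observed device list are constructed sample data (hypothetical addresses, asset IDs and zone names), and keying on MAC address rather than IP is an assumption made here because IPs on OT networks are frequently reassigned or statically duplicated.

```python
"""Reconcile a documented OT asset register against passively observed devices.

Added example. The register and the observed devices below are constructed
sample data; nothing here is taken from a real site.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed register export (hypothetical CMMS/spreadsheet columns).
DOCUMENTED_REGISTER_CSV = """asset_id,ip,mac,description,zone
PLC-01,10.10.1.11,00:1D:9C:AA:00:01,Line 1 PLC,Cell 1
PLC-02,10.10.1.12,00:1d:9c:aa:00:02,Line 2 PLC,Cell 2
HIST-01,10.10.2.20,00:50:56:bb:00:10,Historian,DMZ
EWS-01,10.10.1.50,00-E0-4C-CC-00-20,Engineering workstation,Cell 1
"""

# Constructed passive-monitoring output (hypothetical SPAN-port observation).
OBSERVED_DEVICES = [
    {"ip": "10.10.1.11", "mac": "00:1d:9c:aa:00:01"},
    {"ip": "10.10.1.12", "mac": "00:1d:9c:aa:00:02"},
    {"ip": "10.10.1.13", "mac": "00:1d:9c:aa:00:03"},  # not in any register
    {"ip": "10.10.1.50", "mac": "00:e0:4c:cc:00:20"},
    {"ip": "10.10.1.77", "mac": "b8:27:eb:dd:00:30"},  # not in any register
    {"ip": "10.10.2.20", "mac": "00:50:56:bb:00:11"},  # historian's IP, different MAC
]


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-E0-4C-..' and '00:e0:4c:..' compare equal."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_register(csv_text: str) -> dict[str, dict]:
    """Index the documented register by normalised MAC; duplicates are a register defect."""
    register: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = normalise_mac(row["mac"])
        if mac in register:
            raise ValueError(f"duplicate MAC in register: {mac}")
        register[mac] = {**row, "mac": mac}
    return register


@dataclass
class Reconciliation:
    undocumented: list[dict] = field(default_factory=list)  # observed, absent from register
    unobserved: list[dict] = field(default_factory=list)    # registered, never seen on the wire
    ip_conflicts: list[tuple[dict, dict]] = field(default_factory=list)  # (observed, register row)


def reconcile(register: dict[str, dict], observed: list[dict]) -> Reconciliation:
    """Compare observed devices with the register and classify every discrepancy."""
    by_ip = {row["ip"]: row for row in register.values()}
    seen: set[str] = set()
    result = Reconciliation()
    for dev in observed:
        dev = {**dev, "mac": normalise_mac(dev["mac"])}
        seen.add(dev["mac"])
        registered = register.get(dev["mac"])
        if registered is None:
            result.undocumented.append(dev)
            # An unknown device using a registered IP is worth calling out separately:
            # it may be a replaced asset nobody recorded, or an address collision.
            if dev["ip"] in by_ip:
                result.ip_conflicts.append((dev, by_ip[dev["ip"]]))
        elif registered["ip"] != dev["ip"]:
            result.ip_conflicts.append((dev, registered))
    for mac, row in register.items():
        if mac not in seen:
            result.unobserved.append(row)
    return result


def summarise(result: Reconciliation) -> list[str]:
    """Evidence lines in the form a gap register entry would cite."""
    lines = [f"{len(result.undocumented)} observed device(s) not present in the documented register:"]
    lines += [f"  {d['ip']}  {d['mac']}" for d in result.undocumented]
    lines.append(f"{len(result.unobserved)} registered asset(s) not observed during monitoring:")
    lines += [f"  {r['asset_id']}  {r['ip']}  {r['mac']}" for r in result.unobserved]
    lines.append(f"{len(result.ip_conflicts)} IP/MAC conflict(s) between observation and register:")
    lines += [f"  {d['ip']}  observed {d['mac']}  registered as {r['asset_id']} ({r['mac']})"
              for d, r in result.ip_conflicts]
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(reconcile(load_register(DOCUMENTED_REGISTER_CSV), OBSERVED_DEVICES))))
```

The three output lists map onto three different follow-ups: undocumented devices need identification and a register entry (or removal), unobserved registered assets may be decommissioned or simply quiet during the capture window, and IP conflicts need a site walk before anything is changed. Passive capture only sees devices that transmit during the window, so an empty "undocumented" list is not proof of a complete inventory.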
Phased Remediation Overview
| Phase | Timeframe | Actions | Effort |
|---|---|---|---|
| Quick Wins | 0 – 30 days | Document asset inventory. Implement individual accounts on PLCs. Remove shared VPN credential. | Low |
| Phase 1 | 30 – 90 days | Design and implement zone/conduit architecture. Deploy OT patch management process. Deliver security awareness training. | Medium |
| Phase 2 | 90 – 180 days | Deploy passive OT network monitoring. Update and exercise incident response plan. Implement vendor access management platform. | High |
| Ongoing | 180+ days | Annual reassessment. Continuous monitoring review. IEC 62443 ML-2 formal certification preparation. | Ongoing |
What this enables: The full Gap Assessment Report is delivered as a branded PDF and editable document. It includes this gap register in full (all domains, all findings), the complete Visual Resilience Roadmap with effort estimates tied to your operational calendar, an executive summary slide deck, and a debrief session with your engineering and leadership teams. A 30-day follow-up review is included in the engagement.