HomeServicesGap Assessment

OT / ICS Gap Assessment

We look beyond the surface to find the quiet spaces where your defences are thin. Our Visual Resilience Roadmap turns complex audit data into a clear, step-by-step recovery path — not just another checklist.

Book a ConsultationAll Services

What Is an OT/ICS Gap Assessment?

A gap assessment compares your current security posture against a recognised standard — IEC 62443, NIST CSF 2.0, or NIS2 — and identifies precisely where the gaps are. In OT environments this means examining not just technology, but the policies, procedures, people, and physical controls that together determine whether your industrial processes are adequately protected.

Unlike a vulnerability assessment, a gap assessment does not require active scanning. It is a structured interview, observation, and documentation review process that produces a clear picture of where you stand and what needs to change — prioritised by operational risk, not theoretical severity.

What We Consistently Find

In every OT environment we assess, the pattern is the same: compliance frameworks have been satisfied on paper while the controls that actually matter have been deferred, misapplied, or never implemented at all. Architectural deficits, process and policy mismatches, and legacy systems that cannot be patched are not market problems — they are what we find, engagement after engagement, across sectors.

What We Assess

  • Network architecture and zone/conduit model (IEC 62443-3-2)
  • Asset inventory completeness and classification
  • Access control policies — logical and physical
  • Patch and vulnerability management processes for OT assets
  • Incident detection and response capability
  • Vendor and remote access governance
  • Security awareness and training maturity
  • Supply chain and third-party risk controls
  • Business continuity and disaster recovery for OT systems

Our 3-Phase Assessment Methodology

01
Scoping & Documentation Review
Define the assessment boundary and target frameworks. Review existing policies, network diagrams, asset registers, and previous audit outputs.
02
On-Site Interviews & Observation
Structured interviews with engineering, operations, IT, and management. Walk-through observation of control room and network environments.
03
Gap Analysis, Risk Weighting & Roadmap
Each identified gap is scored against standard requirement and operational impact. A phased Visual Resilience Roadmap is produced — not a to-do list.

Deliverables

  • Current state maturity scoring against chosen framework
  • Gap register with risk weighting and operational impact
  • Visual Resilience Roadmap — phased by effort and priority
  • Executive summary for board/management reporting
  • Debrief session with engineering and leadership teams

Frameworks Supported

  • IEC 62443 (all parts)
  • NIST CSF 2.0
  • NIS2 Directive
  • NERC CIP
  • CIS Controls v8

Typical Duration

  • Single-site: 3–5 days
  • Multi-site: scoped individually
  • Remote option available

Sample Report

See what a real Gap Assessment looks like — including methodology, gap register, and Visual Resilience Roadmap extract.

View Sample Report

Start With a Gap Assessment

The right place to begin any OT security programme. Talk to a NEXUS engineer directly.

Book a Consultation
Related Services

You May Also Need