The entry point

Fixed price · Fixed scope · Yours to keep

First, know what you actually run.

The IT & Security Clarity Assessment maps every tool, account, vendor, and admin right in your company, runs a formal risk assessment over what it finds, prices the waste, and hands you a costed plan. €4,000–6,000, fixed. If we never speak again afterwards, you still own every page of it.

Who it’s for

Order it when the question is “where do we actually stand?”

Before a deadline

DORA, NIS2, ISO 27001, or a client DDQ is coming.

The asset and access map is the foundation every one of those frameworks demands. It’s formatted to serve directly as your DORA ICT asset register, so compliance work starts from fact, not guesswork.

Before a decision

You’re about to commit: a provider, a platform, a budget.

Renewing an MSP contract, choosing a cloud direction, approving next year’s IT spend. The report tells you what you have and what it should cost before you sign anything, including with us.

Because it feels off

Nobody can draw the architecture, and you know it.

Slow onboarding, a cloud bill nobody can explain, one admin who holds everything. The assessment turns the feeling into a named, ranked, costed list.

What we examine

Six lenses over one estate.

Read-only access and structured interviews. We change nothing during the assessment; we look at everything. Each lens is scored against a published yardstick: the Clarity Baseline.

  • Identity & access. Every account, every admin right, every leaver who still has one. The question we always ask: when someone leaves, how long until their access is fully revoked?
  • Devices. What’s managed, what’s not, what walks out of the building unencrypted.
  • SaaS & licenses. The full tool list, who owns each one, what it costs, and which ones duplicate each other.
  • Cloud. AWS, GCP, Azure, and hybrid configuration reviewed against CIS Benchmarks, with spend mapped to actual use.
  • Vendors & contracts. The register your procurement team wishes existed: owners, costs, renewal dates, and who has access to what.
  • Compliance posture. Where you stand against the obligations that apply to you: DORA, NIS2, ISO 27001, SOC 2, and the DDQs your clients send.

What you receive

A report you can hand to an auditor, a board, or our competitors.

THE MAP

What you run

Complete asset and access map, formatted to serve as your DORA ICT asset register. The real architecture diagram, drawn from evidence. A vendor register with owners, costs, and contract dates.

Asset map · Architecture · Vendor register

THE NUMBERS

What it costs you

Waste analysis with names attached: duplicate tools, unused licenses, oversized cloud spend. About 30% of typical IT budgets does nothing useful. We show you your number and where it hides.

Waste analysis · Cloud spend · License audit

THE PLAN

What to do about it

Risk report ranked by real exposure, not theoretical severity. A costed remediation plan in priority order. Execute it with us, hand it to your current provider, or keep it in a drawer. It’s yours.

Risk assessment · Costed plan · No lock-in

The report, shown

“Clarity” is a word until you see the page.

Two spreads from a sample report, illustrative numbers. Left: the risk picture, your current state against the benchmark each domain is scored on. Right: our written opinion on what to fix first, and why that order.

[Figure: Spread 1 / the risk picture (illustrative sample). Spider chart over Identity & access, Devices, SaaS, Cloud, Vendors, and Compliance, plotting where you are against the benchmark target (CIS · ISO 27001 · automation grade).]

Spread 2 / Our opinion, in writing

The spider chart names the gap; the priority list is the professional opinion you’re paying for. Every gap becomes a finding ranked by exposure against effort, with the reasoning written down, so your team or your board can disagree with us on the merits.

Want to know what each domain is scored against? Read the Clarity Baseline →

The priority list / fix in this order (illustrative)

  1. Revoke orphaned admin accounts (days). Highest exposure on the list, lowest effort to close. Former staff with live admin rights is the finding auditors and attackers share a taste for.
  2. Wire offboarding to HR via SCIM (weeks). Stops the orphan problem from regrowing. Everything else inherits a clean identity layer.
  3. Close cloud config gaps vs CIS (weeks). Material exposure, moderate effort. Sequenced after identity because hardening an estate with broken access control hardens the wrong thing.
  4. Consolidate duplicate tooling (quarter). Cost, not risk. Funds the rest of the plan; three tools become one with a named owner.
  5. Build the evidence layer (quarter). Last, deliberately: policies and registers written against the fixed environment, so the paperwork describes something true.

What happens after

Three honest exits.

Exit 1 · Execute with us

The plan becomes the programme.

Most clients continue into Automation and Security: co-managed beside your team or fully managed by ours. The assessment price tells us both exactly what that will cost before anyone commits.

Exit 2 · Take it elsewhere

Your provider executes, with a tighter brief.

Some clients keep their existing IT partner and use the report to fix the contract, cut the duplicate spend, and set measurable expectations. We’d rather lose the build than pad the report.

Exit 3 · Do nothing yet

You still own the facts.

The register, the diagram, and the plan don’t expire. When the DDQ or the deadline arrives, you start from a map instead of a blank page.

Why fixed price matters: an assessment priced by the day has an incentive to grow. This one is €4,000–6,000, scoped in writing before we start, with the band set by company size and estate complexity.

Next step

One fixed price between you and knowing exactly where you stand.

Book a thirty-minute call with an engineer. We’ll tell you which end of the price band you’re on and what access we’d need.