
Methodology: Published yardsticks, not opinion of the day

What “good” means when we say it.

Every score in a Clarity Assessment is measured against something you can look up. No proprietary black box, no vibes. This page lists the yardsticks, the house rules we add on top, and how the two become a priority order.

The yardsticks

Six measures, all of them checkable.

Configuration · Public standard

CIS Benchmarks

The consensus hardening standard for operating systems, cloud platforms, and SaaS. Your AWS, GCP, Azure, and M365 configuration is compared line by line against the relevant benchmark, and the gaps are listed, not summarized.

Cloud · Endpoints
Governance · Public standard

ISO 27001 Annex A

The control set behind the world’s most-requested security certification. We score which controls exist, which exist only on paper, and which are missing, so a later certification project starts from a known position.

Controls · ISMS
Regulatory · EU law

DORA & NIS2 mappings

If you’re in scope, findings are mapped to the articles a supervisor would cite: the ICT asset register, the third-party register of information, and incident reporting readiness. The assessment output is formatted so it can be used as the DORA register of information directly.

DORA · NIS2
Architecture · Vendor-published

Vendor reference architectures

AWS, Google, and Microsoft each publish how their own platforms should be built. We hold you to the vendor’s published architecture, not to a reseller’s bundle, which is easy for us to do because we sell none of them.

AWS · GCP · Azure / M365
Operations · Lockpoint scale

Automation grade

Our house scale for the joiner-mover-leaver lifecycle and device management, from grade 0, everything by hand, to grade 4, zero-touch. Most firms we assess sit at 1. The scale is published below so you can place yourself before we do.

SCIM · MDM · Offboarding
Design · Lockpoint rules

Clean design principles

The rules an estate has to satisfy before anyone should automate or certify it. They’re short, they’re strict, and they’re listed in full further down this page.

House rules

The automation grade

Where does a new hire’s laptop come from?

One question places most companies on this ladder. The grade measures how much of the identity and device lifecycle runs without a human clicking.

  • Grade 0: by hand, by memory
  • Grade 1: documented, still manual (most firms we assess)
  • Grade 2: scripted, per-system
  • Grade 3: integrated: SCIM + MDM
  • Grade 4: zero-touch, from HR data

The chart marks the upper grades as the target band.

“When someone leaves, how long until their access is fully revoked? Grade 1 answers in weeks. Grade 4 answers in minutes, with a log.”

Shadow IT

The tools nobody admits to are still your liability.

Every estate has software that finance pays for and IT has never heard of, or that a team adopted with a credit card three years ago. A DDQ answered without finding it is a DDQ answered wrong.

  • We cross-reference three sources: identity provider sign-in data, finance and expense records, and what your teams tell us in interviews. Tools that appear in one list but not the others are the finding.
  • Each discovery gets a verdict: adopt it properly (owner, SSO, contract), replace it with something already licensed, or cancel it. No tool stays unowned.
  • Why it matters beyond tidiness: shadow tools hold company data outside your offboarding, your backups, and your DDQ answers. They are the gap between what you attest and what is true.
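The cross-referencing step above is a reconciliation problem, and it is worth seeing what it looks like as a script. The block below is an added example, not the assessment’s own tooling: it normalises vendor strings from three constructed sample sources (an IdP sign-in export, a finance ledger, and interview notes), builds a presence matrix, and lists every tool not corroborated by all three sources, naming which source is missing. That goes slightly beyond the literal “in one list but not the others” rule, so that a tool paid for and mentioned in interviews but absent from the IdP (the classic shadow-SaaS case, outside SSO and therefore outside offboarding) is ranked first. The source names, the suffix list in the normaliser, and the meaning attached to each gap are assumptions; the verdict column is left for the human decision the page describes.

```python
"""Shadow-IT reconciliation across three evidence sources (added example)."""
import re
from collections import defaultdict

# Assumed source labels; order matters for the gap listing.
SOURCES = ("idp", "finance", "interviews")

# Constructed sample inputs (not real client data): one vendor string per record.
IDP_SIGNINS = ["Google Workspace", "Slack", "GitHub", "Notion", "Zoom"]
FINANCE_LINES = ["Slack Technologies, Inc.", "GitHub, Inc.", "Airtable",
                 "Dropbox Business", "Notion Labs", "Zoom"]
INTERVIEW_MENTIONS = ["slack", "github", "airtable", "trello", "Dropbox"]

# Assumed meaning of each missing source, used only for the report text.
GAP_MEANING = {
    "idp": "no IdP sign-ins: outside SSO, so outside offboarding",
    "finance": "no finance record: no contract, cost or renewal on file",
    "interviews": "nobody named it: no acknowledged owner",
}

# Legal-entity suffixes and punctuation that differ between sources for the same vendor.
_NOISE = re.compile(r"\b(technologies|labs|inc|llc|ltd|business|corp)\b\.?|[,.]", re.I)


def normalize(name: str) -> str:
    """Reduce a vendor string to a comparable key: lower-case, suffixes stripped, single spaces."""
    return " ".join(_NOISE.sub(" ", name).lower().split())


def reconcile(idp, finance, interviews):
    """Return {tool_key: set of sources the tool appears in}."""
    presence = defaultdict(set)
    for source, names in zip(SOURCES, (idp, finance, interviews)):
        for n in names:
            presence[normalize(n)].add(source)
    return dict(presence)


def findings(presence):
    """Every tool missing from at least one source, IdP gaps first, then widest gaps, then by name."""
    out = []
    for tool, seen in presence.items():
        missing = [s for s in SOURCES if s not in seen]
        if missing:
            out.append({"tool": tool, "seen": sorted(seen), "missing": missing,
                        "verdict": "TBD: adopt / replace / cancel"})
    out.sort(key=lambda f: ("idp" not in f["missing"], -len(f["missing"]), f["tool"]))
    return out


def report(fs):
    """Render findings as one line per tool with the assumed gap meanings."""
    lines = []
    for f in fs:
        reasons = "; ".join(GAP_MEANING[s] for s in f["missing"])
        lines.append(f"{f['tool']:<18} seen in {','.join(f['seen']):<18} {reasons}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(findings(reconcile(IDP_SIGNINS, FINANCE_LINES, INTERVIEW_MENTIONS))))
```

With the sample data, Slack and GitHub are corroborated by all three sources and drop out; Trello (interviews only), Airtable and Dropbox (paid and used, never in the IdP) come first; Google Workspace, Notion and Zoom follow as tools that are behind SSO but either unpaid or unowned in interviews. Real exports need a stronger normaliser (vendor aliases, product families under one billing entity), which is exactly where the interview source earns its place.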

Clean design principles

The house rules every target architecture must pass.

  • Every tool has one job and a named owner. Two tools doing the same job is a decision waiting to be made; we make it.
  • Access derives from HR data, not from memory. Joiners, movers, and leavers change in one system and everything else follows.
  • Nothing privileged without a log. Admin rights are gated, time-boxed, and recorded, including ours.
  • The architecture fits on one page. If it can’t be drawn, it can’t be defended, in an audit or an incident.
  • Anything you can’t explain, you can’t attest. Every DDQ answer must trace to a system someone on your side understands.
  • Prefer removal over addition. A finding that can be solved by deleting something is solved by deleting something.

From score to priority

The math is simple. The judgment is the product.

Each domain gets a current grade and a target grade from the yardsticks above. Each gap becomes a finding with two properties: exposure, what it costs you if it stays, and effort, what it takes to close. High exposure and low effort goes first. The written reasoning for every ranking is in the report, so your team, or your board, can disagree with us on the merits.

What we deliberately don’t do: score against a framework that doesn’t apply to you, pad the findings list to justify a bigger engagement, or rank by what would be most profitable for us to fix. The baseline is public so that you can hold us to it.

Next step

Now you know what the score means. Get yours.

The Clarity Assessment runs every yardstick on this page against your estate. €4,000–6,000, fixed, yours to keep.