ESMA™ Security Maturity Assessment | 8 Domains, 94 Controls, Two-Week Delivery | AiCyberWatch

ESMA

See exactly where you stand.

AiCyberWatch's proprietary security maturity assessment. Eight domains. Ninety-four controls. Five-level maturity scale. Two weeks from kickoff to executive readout. Tool-instrumented technical discovery paired with structured stakeholder interviews — every score backed by verifiable evidence, not self-reported questionnaire responses. The most rigorous, visually defensible maturity assessment a CISO can put in front of their board.

Domains: D1 Network · D2 Endpoint · D3 Identity · D4 Data · D5 Cloud · D6 AppSec · D7 OT/IoT · D8 Governance (8 domains, 94 controls)

What ESMA Does

The clearest picture of your security posture you'll ever see.

Most security leaders know they have gaps. They cannot prove it. They cannot prioritise it. They cannot present it to a board in a form that drives investment. ESMA™ exists to solve that problem with executive-grade precision.

It is not a vulnerability scan. It is not a penetration test. It is not a compliance checklist. ESMA™ is a structured maturity assessment: eight domains, ninety-four controls, five-level scoring, conducted by senior security consultants with operational experience defending enterprises across BFSI, Fintech, Healthcare, Manufacturing, Energy, and Government. Our assessors combine automated technical discovery (passive network analysis, cloud configuration auditing, identity security assessment, application vulnerability scanning, encryption validation) with structured stakeholder interviews across eight roles. Every score is backed by verifiable technical evidence, not self-reported questionnaire responses. The output is a visual, defensible, board-ready picture of where your security capability stands today and where it should land in twelve months.

Why CISOs Run It

Three triggers. Three deliverables. Three reasons.

01

Pre-Board Reporting

Maturity scorecard with 12-month delta

Replaces qualitative narratives with measurable progression — a metric the board can hold you to. Maturity progresses; absence-of-incidents does not.

02

Regulator Readiness

Heatmap and evidence pack mapped to DPDP / SEBI CSCRF / IEC 62443

Auditors recognise the structure. You walk into the audit room with the evidence already organised. No last-minute scramble.

03

Post-Incident Clarity

Domain-level findings with prioritised remediation roadmap

The first thing a board asks after an incident: "How did this happen and what else are we exposed to?" ESMA answers both — quickly, defensibly.

The Assessment

Eight domains. Ninety-four controls. One picture.

Every dimension of an enterprise security capability is assessed across eight domains, structured to mirror how modern security operations are actually run — and how regulators actually audit them. Each domain is scored on a five-level maturity scale and presented with a domain-level radar chart, a control-by-control heatmap, evidence-based findings, and prioritised recommendations.

94 granular controls assessed · 8 domains · 5-level maturity scale
D1 · Network Security (12 controls)
Firewall management, segmentation, IDS/IPS, monitoring, VPN, DNS security, wireless security, NAC, and emerging perimeter controls.
Evidence methods: passive network scan · firewall audit

D2 · Endpoint Protection (12 controls)
EDR/XDR, hardening, patch management, application whitelisting, removable media controls, MDM, browser security, encryption.
Evidence methods: EDR posture review · patch audit

D3 · Identity & Access (12 controls)
MFA, PAM, identity governance, password policy, SSO, service accounts, conditional access, directory security.
Evidence methods: identity assessment · PAM review

D4 · Data Protection (12 controls)
Classification, DLP, encryption at rest and in transit, backup and recovery, retention, database security, DPDP-aligned privacy.
Evidence methods: encryption validation · DLP review

D5 · Cloud Security (12 controls)
CSPM, cloud IAM, cloud network controls, logging, container security, cloud encryption, multi-cloud governance.
Evidence methods: CSPM scan · cloud IAM audit

D6 · Application Security (12 controls)
Secure SDLC, code review, dependency management, web application firewalls, API security, runtime protection.
Evidence methods: AppSec scan · API review

D7 · OT / IoT Security (10 controls)
Asset inventory, network segmentation per Purdue Model, IEC 62443 alignment, ICS protocol monitoring, secure remote access.
Evidence methods: passive OT observation · Purdue mapping

D8 · Governance & Compliance (12 controls)
Policy framework, risk management, compliance mapping, third-party risk, security awareness, incident response governance.
Evidence methods: policy review · evidence audit

12 + 12 + 12 + 12 + 12 + 12 + 10 + 12 = 94 granular controls

How We Score

Five levels. One language your board will understand.

Every control is scored on a five-level maturity scale calibrated to NIST CSF tier definitions. The scale is deliberately structured so the same vocabulary works across technical reviewers, executive stakeholders, and external auditors. No translation required.

Level 1 · Initial
Ad-hoc. Controls exist informally if at all. No documentation. Outcomes depend on individual heroics.

Level 2 · Managed
Controls implemented but inconsistently. Documentation partial. Coverage gaps known but un-remediated.

Level 3 · Defined
Controls implemented consistently. Documentation complete. Coverage understood and gaps tracked.

Level 4 · Quantitatively Managed
Controls measured. Effectiveness tested. Outcomes correlated to business risk.

Level 5 · Optimising
Controls continuously improved. Threat-informed. Predictive rather than reactive.

Calibrated to: NIST CSF Tiers · ISO 27001 Annex A · SEBI CSCRF · DPDP Act

Standards & Methods

Built on the standards your auditors already trust.

The D³E methodology and the ESMA™ control framework are derived from globally recognised security standards and aligned to Indian regulatory regimes. Every score is anchored to a published reference, so your auditor, your regulator, and your board are reading the same vocabulary we are.

NIST CSF 2.0: core functions · maturity tiers
ISO/IEC 27001:2022: Annex A controls · ISMS
CIS Controls v8: IG1 · IG2 · IG3 safeguards
NIST SP 800-53 Rev 5: control catalogue
MITRE ATT&CK: detection coverage mapping
OWASP Top 10 & ASVS: application security
IEC 62443 / Purdue: OT/IoT & industrial control
DPDP · SEBI CSCRF · CERT-In: Indian regulatory alignment

How we collect evidence

Evidence-based, not opinion-based.

ESMA™ is engineered as a tool-instrumented assessment. Senior consultants direct the engagement, but every control score is anchored to verifiable technical evidence collected through three converging tracks. Self-reported questionnaires alone are not accepted as evidence.

TRACK 01
Automated technical discovery

Passive network analysis, cloud configuration auditing, identity security assessment, application vulnerability scanning, and encryption validation — run under formal scan authorisation across agreed scope.

TRACK 02
Structured stakeholder interviews

Eight role-based interview tracks — CISO, CIO, network, identity, cloud, application, OT/operations, governance/DPO — using a standardised question bank calibrated to each domain.

TRACK 03
Documentary & evidence review

Policy artefacts, console screenshots, configuration exports, audit reports, and operational telemetry — reviewed against the 94-control inventory before scores are calibrated.

Every score in your ESMA™ Scorecard is backed by verifiable technical evidence: not what someone said in an interview, but what the tool, the configuration, or the artefact actually showed.

Deliverables

What you receive

Every ESMA™ engagement delivers five distinct artefacts, each designed for a different audience and a different conversation. No single document tries to be everything to everyone; that is the point.

[Scorecard graphic: overall 3.4/5, Defined → Quantitatively Managed; domains D1–D8 with current and target (Y+1) overlays]
DELIVERABLE · 01

Security Posture Scorecard

A visual single-page summary: overall maturity score, domain-level radar chart with current and target overlays, top three strengths, top five gaps, and the maturity level achieved. Designed to be the first slide in your next board pack.

DELIVERABLE · 02

Security Posture Heatmap

A single-page colour-coded grid covering all 94 controls organised by domain, with maturity scoring rendered in the brand's red-amber-yellow-teal-gold gradient. The "one-glance" executive view, exactly where you stand on every control, in one image.

[Heatmap graphic: 94 controls, domains D1–D8 by maturity level L1–L5]
[Report cover: AiCyberWatch ESMA™ Assessment Report, Confidential, 35–50 pages]
DELIVERABLE · 03

Written Assessment Report

A comprehensive report (typically 35–50 pages, depending on environment complexity) covering executive summary, methodology, overall posture, domain-by-domain findings, evidence reviewed, prioritised recommendations, and full appendices. Written to be readable by both technical and executive audiences.

DELIVERABLE · 04

12-Month Improvement Roadmap

Recommendations prioritised across four time horizons: Immediate (0–30 days), Short-term (1–3 months), Medium-term (3–6 months), Long-term (6–12 months) — with effort indicators, expected maturity uplift per recommendation, and dependencies mapped between actions.

[Roadmap graphic: horizons 0–30D · 1–3M · 3–6M · 6–12M; example actions MFA rollout, Patch P1 CVEs, PAM deployment, DLP Tier 1, Cloud CSPM, OT segmentation, Zero Trust roll-out, CSCRF audit; effort Low / Med / High; expected uplift +0.4, +0.6, +0.5, +0.3]
[Deck cover: AiCyberWatch ESMA™ Readout Executive Presentation, 3.4/5, slide 4 of 16]
DELIVERABLE · 05

Executive Presentation Deck

A 16-slide presentation deck designed for a 45-minute leadership readout. Co-branded for internal presentation, structured to walk a board through findings, recommendations, and roadmap without requiring the CISO to translate technical detail in real time. Includes speaker notes.

Engagement Timeline

How it runs. Two weeks. Six stages.

ESMA™ is engineered for executive-grade rigour at executive-grade speed. Fourteen working days is the standard delivery window, long enough for tool-instrumented technical discovery across every domain, short enough that your team's calendar absorbs it without disrupting business operations.

Days 1–2 · Kickoff & Scoping
Stakeholder alignment, scope confirmation, scan authorisation, CISO and CIO interviews.
▸ INTERVIEWS · AUTHORISATION

Days 3–5 · Network · Endpoint · Identity
Technical discovery: network architecture review, endpoint posture, identity and access security assessment.
▸ AUTOMATED DISCOVERY

Days 6–8 · Cloud · Application · Data
Cloud configuration auditing, application vulnerability assessment, encryption and data protection validation.
▸ AUTOMATED DISCOVERY

Days 9–10 · OT/IoT & Governance
OT/IoT observation (where in scope), governance and policy review, remaining stakeholder interviews.
▸ OBSERVATION · INTERVIEWS

Days 11–12 · Scoring & Recommendations
Scoring calibration across assessors, evidence-weighted findings validation, prioritised recommendation development.
▸ ANALYSIS · QA

Days 13–14 · Deliverables & Readout
Scorecard, heatmap, written report, roadmap, and executive deck finalised. Internal QA. Leadership presentation.
▸ DELIVER · PRESENT

Timeline shown is indicative for a standard engagement (14 working days). Actual duration may vary based on the size and complexity of the environment, number of sites, OT scope, and stakeholder availability.

How It Fits

Standalone-valuable. Methodology-anchored.

ESMA is the first phase of the D³E methodology and a complete audit on its own.

Most clients first encounter ESMA as a standalone engagement. The board wants a maturity number. The auditors want evidence. The new CISO wants a 90-day baseline. ESMA delivers all three, with no methodology buy-in required and no commitment beyond the assessment itself. For organisations that want more than a snapshot, ESMA becomes the front door to the full D³E methodology — same scorecard, same gaps, same roadmap, all flowing into Design, Defend, and Evolve. Nothing is duplicated. Nothing is wasted.

Path 01 · Standalone

ESMA Standalone

Independent maturity audit. Two weeks. Five deliverables. No methodology commitment.

Run it once, take the findings and roadmap, execute internally. Or use the deliverable to brief your existing security partner. Or run it annually as a board-level posture metric.

Best for: regulator readiness · post-incident review · pre-board reporting · audit prep · M&A due diligence
Talk to us about ESMA →
Path 02 · Full D³E

ESMA as D³E Phase 1

ESMA is the entry phase. Findings flow into Design, Defend, and Evolve as a continuous twelve-month engagement.

Same two-week assessment, but the deliverable becomes the architectural brief for your Defence Blueprint, the tuning input for your Managed SOC, and the year-zero baseline for annual progression.

Best for: sustained partnership · measurable year-over-year maturity · compounded defence
See the full D³E methodology →

Industry-Specific Fit

ESMA mapped to your sector and your regulators.

The eight domains and their underlying controls are calibrated against industry-specific risk profiles. The same ESMA assessment runs differently for a private bank than for an auto-component manufacturer — same framework, different weighting, different evidence requirements, different board-relevant findings.

Sector | Regulatory anchor | Where ESMA places extra emphasis
BFSI | SEBI CSCRF · RBI · DPDP | D3 Identity & Access · D4 Data Protection · D8 Governance — board-grade evidence pack.
Fintech | RBI · DPDP · PCI-DSS | D5 Cloud Security · D6 Application Security · D3 Identity & Access — fast-moving stack.
Healthcare | DPDP · HIPAA (cross-border) | D4 Data Protection · D7 OT/IoT (medical devices) · D2 Endpoint — patient-data primacy.
Manufacturing | IEC 62443 · OEM questionnaires | D7 OT/IoT · D1 Network (IT/OT segmentation) · D6 Application — Purdue-aligned.
Energy / Utilities | CEA Guidelines · IEC 62443 | D7 OT/IoT · D1 Network · D8 Governance — critical infrastructure framing.
Government / PSU | CERT-In · Ministry directives | D8 Governance · D1 Network · D4 Data Protection — sovereignty-aware.

Proof

Three engagements. Three industries. One methodology.

Anonymised illustrations of actual maturity deltas measured via successive ESMA™ assessments across 9-to-12-month engagements.

BFSI · Tier-2 Bank

~3,500 employees · 250+ branches

Overall maturity: 2.3 / 5 → 3.7 / 5 over 12 months

Trigger: SEBI CSCRF deadline + post-incident review. Largest moves: Identity & Access 1.8 → 4.1 (MFA + PAM), Cloud Security 1.5 → 3.4 (CSPM), Governance 2.5 → 4.0 (CSCRF readiness). MTTD dropped from 14 hours to 22 minutes.

Illustrative · Anonymised
Healthcare · Hospital Network

5 hospitals · 1,200 beds

Overall maturity: 1.9 / 5 → 3.3 / 5 over 9 months

Trigger: DPDP exposure + sector-wide ransomware pressure. Largest moves: Data Protection 1.6 → 3.5 (DPDP-aligned classification + DLP), OT/IoT 1.2 → 2.9 (medical-device segmentation), Endpoint 2.0 → 3.6 (EDR rollout). Two ransomware attempts blocked in Q2.

Illustrative · Anonymised
Manufacturing · Tier-1 Auto

8 plants · ~6,500 employees

Overall maturity: 2.0 / 5 → 3.5 / 5 over 12 months

Trigger: OEM customer cybersecurity questionnaire + IEC 62443 push. Largest moves: OT/IoT 1.4 → 3.2 (Purdue model), Network 1.9 → 3.6 (IT/OT segmentation), AppSec 1.7 → 3.1 (secure SDLC). IEC 62443 alignment achieved for L3.5 zones; two OEM audits cleared.

Illustrative · Anonymised

FAQ

Questions CISOs ask before running ESMA

How is ESMA different from a vulnerability assessment or penetration test?

Vulnerability assessments and penetration tests measure technical weakness: they tell you which doors are unlocked. ESMA measures organisational capability — it tells you whether you have the locks, the guards, the alarms, the response procedures, and the governance to keep the building safe over time. The two are complementary, and most mature security programmes run both. ESMA, however, is the assessment a board-room conversation requires. A vulnerability scan is not.

What's the time commitment from our team?

Roughly 14 to 22 hours of stakeholder time, distributed across the two-week engagement. The CISO commits to a kickoff call (90 minutes), a closing readout (45–60 minutes), and is interviewed for approximately 90 minutes. Other stakeholders — network admin, cloud admin, application team lead, OT lead, DPO — contribute 60–90 minutes each. Document review and console walk-throughs are largely fulfilled in parallel by your team, requiring minimal disruption once access is granted. Most of the 14 days is our team's effort, not yours.

We already run ISO 27001 / NIST CSF assessments. Why ESMA?

ISO 27001 and NIST CSF are excellent frameworks, but they are reference architectures — they do not produce a visual maturity scorecard, a colour-coded heatmap, eight domain spider charts, and a prioritised twelve-month roadmap calibrated to your sector. ESMA is structured to crosswalk against ISO and NIST, so you do not lose existing investment. Most clients who already operate ISO or NIST find ESMA produces a sharper executive narrative — and a faster path to board-relevant decisions — than re-running the parent framework.

Is the assessment data confidential?

Yes, with three layers of protection. First, every engagement is governed by a mutual NDA executed before kickoff. Second, AiCyberWatch operates under ISO 27001 controls — your evidence is handled under the same regime that protects our other clients' data. Third, all assessment data is processed and stored on India-resident infrastructure in compliance with the DPDP Act.

Can ESMA help us prepare for a SEBI CSCRF or DPDP audit?

Yes — and many engagements are triggered exactly by that requirement. ESMA's domain structure was built specifically to produce evidence that maps cleanly to SEBI CSCRF's Identify-Protect-Detect-Respond-Recover lifecycle and to DPDP Act obligations on data fiduciaries. The deliverable pack typically contains audit-ready evidence: control-level scoring, documented findings, gap remediation roadmaps, and references to the source evidence reviewed.

What happens after the readout?

Three options. (1) You take the findings and roadmap and execute internally — that is a perfectly valid outcome and we will tell you so if it fits. (2) You bring AiCyberWatch back as advisor for prioritised remediation. (3) You move to the full D³E methodology, with ESMA becoming the formal Discover phase and the engagement extending into Design, Defend, and Evolve. The decision is taken at the readout — there is no commitment baked into the assessment itself.

Can ESMA be run remotely, or does it need on-site presence?

Most ESMA engagements run hybrid — interviews and console walk-throughs conducted remotely, with optional on-site days for OT environments, large multi-site enterprises, or clients who prefer face-to-face for the executive readout. We adapt to your operational preference.

How is this different from a free questionnaire-based assessment offered by other providers?

A questionnaire is a self-report. ESMA is an evidence-based assessment. We do not score what you tell us — we score what we can corroborate from your consoles, your documents, your interviews, and our own observation. That is why ESMA produces results an auditor, an insurer, or an acquiring entity can rely on. A questionnaire produces results only the questionnaire-writer believes.

Ready to See Where You Stand

Talk to us about ESMA™

Two weeks. Five deliverables. One picture of your security posture you can defend in any room.

Engagement scoping is free. We will walk you through what ESMA covers in your specific sector, what evidence we need, what your team needs to commit, and what timeline fits your audit calendar. No automated booking, no calendar trap, just a 30-minute conversation with a senior security advisor who will tell you, honestly, whether ESMA is the right starting point for what you are trying to achieve.

Or call us directly — +91-8010101070 — Mon-Fri, 9 AM to 7 PM IST

D³E™  |  ESMA™  |  Build Fearless™

AiCyberWatch  |  NGBPS Ltd  |  © 2026 All rights reserved.
