Readiness · CBN Cybersecurity Assessment Tool

CBN CSAT readiness for banks pursuing compliance.

Domain controls 1 through 7, with audit-ready evidence.

We help banks pursuing CBN compliance get from self-assessment ambiguity to audit-ready evidence against the Cybersecurity Assessment Tool. The deliverable is a maturity scoring against domains one through seven, a sequenced remediation plan, and the evidence pack the CBN examiner asks for on arrival.

  • 7 domains: control families assessed
  • 5 levels: maturity scoring scale
  • Quarterly: reporting cadence
  • 90 days: typical readiness window

Problem framing

The framework is precise. The evidence is the work.

The CBN Cybersecurity Assessment Tool — issued under the CBN Cybersecurity Framework and Guidelines for Other Financial Institutions, with subsequent circulars tightening expectations through 2024 — is the document the supervisor uses to score your maturity. Seven domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management, cyber incident management and resilience, and the two cross-cutting domains of governance and training. Each domain decomposes into declarative statements scored across five maturity levels — baseline through innovative.

The pattern we see across banks pursuing compliance is not absence of controls. It is fragmentation. A SIEM here, a vulnerability programme there, third-party assessments in a procurement folder, an incident playbook in the SOC drive — and no single artefact that maps the lot to the CSAT statements. The examiner does not score what you have. The examiner scores what you can produce on demand against the framework's specific language.

The work is consolidation. We map existing controls to CSAT statements, identify domains scoring below the target maturity, and produce the evidence pack — control narratives, supporting artefacts, test results, board minutes, training rosters — indexed to the framework so an examiner can navigate it without a guide. This is the approach we recommend; it shortens the on-site portion of the audit substantially and removes the most common source of finding letters.

How we approach it

From fragmented controls to a defensible score.

  1. Inherent risk profile establishment.

     CSAT scoring is conditioned on the bank's inherent risk profile — technology mix, delivery channels, online presence, organisational complexity, external threats. We document the profile against the framework's risk-rating scale before maturity scoring begins. The same control evidence reads differently against different risk profiles.

  2. Domain-by-domain maturity scoring.

     We work through domains one through seven, statement by statement, scoring current maturity against the five-level scale. The output is a heat map, a gap register keyed to each declarative statement, and a target-state recommendation that sequences remediation against examiner expectations.

  3. Evidence pack consolidation.

     For every declarative statement at the target maturity level, we produce or curate the supporting evidence — policy clauses, control test results, exception logs, vulnerability scan outputs, third-party assessments, board approval records. The pack is indexed by domain and statement number. The examiner finds artefacts in seconds.

  4. Third-party and concentration risk mapping.

     Domain four (external dependency management) is where most banks score below target. We build the vendor inventory keyed to criticality and data sensitivity, document concentration risk for shared providers, and apply the framework's flow-down expectations to contracts. This domain has tightened in recent CBN circulars.

  5. Remediation roadmap with examiner sequencing.

     Not every gap is equal. We sequence remediation by domain weight, examiner focus areas in the current supervisory cycle, and operational feasibility. The roadmap is dated, owned, and reportable to the board and the supervisor.

Regulatory anchor

The framework, anchored clause by clause.

The CSAT sits beneath the CBN Risk-Based Cybersecurity Framework. The seven domains read as: Cyber Risk Management & Oversight (Domain 1), Threat Intelligence & Collaboration (Domain 2), Cybersecurity Controls (Domain 3, the largest), External Dependency Management (Domain 4), Cyber Incident Management & Resilience (Domain 5), Governance (cross-cutting), and Training & Culture (cross-cutting).

Domain 3 — Cybersecurity Controls — contains the most declarative statements and is where assessment fatigue sets in. Sub-areas include preventive controls (identity and access, data protection, secure configuration), detective controls (continuous monitoring, threat detection, vulnerability management), and corrective controls (patch management, response automation). Domain 5 maps to the CBN circular on incident notification, which compels reporting of material cyber incidents to the supervisor within prescribed windows.

Key clauses
  • Domain 1 — governance, strategy, risk management, resources, training
  • Domain 3 — preventive, detective, and corrective controls (the largest domain)
  • Domain 4 — external dependency due diligence and concentration risk
  • Domain 5 — incident response, business continuity, supervisor notification
  • Maturity ladder — baseline, evolving, intermediate, advanced, innovative

What good looks like

The end state we drive toward.

Maturity at or above the target level for every domain, an evidence pack the examiner can navigate without help, third-party risk under active monitoring rather than annual review, and a board that can speak to the framework in its own language.

  • ≥ Intermediate: target maturity across domains
  • 100%: statements with evidence indexed
  • Quarterly: board cybersecurity reporting
  • <30 days: critical vendor risk turnaround

Illustrative, drawn from published architectures and forthcoming engagements. Specific maturity targets are conditioned on the bank's inherent risk profile and the prevailing CBN supervisory cycle.

Engage

Scoped CSAT readiness assessment.

Send us your most recent self-assessment (or the fact that you do not have one), your inherent risk profile if documented, and the supervisory letters from the last cycle. We come back with a fixed-scope assessment proposal and a sample maturity heat map inside ten working days.