Cybersecurity Assessment
Fusion Computing’s CISSP-led 168-point security evaluation against CIS Controls v8.1. You get a written report with risk scores, a vulnerability scan, and a prioritized remediation roadmap, delivered in 5 business days.
For Canadian businesses with 10–150 users. Offices in Toronto, Hamilton, and Vancouver.
According to CIRA’s 2025 Canadian Cybersecurity Survey, 24% of Canadian organizations were ransomware victims in the past 12 months and 43% reported being targeted by a cyberattack. The Canadian Centre for Cyber Security’s 2025-2027 Ransomware Threat Outlook ranks ransomware as the top cybercrime threat to Canadian critical infrastructure. A documented assessment is the entry point for closing the gaps insurers and regulators now require.
Quick Answer: A cybersecurity assessment is a structured evaluation of your security posture against an established framework (CIS Controls v8.1, NIST CSF 2.0, or ISO 27001). For a Canadian SMB, a typical assessment takes 3-5 business days, covers 150-200 control points, and produces a written report with risk scores, gap analysis, and prioritised remediation roadmap. Expect to invest $3,000-$8,000 CAD for a mid-market assessment; compliance-driven assessments (PCI DSS, SOC 2) cost $10,000-$30,000.
Key takeaways:
- Three assessment types: quick-scan (1-2 days, $1,500-$3,000), standard CIS v8.1 (3-5 days, $3,000-$8,000), and compliance-driven (2-4 weeks, $10,000-$30,000).
- Deliverables should include a risk-scored findings matrix, prioritised remediation roadmap, and executive-summary slide deck — not just a PDF dump.
- A good assessor explains trade-offs (not just “fix everything”) and assigns realistic ownership and timelines.
- Re-assess annually for a stable business, or after any major change: M&A, cloud migration, office move, staff turnover at admin level, or security incident.
Assessment type comparison
| Type | Duration | Cost (CAD) | Best for |
|---|---|---|---|
| Quick-scan | 1-2 days | $1,500-$3,000 | Cyber-insurance renewal, board-level briefing |
| CIS Controls v8.1 | 3-5 days | $3,000-$8,000 | Standard SMB baseline, annual security review |
| NIST CSF 2.0 | 5-10 days | $5,000-$15,000 | Mid-market, regulated industries |
| PCI DSS / SOC 2 readiness | 2-4 weeks | $10,000-$30,000 | Payment processing, SaaS vendor audits |
Named one of Canada’s 50 Best Managed IT Companies two years running (2024 & 2025).
What’s in the written report
Most assessments surface a watching gap rather than a tooling gap. For background on what the watching layer typically looks like, see our guide to managed detection and response (MDR) for Canadian SMBs, including pricing bands and the 8-point provider evaluation checklist.
A cybersecurity assessment is a structured evaluation of your security posture. It identifies vulnerabilities, tests your existing controls, and produces a remediation plan ranked by actual risk. Our CEO holds the CISSP certification and a Master of Science in CS/AI, so every assessment is reviewed by senior security leadership.
The report maps your environment against CIS Controls v8.1, the framework auditors, insurers, and compliance officers reference. Here’s what it covers:
- CIS Controls v8.1 gap analysis: 168-point evaluation across endpoints, identity, email, backup, network, and compliance.
- Vulnerability scan results: External and internal scanning that flags unpatched systems, open ports, and misconfigurations.
- Prioritized remediation roadmap: Findings ranked by severity and business impact, not a 90-page PDF nobody reads.
- Compliance mapping: Alignment to PIPEDA, PHIPA, CyberSecure Canada, and industry-specific requirements.
Timeline: 2-hour initial session, then a written report delivered within 5 business days.
Who this cybersecurity assessment is for
Not every business needs the same trigger. These are the situations where we see the most urgency:
- Post-incident: You’ve had a breach, ransomware scare, or near-miss and need to know what’s still exposed.
- Compliance-driven: Your auditor, insurer, or board wants documented proof that controls are in place.
- Switching MSPs: You’re leaving your current provider and want an independent baseline before onboarding someone new.
- Insurance requirements: Your cyber insurance renewal requires a current cybersecurity assessment or risk evaluation.
Fusion Computing has supported Canadian businesses since 2012. Assessments are available across all provinces, with offices in Toronto, Hamilton, and Vancouver.
“An assessment isn’t a sales pitch. It’s a baseline. We walk through your environment, map the gaps against CIS Controls, and give you a prioritized list of what to fix first. About 40% of the time, businesses discover they’re paying for tools they’re not actually using.”
Mike Pearlstein, CISSP, CEO of Fusion Computing
What happens next
Three steps. No obligation at any point.
- Free 30-minute consultation: We’ll discuss your environment, your concerns, and whether a full assessment makes sense.
- 168-point cybersecurity assessment: On-site or remote. 2-hour session covering endpoints, identity, email, backup, network, and compliance.
- Written report in 5 business days: Risk scores, gap analysis against CIS Controls v8.1, and a prioritized remediation roadmap. The findings are yours to implement with any provider.
Typical cost: $2,500 to $6,500 CAD depending on organization size, number of endpoints, and cloud scope. Businesses with fewer than 25 users typically fall at the lower end.
Vulnerability assessment vs. cybersecurity assessment
The terms get used interchangeably, and the distinction matters when you scope a project. A vulnerability assessment is a focused exercise: scan your environment, surface unpatched systems, exposed services, weak configurations, and outdated dependencies, then deliver a CVSS-scored list of what to remediate. A cybersecurity assessment is the broader framework review: it includes the vulnerability scan, but adds policy, identity, backup, incident response, vendor management, and compliance evaluation. If a control is missing entirely, a vulnerability scanner will not catch it; a cybersecurity assessment against CIS Controls v8.1 or NIST CSF 2.0 will.
Most Canadian SMBs need both layers in one engagement. The vulnerability scan answers “what is exploitable on our network today?” The framework review answers “are we defensible against the threats we actually face, and do we meet PIPEDA, PHIPA, or cyber-insurance requirements?” Skipping the framework review is the most common reason a clean vulnerability scan still produces a six-figure breach: the gap was not in patching, it was in the absence of a documented incident response plan, or no MFA on a privileged service account, or a vendor with unrestricted network access.
Industry guidance: The Canadian Centre for Cyber Security recommends framework-based assessment for any organization handling personal information or operating critical infrastructure, not vulnerability scanning alone. CIS Controls v8.1 maps directly to NIST CSF 2.0 and ISO 27001, so a single CIS-based assessment satisfies most insurer and regulator requirements simultaneously. Source: cyber.gc.ca, Baseline Cyber Security Controls for Small and Medium Organizations.
Our approach: Every Fusion Computing cybersecurity assessment includes both layers. The 168-point evaluation against CIS Controls v8.1 covers the framework review; an authenticated and unauthenticated vulnerability scan runs in parallel during week one. Findings from both feed a single risk-ranked remediation roadmap. You leave with one report, not two, and one prioritized list, not a stack of disconnected scanner output.
168-Point Assessment. CISSP Leadership. No Obligation.
30-minute consultation to start. Written report in 5 business days.
What a Fusion cybersecurity assessment looks like
A Fusion cybersecurity assessment is a CISSP-led, 5-day engagement that maps a Canadian SMB’s control posture against the CIS Controls v8.1 Implementation Group 1 and 2 safeguards and the Canadian Centre for Cyber Security Baseline Controls for Small and Medium Organizations. The output is a 20-to-25-page audit report with an identity-attack-surface map, an endpoint and network posture scorecard, a SOC 2 readiness gap, and a 30/60/90-day remediation roadmap costed in Canadian dollars. The methodology is the same one Mike defends in board and insurer review meetings.
Scope and methodology
- Endpoint posture: Microsoft Defender for Endpoint, SentinelOne, or Sophos MDR coverage; BitLocker; local-admin sprawl; patch lag against CIS v8.1 safeguard 7
- Identity attack surface: M365 stale accounts, mailbox auto-forward rules, MFA coverage, Conditional Access policy review, Entra ID sign-in risk, privileged-role inventory
- Network segmentation: firewall (Fortinet, Sophos, Meraki, Palo Alto) ruleset review, guest / IoT VLAN isolation, VPN posture, east-west traffic visibility
- Data classification and DLP: Microsoft Purview sensitivity-label coverage, SharePoint oversharing scan, PHI / PII / trust-account data location map
- Incident readiness: tabletop rehearsal status, IR retainer, evidence-collection runbook, insurer notification chain, CCCS contact
- SOC 2 readiness gap: control inventory against the SOC 2 Trust Services Criteria for service organizations under US-prime contract pressure
- PIPEDA + provincial privacy alignment: breach-notification readiness, records-of-processing log, PHIPA / FIPPA / Quebec Law 25 overlay where applicable
- Shadow-IT and SaaS-vendor inventory: third-party-risk register, vendor DPA evidence, sub-processor map
What’s in the report
- Executive summary: 1-page board readout with risk rating, top-5 exploitable gaps, and a single-page identity-attack-surface map
- Technical findings: 20-25 pages of evidence-backed observations mapped to CIS v8.1 safeguards and CCCS baseline controls
- Remediation roadmap: 30/60/90-day prioritization with effort estimate, dependency map, and owner column
- Cost estimate: line-item budget for tooling, professional services, and ongoing 24/7 SOC / MDR run-rate
- SOC 2 readiness scorecard: gap list against the SOC 2 Trust Services Criteria for the next examiner cycle
- Insurer-evidence packet: MFA coverage, EDR coverage, backup immutability, IR retainer — the controls that drive cyber-coverage premium
- Incident-response runbook outline: containment, evidence preservation, OPC and provincial notifications, customer comms template
Fusion managed cybersec vs the alternatives
| | Fusion managed cybersec | Reactive cyber provider | In-house security person |
|---|---|---|---|
| SOC monitoring | ✓ 24/7 SOC + Huntress MDR | × Alerts you after-the-fact | × Can’t watch all night |
| Containment SLA | ✓ <15 min isolation | × Hours to days | — If they’re awake |
| Pricing model | ✓ Fixed monthly per user | × IR retainer + breach hourly | — Salary |
| Annual cost (25-user SMB) | ~$39K–$54K all-in | $10K retainer + IR spikes | $120K–$160K loaded |
| EDR + MDR stack | ✓ Huntress + SentinelOne | × Legacy AV only | — Whatever they pick |
| CISSP-led program | ✓ Yes, in-house | × Rare | — If you pay $140K+ |
| Compliance evidence | ✓ SOC 2 / PIPEDA / CIS exports | × Self-collect during audit | — Spreadsheet evidence |
| Phishing simulations | ✓ Quarterly, tracked | × Annual at best | — If on their list |
| Vulnerability management | ✓ Continuous scanning + patch | × Once a year scan | — Backlog grows |
| Incident response playbook | ✓ Documented + tabletop tested | × Sold as add-on | — Lives in one head |
| Backup + DR validation | ✓ Tested quarterly | × Configured, untested | — Hope it works |
| Replace someone | ✓ Team continuity | × Switch providers | × 6-month rehire risk |
Fusion MSSP vs building your own SOC
| | Fusion MSSP | Hire 1 security analyst | Build 3-person SOC |
|---|---|---|---|
| Direct annual cost (25 users) | ~$39K–$54K | $110K–$140K loaded | $340K–$420K + tooling |
| 24/7 SOC coverage | ✓ Built in | × One person, 40 hours | — 3 people can’t cover 24/7 alone |
| SIEM + EDR tooling cost | ✓ Included in MRR | × +$30K–$60K/yr | × +$60K–$120K/yr |
| Threat intel access | ✓ Multi-tenant signal | × Public feeds only | — Paid feeds at scale |
| CISSP coverage | ✓ In-house | × Rare at this salary | — If you hire a senior |
| Time-to-detect new threat | ✓ Minutes via MDR | × Hours–days | — Hours if alerted |
| Compliance evidence | ✓ Continuous export | × Last priority | — Quarterly if staffed |
| Replacement risk if quits | ✓ Zero | × 4–9 months to refill | — Painful, survivable |
| Recruiting cost (cyber talent) | ✓ $0 | $15K–$30K per hire | $50K–$90K total |
| Knows your business intimately | — QBR-based | ✓ Yes — legitimate edge | ✓ Yes |
| Audit-ready posture | ✓ Continuous | × Annual scramble | — If GRC role hired |
Recent engagements
Real Fusion cybersecurity engagements with measured outcomes.
- Marketing Agency Cyber Recovery
  Stabilized in 72 hours after a ransomware breach; gap closed in week one.
- Ransomware Recovery: Back Online by Monday
  100% data recovery and operations restored within 48 hours.
- Co-Managed IT for a GTA Construction Firm
  60% ticket-backlog cut and 97% patch compliance in 90 days.
Cybersecurity Assessment FAQs
What does the cybersecurity assessment cost?
Fusion’s 168-point cybersecurity assessment is typically $2,500 to $6,500 CAD, depending on environment size and scope. We’ll confirm pricing after a free 30-minute consultation. There’s no obligation to engage Fusion for remediation afterward.
How long does the assessment take?
The initial session is about 2 hours. You’ll receive a written report within 5 business days. For larger environments (100+ endpoints), the timeline may extend to 7-10 business days.
What’s included in the report?
A 168-point evaluation across endpoints, identity, email, backup, network, and compliance. The report includes risk scores, CIS Controls v8.1 gap analysis, and a prioritized remediation roadmap.
Do you need access to our systems?
Yes. We’ll need read-level access to review configurations, policies, and logs. It’s a structured intake process with a signed NDA and defined scope before anything begins.
Does the assessment cover PIPEDA and PHIPA?
Yes. We map findings to PIPEDA, Ontario PHIPA for healthcare, CyberSecure Canada, and the upcoming Bill C-8 supply-chain and incident-reporting obligations.
Assessment Services by Location
Fusion operates from 3 Canadian offices and conducts cybersecurity assessments coast to coast.
Toronto: (416) 566-2845 · Vancouver: (604) 800-7788 · Toll-free: 1-888-541-1611
What a cybersecurity assessment covers
A cybersecurity assessment for Canadian SMBs benchmarks your current posture against CIS Controls v8.1 and NIST CSF, identifies the top-five control gaps, and produces a costed remediation plan aligned to cyber-insurance requirements and PIPEDA/PHIPA obligations. Fusion Computing provides CISSP-led assessments at a fixed fee, typically completed in 2-3 weeks.
According to the Canadian Centre for Cyber Security’s Baseline Controls for Small and Medium Organizations, most Canadian SMBs fail the baseline on MFA coverage, patch cadence, and backup-restore testing — the same three controls that show up in post-incident root-cause analyses.
According to IBM’s 2024 Cost of a Data Breach report, organizations using a structured security framework (CIS, NIST CSF, ISO 27001) reduced breach costs by 21% versus peers operating without a framework.
The City of Hamilton’s denied $5 million cyber-insurance claim in 2024 — rejected because multi-factor authentication had not been fully implemented — is the canonical Canadian example of why assessment findings must convert to deployed controls, not just documented gaps.
According to 2024 cyber-insurance underwriting analysis, Canadian insurers now require evidence of recent third-party cybersecurity assessment as part of renewal — often with specific control-attestation requirements.
“The typical SMB cybersecurity assessment produces findings and stops there. Ours produces findings plus a costed remediation plan, a compliance mapping, and a 12-month execution calendar — so the output actually changes the security posture, not just the filing cabinet.” — Mike Pearlstein, CISSP, CEO, Fusion Computing


