Security Gap Analysis

Comprehensive and Cross-sectional Assessment Through Visualization, Showcasing the Maturity of an Organization’s Security Landscape

With the rise in information security incidents and cybercrime, and with the influence of the various guidelines that have been issued, more companies now treat information security as a management issue rather than purely an IT issue. As a result, many companies find themselves unsure how mature their security measures are, or how much time and money they should be spending on security. For information security investment to be meaningful, the areas that actually need support must be identified accurately. It is therefore essential to comprehensively visualize, understand, and prioritize the status of your organization's security measures.

NRISecure’s Security Gap Analysis service uses the NRI Secure Framework (NSF), which is built on know-how cultivated through many years of consulting and on external standards. It gives the organization a comprehensive, cross-sectional visualization of its security posture from a third-party standpoint. Beyond security risk assessment, we can also propose specific measures and support the creation of medium/long-term roadmaps for implementing them.

This service supports not only individual companies but also groups with many subsidiaries. Group companies and overseas offices can be compared against a common standard.

NSF is used across multiple industries, including finance, manufacturing, energy, trading, real estate, and logistics (track record: 200 or more assessments).


<5 Realms of NSF>

・Governance
Human and organizational measures, policy, structure, etc.
・Risk
Risk and incident management, BCP, etc.
・Compliance
Understanding and complying with regulations, contracts, etc.
・Physical
Physical measures, equipment, facilities, etc.
・Technical
Technical measures, configuration management, account management, vulnerability management, data management, log management, etc.

Features

1. Specialist consulting team with a wealth of knowledge and experience in information security

For over 20 years, NRISecure has supported the information security measures of more than 2,000 companies, mainly in the financial industry, government agencies, logistics, manufacturing, pharmaceuticals, telecommunications, media, and service industries. Drawing on this experience and knowledge, NRISecure can provide practical advice on medium/long-term roadmaps for security control implementation.

NRI Group’s standard project management framework can be applied to improve project quality and to manage the project proactively, avoiding unexpected workloads, reducing additional costs, and preventing project delays.

2. Excellent and unique framework

Implementing information security controls requires approaches from several aspects, not only technical but also human, physical, and organizational. In this service, NRISecure conducts evaluations using its own standardized framework, built on the knowledge NRISecure has accumulated from implementing security measures for many companies.

The assessment items of the NRISecure Framework (NSF) are continuously updated by interpreting major domestic and overseas security frameworks and best practices*, as well as current cybersecurity threats and trends.

(*) Examples of security frameworks and guidelines referenced by NSF

| Category                      | Framework/Guideline                                                                                          | Description                                        |
|-------------------------------|--------------------------------------------------------------------------------------------------------------|----------------------------------------------------|
| Management / General          | ISO/IEC 27001                                                                                                | ISMS requirements and implementation guidance      |
| Management / Sector-specific  | METI Cybersecurity Management Guidelines                                                                     | Guideline for business owners                      |
| Management / Sector-specific  | METI Information security management guidelines for the use of cloud computing services                     |                                                    |
| Technology / General          | CIS Controls                                                                                                 | Top 20 controls                                    |
| Technology / General          | IPA 10 Major Security Threats                                                                                | Cyber security threats facing Japanese companies   |
| Technology / Sector-specific  | NIST Cyber Security Framework                                                                                | 5 high-level functions                             |
| Technology / Sector-specific  | JSSEC Security Guideline for using Smartphones and Tablets                                                   |                                                    |
| Industry-specific             | FISC Security guidelines on computer systems for banking and related financial institutions                 | For financial institutions                         |
| Industry-specific             | PCI DSS                                                                                                      | For credit card operators                          |

3. Prioritization of security measures and visualization of ROI

Against growing security threats such as targeted attacks and internal fraud, the NRI team diagnoses the current situation from multiple angles by interviewing the relevant parties and quantitatively evaluates “tolerance”, a measure of how far defensive measures have been put in place within the organization. Specifically, the evaluation covers the means of detecting a threat early when it emerges and the measures required to minimize the impact of the resulting risk. The status of preventive and detective measures against security threats is visualized comprehensively across the five realms of NSF: Governance, Risk, Compliance, Physical, and Technical.


Based on the results of this assessment and visualization, NRI presents the security level required for each organization, expressed either as the “minimum level of measures to be taken” or as the “level of measures the organization should aim for”. Regarding security investment, NRI not only points out deficiencies but also provides comprehensive visualizations, for example by evaluating duplicate and excessive measures.


4. Comparison across organizations and against industry data

Because NSF is a standardized framework, the security levels of each organization and location can be compared against a single unified standard.

Furthermore, the organization's security control implementation status is compared with data on domestic and overseas companies collected in NRI surveys, revealing where its security maturity stands within its industry and where it should improve.


5. Proposal on mid/long-term implementation plan and implementation support

NRISecure recommends security controls and provides medium-to-long-term roadmaps for effective and practical security control implementation. These recommendations are aligned with the IT strategy set by the organization's management policy and business plan.


Project Overview

The project consists of 3 phases comprising 10 steps.
