NCUA · ISE / ACET Readiness
Be examined the way you rehearsed
NCUA's Information Security Examination procedures define what examiners will ask. We run your program against them before the examiners do — so exam week holds no surprises.
The landscape
ISE is the exam. ACET is the mirror.
NCUA examines credit unions through its Information Security Examination (ISE) procedures — tiered so that expectations scale with asset size and complexity, from SCUEP-scoped reviews for smaller institutions upward. The ACET self-assessment (built on the FFIEC Cybersecurity Assessment Tool lineage) remains the most useful mirror: it measures inherent risk and control maturity in the same language examiners were trained on.
The trap is treating either as paperwork. An ACET score nobody acts on is worse than none — it's documented awareness of gaps you didn't close. Our readiness work turns the assessment into a working queue: each gap owned, scheduled, and evidenced.
Our approach
Assess honestly, remediate visibly
We baseline your inherent risk profile and control maturity, validate the answers against what's actually deployed (not what the policy says), and build the remediation roadmap in priority order — quick wins first, structural fixes scheduled. Then we keep the evidence binder living: policies dated, testing documented, findings tracked, so the next exam starts from readiness instead of archaeology.
How it runs
The engagement
Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.
What you get
- Completed and validated ACET/ISE-aligned maturity baseline
- Gap analysis with prioritized, owned, scheduled remediation roadmap
- Evidence organization mapped to ISE request-list structure
- Pre-exam readiness review and leadership briefing
- 01 Baseline (Weeks 1–2): Inherent risk profile and control maturity assessment, validated against deployed reality — interviews, configuration review, and documentation sweep.
- 02 Gap-to-roadmap (Weeks 3–4): Every gap gets an owner, a priority, and a date. Quick wins execute immediately; structural work is scheduled and budgeted.
- 03 Evidence build (Ongoing): Artifacts organized the way examiners request them — so responses take minutes, not archaeology.
- 04 Pre-exam rehearsal (Before the cycle): A dry run against ISE procedures with leadership briefed on posture, open items, and the narrative.
Your next exam is already on the calendar.
A 45-minute conversation tells you where you stand — and what to fix first.