Principle Security Principle Security.

NCUA · ISE / ACET Readiness

Be examined the way you rehearsed

NCUA's Information Security Examination procedures define what examiners will ask. We run your program against them before the examiners do — so exam week holds no surprises.

The landscape

ISE is the exam. ACET is the mirror.

NCUA examines credit unions through its Information Security Examination (ISE) procedures — tiered so that expectations scale with asset size and complexity, from SCUEP-scoped reviews for smaller institutions upward. The ACET self-assessment (built on the FFIEC Cybersecurity Assessment Tool lineage) remains the most useful mirror: it measures inherent risk and control maturity in the same language examiners were trained on.

The trap is treating either as paperwork. An ACET score nobody acts on is worse than none — it's documented awareness of gaps you didn't close. Our readiness work turns the assessment into a working queue: each gap owned, scheduled, and evidenced.

Our approach

Assess honestly, remediate visibly

We baseline your inherent risk profile and control maturity, validate the answers against what's actually deployed (not what the policy says), and build the remediation roadmap in priority order — quick wins first, structural fixes scheduled. Then we keep the evidence binder living: policies dated, testing documented, findings tracked, so the next exam starts from readiness instead of archaeology.

How it runs

The engagement

Delivered fixed-scope, or operated continuously through our vCISO and Resident Engineering models.

What you get

  • Completed and validated ACET/ISE-aligned maturity baseline
  • Gap analysis with prioritized, owned, scheduled remediation roadmap
  • Evidence organization mapped to ISE request-list structure
  • Pre-exam readiness review and leadership briefing
  1. 01

    Baseline

    Weeks 1–2

    Inherent risk profile and control maturity assessment, validated against deployed reality — interviews, configuration review, and documentation sweep.

  2. 02

    Gap-to-roadmap

    Weeks 3–4

    Every gap gets an owner, a priority, and a date. Quick wins execute immediately; structural work is scheduled and budgeted.

  3. 03

    Evidence build

    Ongoing

    Artifacts organized the way examiners request them — so responses take minutes, not archaeology.

  4. 04

    Pre-exam rehearsal

    Before the cycle

    A dry run against ISE procedures with leadership briefed on posture, open items, and the narrative.

Your next exam is already on the calendar.

A 45-minute conversation tells you where you stand — and what to fix first.