01 / Who this is for

A starting point. Not a checkbox.

Complyn Core is what we recommend when you don't have a specific regulatory framework forcing your hand, but you know you need to get serious about cybersecurity. It's a baseline, not a certification. It tells you where you are.

A good fit if
  • You've been asked by an insurance carrier, vendor, or partner to demonstrate that you have a cybersecurity program in place
  • You're a small business and the framework-specific options feel like overkill
  • You want a baseline before you commit to a more rigorous framework like NIST CSF
  • You've never had a cybersecurity assessment done and need a starting point
  • You're between assessments and want a fresh look at where things stand

Look elsewhere if
  • You're a covered entity under HIPAA and need a formal Security Risk Analysis (consider HIPAA Compliance)
  • You're a non-banking financial services firm subject to the FTC Safeguards Rule (consider FTC Safeguards)
  • You need a comprehensive, federally recognized framework assessment (consider NIST CSF 2.0)
  • You need an audit that produces a certificate or attestation for a third party

02 / What's included

Twenty-two controls, organized for clarity.

Complyn Core assesses 22 controls across six areas, chosen for what matters most to small businesses. Each control is scored on a three-tier scale (Mature, Developing, Not Yet Implemented), ranked by risk, and explained in plain language. Here's how the assessment is organized.

01 Governance and policy

Do you have written policies that match how you actually operate? Do the people who need them know they exist? We look at the foundation that the rest of your security program rests on.

  • Information security policy
  • Acceptable use policy
  • Roles and accountability
  • Risk management process

02 Access and identity

Who has access to what, how is access granted and revoked, and how do you know the access controls actually work? Compromised or over-privileged accounts are one of the most common ways attackers get in.

  • Account management
  • Authentication and MFA
  • Privileged access
  • Access reviews

03 Endpoint and infrastructure

The systems your business runs on: workstations, servers, and networks. Are they patched, monitored, and configured to a current hardening standard?

  • Endpoint protection
  • Patch management
  • Network security
  • Configuration management

04 Data and backup

Where does sensitive data live, how is it protected at rest and in transit, and can you get it back when something goes wrong?

  • Data classification
  • Encryption
  • Backup and recovery
  • Data retention and disposal

05 People and operations

Your staff is your strongest defense and your largest risk. How are they trained, vetted, and supported in keeping up good security practices, and how do you manage the vendors who handle your data?

  • Security awareness and training
  • Background screening
  • Vendor and third-party risk

06 Incident response and recovery

When something goes wrong, what happens? Is there a plan, has anyone tested it, does the business know how to invoke it, and would the logs you keep let you work out what actually occurred?

  • Incident response plan
  • Business continuity and disaster recovery
  • Logging and monitoring

03 / What you receive

A real report. A real conversation.

Every Complyn Core engagement produces the same set of deliverables. No tiers, no upsells, no surprises about what's included.

01 Written findings report

    A complete written assessment of all 22 controls, organized by control area, scored on a three-tier scale (Mature, Developing, Not Yet Implemented). Each finding includes what we observed, why it matters, and a specific recommendation to close any gaps. The report is yours to share with insurance carriers, vendors, partners, your board, or anyone else who needs to see it.

02 Risk-ranked roadmap

    Findings ranked by risk, with realistic time and effort estimates for each remediation. What to do this month, what to do this quarter, and what can reasonably wait. Built around your actual business, not a generic checklist.

03 One-hour roadmap conversation

    Once you've had time to read the report, we sit down for an hour to walk through the findings, answer questions, and align on next steps. You leave knowing exactly what to do, in what order, and why.

04 Thirty days of follow-up support

    For thirty days after the roadmap conversation, you can reach us by email or through the Complyn Client Portal with follow-up questions at no charge. We want the engagement to land.

04 / Built to last

Your engagement doesn't end when the report is delivered.

Most compliance work disappears into an inbox. We do it differently. Every Complyn client gets access to the Complyn Client Portal, a dedicated space where your reports, files, and conversations stay organized and accessible for three years after the engagement ends.

Three years of access, no extra fee. The platform exists to make compliance something you can return to, not something you have to rebuild every time.

What you get

  • A direct messaging channel to your Complyn team
  • Every report and deliverable we've produced for you, easily accessible and downloadable for three years
  • Our library of compliance framework documentation and implementation guides
  • A secure file exchange for documents that shouldn't move by email
  • Billing history and invoice access in one place
  • Works on any device, anywhere

05 / How long it takes

Most engagements complete in one to two weeks.

That is measured from the signed engagement letter to the delivered report. The exact timing depends on how quickly your team can return documents and make people available for short interviews. Larger or more complex businesses may take longer.

Week 1: Discovery
  Document requests, intake meeting, short interviews

Week 2: Assessment and report
  Control-by-control scoring, report drafted

After: Delivery and roadmap
  Report delivered, one-hour roadmap call scheduled within five business days

06 / Common questions

Things people ask about Core.

Is Complyn Core a recognized framework like HIPAA or NIST?

No. Complyn Core is our own baseline. We built it because most regulated frameworks are either too narrow for general use (HIPAA only applies to healthcare covered entities and their business associates) or too rigorous for a small business that's just trying to understand where it stands (NIST CSF can be overwhelming as a first step). Core is the assessment we wish had existed when a business asked us for a starting point. It maps to the broad expectations behind most regulatory frameworks, but it doesn't produce a regulator-recognized certificate.

Will a Complyn Core report satisfy my insurance carrier?

In most cases, yes. Insurance carriers generally want to see that you've had an independent cybersecurity assessment, that you have a written report of findings, and that you have a documented plan to address them. Complyn Core produces all three. If your carrier has named a specific framework (HIPAA, NIST, ISO 27001), tell us in the discovery call and we can scope to that framework instead.

Can I do Core and then move to a more rigorous framework later?

Yes, and that's a common path. Many of our clients start with Core to understand where they stand, then move to a more specific framework (HIPAA, FTC Safeguards, NIST CSF) once they're ready. The work you do from the Core roadmap carries forward: controls you've already put in place are credited in the next assessment rather than rebuilt from scratch.

Do you do remediation work, or just the assessment?

Just the assessment, by design. We don't sell security tools, we don't take vendor commissions, and we don't double as a managed service provider. Our independence is the whole product. If you want ongoing support implementing the roadmap, our Advisory retainer picks up where the assessment ends. For specific remediation work, we'll recommend vendors and partners who can help.

How much does Complyn Core cost?

Pricing depends on the size and complexity of your business. For a small business with a straightforward setup, Complyn Core is our most affordable engagement. We provide a written scope and fixed price after a free thirty-minute discovery call. No hidden fees, no commissions, no scope creep without your approval. Schedule an assessment to get a specific quote for your situation.

Ready to know where you stand?

Tell us about your business and what's prompting this. We'll review your request, propose a scope, and set up a free thirty-minute discovery call. No obligation, no scare tactics, no high-pressure sales pitch.