01 / Who this is for

When the box doesn't fit, we build the box.

A Custom Assessment is for businesses whose compliance need is real and specific but doesn't map cleanly onto one of our standard frameworks. The work is the same as any Complyn assessment: scoping, discovery, assessment, findings, roadmap. What changes is that we define the measuring stick with you instead of pulling a single framework off the shelf.

A good fit if
  • A contract or customer requires you to assess against a specific list of controls or a named subset of a framework
  • Your situation calls for a blend of frameworks rather than any single one
  • You have PCI-adjacent concerns: you touch cardholder data or payment processes without being a full PCI program
  • A niche regulatory driver or industry requirement applies that our standard offerings don't cover
  • You need a scoped, one-off assessment of a particular system, process, or business unit

Look elsewhere if
  • You want a general security baseline with no specific driver (Complyn Core is built for exactly that)
  • Your need maps cleanly to HIPAA, FTC Safeguards, or NIST CSF (a standard assessment will be faster and more affordable)
  • You need full PCI DSS certification with a Qualified Security Assessor and a formal Report on Compliance (that requires a licensed QSA)
  • You want ongoing support rather than a scoped engagement (our Advisory retainer is the better fit)

02 / How we scope it

Defined together. Written down.

A custom engagement only works if both sides agree on exactly what's being assessed before any work starts. We get there with a short, deliberate scoping process, and nothing is left open-ended.

  1. Discovery call

     A free thirty-minute call to understand what's driving this: the contract, the framework blend, the regulatory requirement, the specific system or process. We ask the questions that surface what actually needs to be assessed and what success looks like for you.

  2. Collaborative scope definition

     We propose a specific scope: which controls, standards, or requirements we'll assess against, which systems and people are in scope, and what we'll deliver. We refine it together until it matches your situation exactly. No generic template, no assessing things that don't matter to your driver.

  3. Engagement letter

     The agreed scope, deliverables, timeline, and a fixed price are documented in a written engagement letter. Pricing is quoted here, after discovery, once we know what the work actually involves. No work starts until you sign and return it. What's in and what's out is in writing.

  4. Assessment, findings, and roadmap

     From there, the engagement runs like any Complyn assessment: discovery of documents and short interviews, control-by-control assessment against the agreed scope, a written findings report ranked by risk, and a roadmap conversation to walk through it. Independent throughout. Nothing to sell you afterward.

03 / What you receive

A real report. A real conversation.

However the scope is defined, the deliverables follow the same dependable shape as every Complyn assessment. You always know what you're getting.

01

Written findings report

A complete written assessment against the agreed custom scope, organized by area and scored consistently. Each finding includes what we observed, why it matters, the relevant requirement, and a specific recommendation. Yours to share with the customer, regulator, insurer, or partner driving the requirement.

02

Risk-ranked roadmap

Findings ranked by risk, with realistic time and effort estimates. What to do now, what can wait, and what's optional, built around your actual business and the requirement you're working to satisfy, not a generic checklist.

03

Roadmap conversation

Once you've read the report, we sit down to walk through the findings, answer questions, and align on next steps. You leave knowing exactly what to do, in what order, and why it matters for your specific driver.

04

Follow-up support

For thirty days after the roadmap conversation, you can reach us by email or through the Complyn Client Portal with follow-up questions at no charge. We want the engagement to land, even when the scope was one of a kind.

04 / Built to last

Your engagement doesn't end when the report is delivered.

Most compliance work disappears into an inbox. We do it differently. Every Complyn client gets access to the Complyn Client Portal, a dedicated space where your reports, files, and conversations stay organized and accessible for up to three years after the engagement ends.

Three years of access, no extra fee. The platform exists to make compliance something you can return to, not something you have to rebuild every time.

What you get

  • A direct messaging channel to your Complyn team
  • Every report and deliverable we've produced for you, easily accessible and downloadable for three years
  • Our library of compliance framework documentation and implementation guides
  • A secure file exchange for documents that shouldn't move by email
  • Billing history and invoice access in one place
  • Works on any device, anywhere

05 / Common questions

Things people ask about Custom Assessment.

How do I know if I need a Custom Assessment instead of a standard one?

If you can point to a specific driver that a single named framework doesn't cleanly cover, a Custom Assessment is probably the right call. Common examples: a contract clause that lists particular controls, a customer or partner that wants assurance against a blend of standards, PCI-adjacent concerns when you don't take cards directly but touch the data, or a niche regulatory requirement. If you're not sure, the discovery call sorts it out. Often we'll find a standard framework fits after all, and we'll tell you so rather than sell you a custom engagement you don't need.

How is the scope decided?

Collaboratively, in discovery, and then in writing. We start with a free discovery call to understand the driver, the systems and data involved, and what success looks like for you. From there we propose a specific scope, including which controls or standards we'll assess against and what we'll deliver. Nothing is open-ended. The agreed scope is documented in the engagement letter before any work begins, so there are no surprises about what's in and what's out.

Can you blend more than one framework?

Yes, and that's one of the most common reasons businesses come to us for a Custom Assessment. Maybe a customer contract references both NIST CSF and a specific subset of HIPAA, or you need to satisfy an insurer's controls list that borrows from several standards. We map the requirements into a single coherent assessment so you get one report and one roadmap, not three overlapping ones.

Is a Custom Assessment still independent and fee-only?

Always. Custom scope doesn't change how we work. We don't sell security tools, we don't take vendor commissions, and we don't double as a managed service provider. The findings reflect your actual risk and the requirement driving the engagement, not anything we'd profit from recommending. Independence is the whole product, on every engagement we run.

How much does a Custom Assessment cost?

Because the scope is defined collaboratively, pricing is quoted after the discovery call rather than listed in advance. Once we understand the driver, the systems in scope, and what you need to deliver, we provide a written scope and a fixed price in the engagement letter. No hidden fees, no commissions, no scope creep without your approval. Schedule an assessment to start the conversation.

Have a requirement that doesn't fit the mold?

Tell us what's prompting this and what you're working to satisfy. We'll review your request, define a scope together, and set up a free thirty-minute discovery call. No obligation, no scare tactics, no high-pressure sales pitch.