The Consulting-Grade IAM Maturity Assessment

$199.00
A focused course, tailored for you

Build IAM assessments that survive client scrutiny and close to a signed Phase 2 engagement.

You can map controls. You can list gaps. The harder skill is turning those findings into a deliverable the client CISO reads, trusts, and signs a follow-on engagement to fix.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Cybersecurity IAM consultants at advisory firms run current-state assessments that technically cover the right ground: IGA coverage, PAM scope, directory services posture, MFA adoption. The problem is the deliverable that follows. Risk ratings that lack framework backing. Roadmap priorities that conflict with each other. Findings that the client security team disputes in the review meeting because they are not sourced to NIST 800-53, CIS Controls, or the client's own compliance obligations. The assessment report goes into a drawer. Phase 2 never gets scoped. The methodology here teaches the craft of the deliverable itself: how consultants structure current-state findings so they survive stakeholder challenge, score risk in a way clients accept, and sequence the roadmap so the first phase delivers a credible win.

What you walk away with

  • Conduct a structured IAM current-state assessment that maps identity governance, PAM, directory services, and authentication against NIST 800-53 AC and IA control families.
  • Score IAM control gaps using a risk rubric that stands up to client challenge and CISO scrutiny.
  • Build an IAM roadmap deliverable with phased priorities, effort estimates, and compliance impact mapped to the client's regulatory posture.
  • Present findings in a format that moves clients from assessment to Phase 2 scope without rework.
  • Build a reusable assessment template across IGA, PAM, and directory domains that applies across different client environments.

The 12 modules

Module 1. Scoping the IAM Assessment Engagement
Most IAM assessment overruns happen at scope. This module covers how to define the assessment boundary with the client: which identity domains are in scope (IGA, PAM, directory, federation, MFA), what the client's compliance obligations are (SOX, SOC 2, ISO 27001, NIST CSF), and how to establish the maturity framework that will anchor every finding. You leave with a scoping worksheet that prevents scope creep and misaligned expectations from week one of the engagement.
Module 2. Identity Inventory: Building the Current-State Map
A credible assessment starts with a complete identity inventory. This module walks through how to extract user population data, application entitlement lists, service account registers, and privileged account records from client environments. Covers the data collection artefacts clients can actually provide (AD exports, IGA reports, PAM vault exports), how to handle gaps, and how to normalize disparate sources into a single current-state map that every subsequent finding cites as its evidence base.
Module 3. Mapping to NIST 800-53 AC and IA Control Families
The NIST 800-53 AC (Access Control) and IA (Identification and Authentication) control families are the most common framework reference in enterprise IAM assessments. This module covers how to map observed IGA, PAM, and directory configurations to specific controls, what evidence each control requires, which controls clients routinely under-implement, and how to document the mapping in a way that survives an auditor review. Includes a pre-built control mapping spreadsheet template.
Module 4. Identity Governance Assessment: IGA Platform Analysis
Enterprise IGA platforms each implement provisioning, certification, and separation-of-duties controls differently. This module covers how to assess IGA maturity independent of the specific platform: what provisioning completeness looks like, where access certification gaps appear, how SOD rulesets map to business processes, and what a consulting-grade IGA gap analysis includes that a vendor-led review typically misses. The output is a gap table tied to control references the client can act on.
Module 5. Privileged Access Audit Methodology
PAM assessments require more than confirming that a vault is deployed. This module covers the audit methodology: privileged account discovery completeness, vault coverage gaps, session recording policy, credential rotation cadence, emergency access procedures, and how PAM controls map to NIST 800-53 AC-17 and AC-6 least-privilege requirements. Includes a PAM audit checklist and the finding format that gets client approval without being disputed at the review session.
Module 6. Directory Services and Federation Assessment
Active Directory, Azure AD, and federation services form the identity fabric most enterprise IAM assessments are built on. This module covers how to assess directory posture: privileged group membership sprawl, stale account populations, Kerberos delegation misconfigurations, federation trust configurations, conditional access policy coverage, and MFA adoption rates across user populations. Documents the specific directory indicators that correlate with breach exposure and that client security leads recognise immediately.
Module 7. Risk Scoring: Building a Rubric Clients Accept
Risk ratings without a sourced rubric are the most common point of client pushback in IAM assessment reviews. This module covers how to build a scoring model clients accept: severity categories tied to control failure impact (confidentiality, integrity, availability), likelihood scoring that references threat actor behaviour, risk multiplication that accounts for compensating control presence, and the final risk matrix format that the client CISO can sign off on without renegotiating every individual rating.
Module 8. Compliance Posture Mapping: SOX, SOC 2, and ISO 27001
Most enterprise IAM assessment clients have compliance obligations that shape which gaps matter most. This module covers how to map IAM control gaps to SOX IT General Controls (access provisioning, privileged access, access reviews), SOC 2 CC6 logical access criteria, and ISO 27001 Annex A access control requirements. Shows how compliance posture mapping changes roadmap sequencing and gives the client a direct line from IAM findings to their next audit cycle.
Module 9. The IAM Roadmap Deliverable Format
The gap analysis is not the deliverable the client acts on. The roadmap is. This module covers the structure of an IAM roadmap that drives client decisions: how to group findings into workstreams (IGA remediation, PAM expansion, directory hygiene, authentication uplift), how to sequence initiatives by compliance urgency and effort, how to write milestone descriptions that a client steering committee can track, and how to format the roadmap so it functions as the Statement of Work for Phase 2.
Module 10. Prioritization: Quick Wins vs Strategic Initiatives
Clients want to know what to fix first. This module covers the prioritization framework used in professional IAM advisory engagements: how to identify low-effort, high-visibility quick wins that build client confidence in the consulting team, how to sequence strategic initiatives that require budget and organizational change, how to handle conflicting priorities between security posture improvement and compliance deadline pressure, and how to document the prioritization rationale so it holds up in steering committee review.
Module 11. Presenting Findings: From Report to CISO Buy-In
IAM findings documents and CISO presentations require different structures. This module covers how to adapt the assessment report for executive presentation: what belongs in the executive summary vs the technical appendix, how to frame risk in business impact language rather than control language, how to handle the CISO's challenge of individual findings during the review session, and how to close the presentation with a recommended Phase 2 scope the client can approve in the meeting.
Module 12. Building to Phase 2: Sustaining the Engagement
The assessment ends. The engagement does not have to. This module covers how to structure the Phase 2 scope document from within the assessment deliverable: how to frame remediation effort estimates the client can budget, how to position the consulting team as the implementation partner for the highest-priority initiatives, how to write the Phase 2 proposal narrative that references the assessment findings, and how to maintain client momentum between the assessment report and the Phase 2 kick-off.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

  • Engagement manager flags that IAM findings lack framework references before client delivery.
  • Client security team disputes risk ratings in the review session, asking for sourced justification.
  • Assessment report is delivered but client does not progress to Phase 2 scoping.
  • Associate asked to lead the IAM maturity workstream without a proven deliverable structure to follow.

What you get with this course

  • 12 text-based modules in the Art of Service learning environment, covering the full IAM assessment lifecycle from scope definition to Phase 2 handoff.
  • Downloadable templates: IAM current-state worksheet, NIST 800-53 AC and IA control mapping spreadsheet, PAM audit checklist, risk scoring rubric, roadmap prioritization matrix.
  • Worked examples for each assessment domain: identity governance, PAM, directory services, federation, and compliance posture mapping.
  • The hand-built implementation playbook delivered alongside course access: a ready-to-use assessment methodology document formatted for consulting engagement delivery.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Before and after

Before

IAM gap analyses get disputed in client review sessions. Roadmaps lack the structure clients need to approve Phase 2. Risk ratings feel subjective without a defensible framework reference.

After

Current-state findings are mapped to NIST 800-53 with specific control references. Risk ratings are scored on a rubric the client CISO accepts. The roadmap is formatted so the final meeting closes to a signed Phase 2 scope.

What happens if you do not address this

IAM assessments that fail at the deliverable stage do not convert to follow-on work. The technical skill in the room is the same. The difference is the consulting methodology: how findings are structured, how risk is scored, and how the roadmap is formatted. Without that methodology, technically strong work stays in a drawer.

Who it is for

Cybersecurity IAM consultants at advisory firms, typically Associate to Senior Associate level, who run client-facing identity assessments across IGA, PAM, directory services, and authentication. They know how to configure IAM tools and understand IAM architecture. The gap they are building is the consulting craft: structured deliverables, framework-backed findings, and roadmaps that close into signed engagements.

Who this is NOT for. IAM engineers doing in-house implementations with no client deliverable requirement. Security architects designing reference architectures. Anyone whose primary output is configuration, not assessment and recommendation.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. 12 modules, each designed to be completed in a single sitting. Most learners complete the full course in three to four focused sessions. Templates and the implementation playbook are immediately usable in active engagements.

Why $199 is the right number

Internal methodology training at advisory firms covers firm-specific frameworks but rarely teaches the underlying assessment craft. Vendor certifications teach tool operation, not consulting deliverable structure. Conference content covers architecture trends. This course covers the gap between knowing IAM and delivering IAM assessments that clients trust and act on.

FAQ

Does this course cover specific IAM tools like SailPoint, CyberArk, or Okta?
The assessment methodology is tool-agnostic: the control mapping, risk scoring, and deliverable formats apply regardless of which platform the client uses. Modules on IGA and PAM reference common platforms as examples to illustrate platform-independent assessment patterns.
Is this relevant for associates earlier in their consulting career?
Yes. The methodology is designed for associates who are building their assessment craft. The templates and rubrics are ready to use from the first engagement after completing the course. More senior consultants use it to standardize approach across the team.
What compliance frameworks does the course cover?
NIST 800-53 AC and IA control families are the primary reference framework throughout. The compliance posture mapping module covers SOX IT General Controls, SOC 2 CC6 logical access criteria, and ISO 27001 Annex A. The risk scoring rubric is designed to accommodate any framework-based assessment requirement.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
