
During my early years in the information security domain, one of the first problems I faced was estimating the effort of any activity. Sometimes the estimation is harder because the work involves other departments as well, for example the server team or the network team.
Here is a basic framework that I use and have trained my team on. In another post, I will share the detailed Excel sheet and walk through an estimation.
In this first post of the series, we cover estimation for a generic security assessment. To estimate the effort of a security assessment, consider the following steps:
- Define the scope: List exactly what will be tested (systems, applications, network ranges, APIs), with counts; the number and type of assets is the primary driver of effort.
- Assess resources: Identify the resources required, such as personnel (how many testers, with which skills), test equipment, and tools and licences.
- Evaluate complexity: Consider the complexity of each asset (number of user roles, authenticated surface, integrations, legacy technology) and the potential risk to the organization; higher complexity or higher risk means more test cases and more effort.
- Use industry standards: Use industry standards and methodologies to fix what "tested" means, such as the NIST Cybersecurity Framework for control coverage or, for web applications, the OWASP Top 10 together with the OWASP Web Security Testing Guide. The Top 10 is an awareness list; the testing guide supplies the test cases you can actually count.
- Review past assessments: Review previous security assessments to identify recurring issues and areas of improvement; known recurring findings need retest time, and previous actuals are the best calibration data for the new estimate.
- Consider time constraints: Consider any time constraints or deadlines, such as an upcoming audit or regulatory deadline; if the effort does not fit the calendar, either add testers or reduce the scope.
- Develop a budget: Estimate the budget required for the assessment, including personnel, equipment, and tool costs.
- Review and adjust: Regularly review and adjust the assessment plan based on actual results and experience, and record estimate versus actual so the next estimate is better.
Always keep some contingency (roughly 5 to 10%, depending on the information available at estimation time: the less you know about the target, the more buffer you keep) to plan better.
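The steps above rolled into a small effort model, as an added illustrative example (this is not the author's spreadsheet, which is deferred to a later post). Every number in it is an assumption: the per-asset base days, the complexity multipliers, the retest cost per recurring finding, the reporting fraction and the contingency rates are placeholders to be replaced with your own calibration data from past assessments, and the sample scope is constructed.

```python
import math
from dataclasses import dataclass

# Hypothetical base effort in person-days per unit, by asset type.
# Illustrative constants, not the author's figures.
BASE_DAYS = {
    "web_app": 5.0,      # per application
    "api": 3.0,          # per API
    "mobile_app": 6.0,   # per app, one platform
    "host": 0.5,         # per host in a network range
}

# Complexity drivers (roles, integrations, legacy stack) scale the base effort.
COMPLEXITY_MULTIPLIER = {"low": 1.0, "medium": 1.5, "high": 2.0}

# Contingency tied to how much information was available when estimating:
# the less you know about the target, the more buffer you keep.
CONTINGENCY = {"complete": 0.05, "partial": 0.075, "minimal": 0.10}

# Assumed retest cost for each finding carried over from a past assessment.
RETEST_DAYS_PER_RECURRING_ISSUE = 0.25


@dataclass
class ScopeItem:
    name: str
    kind: str                    # key of BASE_DAYS
    complexity: str = "medium"   # key of COMPLEXITY_MULTIPLIER
    count: int = 1               # number of units, e.g. hosts in a range
    recurring_issues: int = 0    # findings from past assessments to re-verify


@dataclass
class Estimate:
    testing_days: float
    reporting_days: float
    contingency_days: float
    total_days: float
    cost: float
    calendar_weeks: float
    testers_needed: int          # testers required to hit the deadline; 0 if no deadline
    meets_deadline: bool


def item_days(item: ScopeItem) -> float:
    """Effort for one scope item: base x count x complexity, plus retest of known issues."""
    if item.kind not in BASE_DAYS:
        raise ValueError(f"unknown asset kind: {item.kind}")
    if item.complexity not in COMPLEXITY_MULTIPLIER:
        raise ValueError(f"unknown complexity: {item.complexity}")
    days = BASE_DAYS[item.kind] * item.count * COMPLEXITY_MULTIPLIER[item.complexity]
    days += RETEST_DAYS_PER_RECURRING_ISSUE * item.recurring_issues
    return days


def estimate(scope, information_level, testers, day_rate,
             reporting_fraction=0.2, tool_cost=0.0, deadline_weeks=None) -> Estimate:
    """Roll a scope list up into effort, cost and schedule, with contingency on top."""
    if information_level not in CONTINGENCY:
        raise ValueError(f"unknown information level: {information_level}")
    if testers < 1:
        raise ValueError("need at least one tester")
    testing = sum(item_days(i) for i in scope)
    reporting = testing * reporting_fraction        # write-up scales with test effort
    subtotal = testing + reporting
    contingency = subtotal * CONTINGENCY[information_level]
    total = round(subtotal + contingency, 2)
    cost = round(total * day_rate + tool_cost, 2)
    weeks = round(total / (testers * 5), 2)         # 5 working days per week
    if deadline_weeks is None:
        needed, ok = 0, True
    else:
        needed = math.ceil(total / (deadline_weeks * 5))
        ok = weeks <= deadline_weeks
    return Estimate(testing, reporting, round(contingency, 2), total, cost, weeks, needed, ok)


# Constructed sample scope: one complex web app, one API with two known
# recurring findings, and a 40-host DMZ range.
SAMPLE_SCOPE = [
    ScopeItem("customer portal", "web_app", complexity="high"),
    ScopeItem("partner API", "api", complexity="medium", recurring_issues=2),
    ScopeItem("DMZ range", "host", complexity="low", count=40),
]


def sample_estimate() -> Estimate:
    """Two testers, partial information, four-week deadline: the schedule does not fit."""
    return estimate(SAMPLE_SCOPE, "partial", testers=2, day_rate=1000.0,
                    tool_cost=2000.0, deadline_weeks=4)


if __name__ == "__main__":
    e = sample_estimate()
    print(e)
    if not e.meets_deadline:
        print(f"Deadline needs {e.testers_needed} testers or a reduced scope")
```

With the sample scope the model yields 35 testing days, 7 reporting days and about 3.15 days of contingency, 45.15 days in total; two testers need roughly 4.5 weeks, so the four-week deadline fails and the model reports that three testers would fit it. The point of keeping the constants in one place is that after each engagement you compare actuals against the estimate and adjust them, which is the "review and adjust" step in practice.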