The 90-day NESA problem
Most NESA conversations start with an audit notice and a calendar that no longer has slack in it. The internal team has 90 days to close gaps that built up over years. The right question is not "how do we comply" — it is "what is the smallest amount of work that gets us to a defensible posture in time."
Phase 1 — Weeks 1 to 2: gap assessment, no theatre
Map your current controls to the IAS framework honestly. Score every domain red, amber or green. Resist the temptation to colour-grade yourself green where you are amber. The auditor will not.
Output of this phase: a one-page gap heatmap, a prioritised remediation list with effort estimates, and a named owner for each control.
Phase 2 — Weeks 3 to 8: close the structural gaps
Three areas almost always need work in a first NESA cycle. They are the ones we recommend tackling first because they take time and cannot be faked: asset and vendor inventories, privileged access controls, and tested business continuity plans.
Asset inventory: an actual inventory, not the spreadsheet from 2022. Vendors with access to your environment count. Privileged access: vault the credentials, enable session recording, restrict standing access. Business continuity: a tabletop exercise with the actual incident response team, not a plan in SharePoint that no-one has opened.
Phase 3 — Weeks 9 to 11: control evidence and documentation
The auditor will spend most of their time asking for evidence. Pre-build the evidence packs — control narratives, configuration screenshots, log samples, exception registers. Run a mock audit internally before the real one. The mock audit will find at least three things you missed.
Phase 4 — Week 12: rehearsal and audit
The final week is rehearsal. The team that will sit in the audit room should know the control narratives without reading from notes. Auditors respect confidence and specificity. They mark down ambiguity.
What to defer
Aspirational controls — automation, advanced threat hunting, fully integrated GRC platforms — do not move the needle in a 90-day window. They are the right work for the next cycle, not this one. Defer them.
The version of this story where you are not panicking starts twelve months earlier. If that is your timeline, that is a different article. If you have 90 days, focus on the structural three and stop.