Service

Security & Compliance Health Check

Find out where you stand — across cloud, identity, policy, and PDPA — in two weeks.


The problem

Most Tanzanian SMEs know they should be doing more on cybersecurity — but don't know where to start, what's urgent, or how much of it they're already doing right. A narrow point-in-time scan tells you about one area while leaving the rest unexamined. Without a broad baseline assessment, security spending tends to go to the most visible problem rather than the most serious one. The Health Check gives you the full picture, then prioritises it — so your first investment goes to the right place.

Our methodology

  • Cloud security review — Microsoft 365 or Google Workspace configuration audit against CIS Foundations Benchmarks (conditional access, MFA, sharing settings, email security, admin roles)
  • Identity and access review — who has access to what, privileged account inventory, MFA coverage, stale accounts and offboarding gaps
  • Policy and governance baseline — do you have an Information Security Policy? Acceptable Use Policy? Incident response plan? We assess what exists and what is missing
  • Tanzania PDPA gap review — do you know what personal data you hold, where it lives, who can access it, and whether you have the documentation the law requires?
  • Endpoint and network basics — are devices managed? Is patch management happening? Are staff on personal devices?
  • Prioritised findings consolidated into a 90-day roadmap — quick wins (this week), short-term actions (next 30 days), and medium-term programme (60–90 days)

What you will receive

  • Health Check executive summary — a plain-language overview suitable for a non-technical board or owner
  • Detailed findings report across all five assessment areas
  • Prioritised 90-day remediation roadmap with effort estimates and recommended next steps
  • Quick wins checklist — things you can act on immediately at low or no cost
  • Recommended services roadmap — which Hawrat Cyber services, if any, address your highest-priority gaps

Estimated timeline

2–3 weeks. Includes a kickoff call, asynchronous evidence collection, and a findings presentation call.

Start Here

If you are not sure which security service you need, start with the Health Check.

Most businesses that come to us are in one of two situations: they have experienced a security incident and need to understand the full extent of their exposure, or they know they are behind on security but have not taken a structured look at where they stand. In both cases, the right first step is the same — understand the full picture before spending on remediation.

What We Assess

Cloud and identity — The majority of a modern SME’s critical data lives in Microsoft 365 or Google Workspace. We assess both the configuration of those environments (against CIS Foundations Benchmarks) and the identity controls that govern access — MFA enforcement, privileged accounts, conditional access policies, offboarding processes.

Policy and governance — Do you have the foundational documents your business needs? An Information Security Policy that staff have read. An Acceptable Use Policy that covers personal devices and cloud tools. An incident response plan that isn’t a blank page. We assess what exists, what is adequate, and what is missing.

Tanzania PDPA compliance gap — We assess your posture against the Personal Data Protection Act (2022): do you know what personal data you hold, where it is stored, who can access it, how long you keep it, and what would happen if you had a breach? This is not a full PDPA audit — it is a gap review that tells you whether you are materially exposed and what the priority actions are.

Endpoint and network basics — Are staff devices managed? Is Windows patching happening? Are there unmanaged personal devices connecting to business data? Are network boundaries defined? We look at the basics that are often overlooked.

What You Get at the End

The deliverable is not a list of problems — it is a decision-making tool. The 90-day roadmap tells you:

  • What to do this week that costs nothing (quick wins: enabling MFA for admins, blocking legacy authentication, fixing an open sharing setting)
  • What to address in the next 30 days (short-term actions: policies that need drafting, access reviews that need doing)
  • What to plan for 60–90 days out (programme-level work: PDPA documentation, vulnerability management, staff training)

Each action comes with an effort estimate and, where relevant, a recommendation for whether to handle it internally or engage Hawrat Cyber.

Frequently asked questions

Is this the right service to start with if I don't know what I need?

Yes — this is exactly what it is designed for. Many clients come to us knowing they have security gaps but uncertain about the priority or nature of those gaps. The Health Check gives you an honest baseline across the areas that matter most for a Tanzanian SME, then tells you what to fix first. It avoids the trap of spending on a narrow service while a more serious gap goes unaddressed.

How is this different from the Cloud Security Posture Assessment?

The Cloud Security Posture Assessment is a deep-dive into a single environment — your Microsoft 365 or Azure tenant — assessed in detail against CIS Benchmarks. It is the right service if your primary concern is cloud configuration and you want comprehensive findings in that area. The Health Check is broader and shallower: it covers cloud alongside identity, policy, PDPA, and endpoint basics, and delivers a cross-domain picture. Many clients start with the Health Check and then commission the Cloud Security Posture Assessment to address the cloud gaps it surfaces.

What access do you need from us?

For the cloud review, we need read-only access to your Microsoft 365 admin centre or Google Admin console — we will provide instructions on how to grant this safely. For the other assessment areas, we work primarily through structured interviews and a documentation request list. We do not require access to production systems or sensitive data.

Does the Health Check replace a full security assessment?

No. It is a starting point, not an exhaustive audit. It is designed to give you a clear picture of your most material gaps and a sensible roadmap for addressing them — not to produce a certification-ready evidence base. If your goal is ISO 27001 certification, PCI-DSS compliance, or a detailed BoT audit response, you will need the deeper engagement. The Health Check will tell you whether you are ready to start those programmes or whether you need to address foundational gaps first.

Can you just fix what you find, rather than producing a report?

Yes. Several clients commission the Health Check as the discovery phase of a broader engagement. If you want us to find the gaps and then fix them, we scope a follow-on engagement after the Health Check findings call. The roadmap we deliver makes that follow-on scope straightforward.

Ready to get started?

All engagements begin with a free 30-minute discovery call. No commitment, no jargon — just an honest conversation about your situation.