Insightsverifying-what-matters

Verifying what matters: why assurance beats assumption

By Mollis Group6 min read
AssuranceCyberGovernance

The gap nobody owns

In every organisation we walk into, there is a gap. It sits between the policies leadership signed off, the controls the engineers deployed, and the reality of how systems actually behave in the field.

Nobody is paid to own that gap. Auditors check the paperwork. Engineers check their own code. Vendors check what they sold you. The space in between — the integration, the assumptions, the drift — belongs to no one.

That is where incidents happen.

Assumption is not a control

We often hear the phrase "we assume that's covered." It's the most expensive sentence in security. Assumptions are not controls. They are unverified beliefs about the behaviour of systems and people, dressed up in the language of certainty.

Independent assurance is the opposite: evidence over belief. It is the discipline of asking, without prejudice, whether the thing you think is true is actually true.

If a control has never been tested end-to-end, it is a hypothesis, not a defence.

What good assurance looks like

Good assurance is not another audit. It is not a compliance checklist. It is a structured, adversarial, evidence-first examination of the systems and behaviours that matter most to your business.

  • Scope is set by risk, not by convenience. We start with what would hurt most if it failed.
  • Evidence is observed, not asserted. We watch the system behave, we don't take a screenshot of the policy.
  • Findings are actionable. Every finding maps to a decision an owner can make on Monday morning.

Where to start

If you're building an assurance function from scratch, three questions cut through most of the noise:

  1. What are the five decisions that would hurt us most to get wrong?
  2. For each one, what evidence do we currently rely on?
  3. Who verified that evidence, and when?

If you can't answer the third question with a name and a recent date, you're relying on assumption. That's the gap. That's where we start.


Mollis provides independent assurance across cyber security, critical communications and secure environments. If you want to close the gap between policy and reality, we should talk.

Next step

Verify what matters, before it's tested.

Book a 30-minute conversation with Mollis. No pitch. We'll help you name the assumptions worth verifying first.