Last updated: July 2026

HKMA C-RAF Compliance Consulting

Looking for an HKMA C-RAF Compliance Consulting Company in Hong Kong? Pass the Assessment Without a Year-Long Project.

We are an HKMA C-RAF compliance consulting company for Hong Kong Authorized Institutions. The Inherent Risk Assessment and Maturity gap assessment land in about 2 weeks, remediation runs in phases your team can actually absorb, and we coordinate and run iCAST ourselves where your institution is designated higher-risk - no separate vendor to manage.

Every engagement is led personally by a former Microsoft Security Consulting team member. Fixed-price proposal within 48 hours. You review the gap assessment report before you pay.

Gap assessment in about 2 weeks Fixed-price proposal in 48 hours Pay after you review the report 234 assessments, 14 countries
HKMA C-RAF compliance consulting company helping Hong Kong Authorized Institutions demonstrate cyber resilience

What Does an HKMA C-RAF Compliance Consulting Company Do?

An HKMA C-RAF compliance consulting company prepares your Authorized Institution to complete the Cyber Resilience Assessment Framework the Hong Kong Monetary Authority issues under its Cybersecurity Fortification Initiative (CFI 2.0). That means running the Inherent Risk Assessment, closing gaps against the Maturity Assessment your risk profile requires, and coordinating iCAST testing where your institution is designated higher-risk.

C-RAF is a supervisory requirement, not a pass or fail certificate - there is no C-RAF certification to hang on the wall. The goal is demonstrable cyber resilience: evidence and controls strong enough to satisfy the HKMA, reassure your board, and hold up under supervisory review. ISO 27001 makes a useful shared control base, since much of the underlying control work overlaps. That is exactly what this engagement is built to produce.

What Is HKMA C-RAF, and Who Must Comply

C-RAF is the Cyber Resilience Assessment Framework, issued by the Hong Kong Monetary Authority under CFI 2.0. It applies to Authorized Institutions - banks and other licensed financial institutions supervised by the HKMA - and gives them a structured way to assess and demonstrate cyber resilience.

C-RAF is a supervisory framework rather than a pass or fail certification. The objective is to demonstrate cyber resilience to the HKMA, and ISO 27001 alignment provides a useful shared control base for institutions that also hold or are pursuing that certification.

Licensed banks authorized by the HKMA under the Banking Ordinance
Restricted licence banks and deposit-taking companies
Virtual banks operating under an HKMA banking licence
Higher-risk Authorized Institutions designated for iCAST under CFI 2.0
Banking groups whose technology risk is supervised by the HKMA
Institutions preparing for HKMA supervisory review or board assurance on cyber resilience

The Three Components of C-RAF

We assess and remediate all three components, including coordinating iCAST for institutions the HKMA designates as higher-risk.

Inherent Risk Assessment

Component 1

A structured assessment of your institution's inherent technology and cyber risk, covering factors such as connection types, delivery channels, technologies in use, and the products and services offered. This sets the baseline that determines how much maturity and testing HKMA expects from you.

Maturity Assessment

Component 2

A detailed assessment of your cyber resilience maturity across control domains, benchmarked against the maturity level your inherent risk profile requires. This is where most of the gap-finding and remediation work happens.

iCAST

Component 3, higher-risk institutions

Intelligence-led Cyber Attack Simulation Testing. A red-team style exercise that simulates real adversary tactics against your institution, required for institutions HKMA designates as higher-risk under the inherent risk assessment.

Our HKMA C-RAF Compliance Consulting Process

Five stages from first call to HKMA readiness. The difference from most C-RAF consultants is stage three: we implement the controls with you, in phases, instead of handing back a checklist.

1

Scoping and Inherent Risk Assessment

We assess your connection types, delivery channels, technologies, and products and services to determine your inherent risk profile, the same starting point HKMA expects under C-RAF.

2

Maturity gap assessment (about 2 weeks)

We test your current environment against the maturity level your inherent risk profile requires and hand you a prioritized gap report across every applicable control domain.

3

Phased remediation

We implement the missing controls with your team, phase by phase, rather than handing you a document and disappearing - closing the gap between your current and required maturity level.

4

iCAST coordination

For institutions HKMA designates as higher-risk, C-RAF requires intelligence-led Cyber Attack Simulation Testing. We run this testing ourselves as part of the engagement rather than outsourcing it to a separate firm you have to manage.

5

Board reporting and HKMA readiness

We prepare the board assurance pack and get your institution ready to demonstrate cyber resilience to the HKMA, without a year-long project or a scramble before your next supervisory review.

HKMA C-RAF Readiness Timeline

A realistic timeline for a Hong Kong Authorized Institution starting from a first engagement. Actual remediation length depends on your starting maturity and how many gaps the assessment finds.

PhaseTimingOutcome
Scoping and Inherent Risk AssessmentWeek 1Defined risk profile and the maturity level HKMA expects from your institution
Maturity gap assessmentWeeks 1-2Prioritized gap report against the required maturity level
Phased remediationWeeks 2-10 (scope-dependent)Controls implemented with your team, phase by phase
iCAST coordinationScheduled where applicableIntelligence-led testing coordinated and run for higher-risk institutions
Board reporting and HKMA readinessFinal weeksBoard assurance pack delivered, ready for HKMA supervisory discussion

How Much Does HKMA C-RAF Compliance Cost?

We publish our starting price rather than making you sit through a sales call to find out. Fixed-price proposals within 48 hours of your strategy call. No hourly billing, no surprises.

C-RAF Gap Assessment

Inherent Risk Assessment plus Maturity Assessment gap analysis, delivered in about 2 weeks.

From $3,000per engagement
  • Inherent Risk Assessment
  • Maturity Assessment gap analysis
  • iCAST applicability review
  • Prioritized remediation roadmap
  • Board-ready summary
Book Free Strategy Call

Zero-risk: you review the report before you pay.

Most Popular

Full Readiness + Phased Remediation

End to end: from gap assessment to HKMA supervisory readiness.

Custom quotefixed price
  • Everything in the Gap Assessment
  • Hands-on, phased control implementation
  • iCAST coordination for higher-risk institutions
  • Board assurance reporting pack
  • Support through HKMA supervisory review
Book Free Strategy Call

Zero-risk: you review the report before you pay.

Why Choose Atlant Over Other C-RAF Consultants

Most HKMA C-RAF consultants sell you a document and a monthly retainer. Here is how we are different.

Atlant SecurityTypical C-RAF Consultant
Who does the workA former Microsoft security consultant, personallyJunior or offshore staff you never meet
Time to gap assessmentAbout 2 weeksMonths of scoping calls before you see a finding
PricingFixed-price proposal within 48 hours - you review the report before you payOpen-ended hourly billing
Control implementationHands-on - we implement with your teamA checklist and advice, then you are on your own
iCAST testingWe run it ourselves, coordinated within the same engagementOutsourced to a third party you must coordinate separately
Vendor neutrality100% independent - zero software commissionsOften recommends the GRC or security tool they resell
Every engagement is led personally by a former Microsoft Security Consulting team member - never delegated to junior staff
234 security assessments delivered across 14 countries since 2013
Inherent risk and maturity gap assessment delivered in about 2 weeks, not months of scoping calls
Fixed-price proposals within 48 hours - you review the report before you pay
100% vendor-neutral - we take zero commissions from any software vendor
Hands-on control implementation, not a checklist handed back to you
We run the iCAST intelligence-led testing ourselves
ISO 27001 alignment used as a shared control base to cut duplicate remediation effort
Alexander Sverdlov - Founder of Atlant Security and lead HKMA C-RAF compliance consultant

Every HKMA C-RAF Engagement Is Led by Alexander Sverdlov

Former Microsoft Security Consulting team member. CISSP certified. Alexander has personally led 234 security assessments across 14 countries since 2013. At Atlant Security, the senior consultant who scopes your C-RAF engagement is the same person who runs the iCAST testing and implements the controls with your team - never handed to junior staff.

Connect on LinkedIn

Pursuing C-RAF and ISO 27001 Together?

ISO 27001 makes a useful shared control base for C-RAF, since much of the underlying control work overlaps. If your institution holds or is pursuing ISO 27001, we map both frameworks in one engagement to cut duplicate remediation effort.

Learn about ISO 27001 Readiness

Stop Guessing at HKMA Scrutiny. Get Demonstrably Resilient.

Book a free 30-minute strategy call with Alexander. We will discuss your institution, timeline, and exactly what it takes to satisfy the HKMA and your board without a year-long project. Fixed-price proposal within 48 hours.

Zero-risk: you review the report before you pay.

Schedule Your Free HKMA C-RAF Strategy Call

Need a Broader IT Security Audit Alongside C-RAF?

Many institutions pair the HKMA C-RAF engagement with a full IT security audit or a standalone penetration test to satisfy both regulatory expectations and board assurance in the same cycle.

IT Security Audit Penetration Testing

For small projects and ad-hoc work outside our pre-agreed packages or retainers, our standard hourly rate is $460.

HKMA C-RAF Compliance FAQ

What is HKMA C-RAF?
HKMA C-RAF is the Cyber Resilience Assessment Framework, issued by the Hong Kong Monetary Authority under its Cybersecurity Fortification Initiative (CFI 2.0). It gives Authorized Institutions a structured way to assess and demonstrate their cyber resilience, built around an Inherent Risk Assessment, a Maturity Assessment, and, for higher-risk institutions, intelligence-led Cyber Attack Simulation Testing (iCAST).
Who must comply with HKMA C-RAF?
C-RAF applies to Authorized Institutions, meaning banks and other licensed financial institutions supervised by the HKMA. If your institution holds an HKMA banking licence or is otherwise an Authorized Institution, C-RAF applies to your technology and cyber risk management under CFI 2.0.
What are the three components of C-RAF?
C-RAF has three components. The Inherent Risk Assessment measures your institution's baseline technology and cyber risk profile. The Maturity Assessment measures the maturity of your controls across relevant domains against the level your risk profile requires. iCAST, intelligence-led Cyber Attack Simulation Testing, is required for institutions the HKMA designates as higher-risk.
What is iCAST?
iCAST stands for intelligence-led Cyber Attack Simulation Testing. It is a red-team style exercise that simulates real adversary tactics, techniques, and procedures against your institution, required under C-RAF for Authorized Institutions HKMA classifies as higher-risk based on the Inherent Risk Assessment. Atlant Security runs iCAST testing ourselves rather than outsourcing it to a separate firm.
How much does HKMA C-RAF compliance cost?
A standalone HKMA C-RAF gap assessment, covering the Inherent Risk Assessment and Maturity Assessment, starts from $3,000. Full phased remediation, including iCAST coordination where applicable, is priced to the scope of your institution and the gaps found, with a fixed-price proposal delivered within 48 hours of your strategy call. You review the gap assessment report before you pay for the next phase.
How long does HKMA C-RAF compliance take?
The Inherent Risk Assessment and Maturity gap assessment together typically take about 2 weeks. Phased remediation then runs over the following weeks depending on how many gaps are found and the size of your institution, with iCAST scheduled within that window for institutions designated as higher-risk.
Is HKMA C-RAF mandatory?
C-RAF is a supervisory framework issued by the HKMA, not a pass or fail certificate like an ISO audit. In practice, Authorized Institutions are expected to complete the assessment and demonstrate cyber resilience to the HKMA as part of ongoing supervision. The commercial reality is that a credible C-RAF outcome is expected for board assurance and HKMA supervisory review.
Do you run the iCAST testing yourselves?
Yes. For institutions designated as higher-risk under the Inherent Risk Assessment, we run the intelligence-led Cyber Attack Simulation Testing (iCAST) ourselves as part of the same engagement, rather than handing you off to a separate vendor you would need to coordinate and manage independently.

Related: IT Security Audit - Penetration Testing - ISO 27001 Readiness - All Services