Last updated: July 2026
Looking for an HKMA C-RAF Compliance Consulting Company in Hong Kong? Pass the Assessment Without a Year-Long Project.
We are an HKMA C-RAF compliance consulting company for Hong Kong Authorized Institutions. The Inherent Risk Assessment and Maturity gap assessment land in about 2 weeks, remediation runs in phases your team can actually absorb, and we coordinate and run iCAST ourselves where your institution is designated higher-risk - no separate vendor to manage.
Every engagement is led personally by a former Microsoft Security Consulting team member. Fixed-price proposal within 48 hours. You review the gap assessment report before you pay.

What Does an HKMA C-RAF Compliance Consulting Company Do?
An HKMA C-RAF compliance consulting company prepares your Authorized Institution to complete the Cyber Resilience Assessment Framework the Hong Kong Monetary Authority issues under its Cybersecurity Fortification Initiative (CFI 2.0). That means running the Inherent Risk Assessment, closing gaps against the Maturity Assessment your risk profile requires, and coordinating iCAST testing where your institution is designated higher-risk.
C-RAF is a supervisory requirement, not a pass or fail certificate - there is no C-RAF certification to hang on the wall. The goal is demonstrable cyber resilience: evidence and controls strong enough to satisfy the HKMA, reassure your board, and hold up under supervisory review. ISO 27001 makes a useful shared control base, since much of the underlying control work overlaps. That is exactly what this engagement is built to produce.
What Is HKMA C-RAF, and Who Must Comply
C-RAF is the Cyber Resilience Assessment Framework, issued by the Hong Kong Monetary Authority under CFI 2.0. It applies to Authorized Institutions - banks and other licensed financial institutions supervised by the HKMA - and gives them a structured way to assess and demonstrate cyber resilience.
C-RAF is a supervisory framework rather than a pass or fail certification. The objective is to demonstrate cyber resilience to the HKMA, and ISO 27001 alignment provides a useful shared control base for institutions that also hold or are pursuing that certification.
The Three Components of C-RAF
We assess and remediate all three components, including coordinating iCAST for institutions the HKMA designates as higher-risk.
Inherent Risk Assessment
A structured assessment of your institution's inherent technology and cyber risk, covering factors such as connection types, delivery channels, technologies in use, and the products and services offered. This sets the baseline that determines how much maturity and testing HKMA expects from you.
Maturity Assessment
A detailed assessment of your cyber resilience maturity across control domains, benchmarked against the maturity level your inherent risk profile requires. This is where most of the gap-finding and remediation work happens.
iCAST
Intelligence-led Cyber Attack Simulation Testing. A red-team style exercise that simulates real adversary tactics against your institution, required for institutions HKMA designates as higher-risk under the inherent risk assessment.
Our HKMA C-RAF Compliance Consulting Process
Five stages from first call to HKMA readiness. The difference from most C-RAF consultants is stage three: we implement the controls with you, in phases, instead of handing back a checklist.
Scoping and Inherent Risk Assessment
We assess your connection types, delivery channels, technologies, and products and services to determine your inherent risk profile, the same starting point HKMA expects under C-RAF.
Maturity gap assessment (about 2 weeks)
We test your current environment against the maturity level your inherent risk profile requires and hand you a prioritized gap report across every applicable control domain.
Phased remediation
We implement the missing controls with your team, phase by phase, rather than handing you a document and disappearing - closing the gap between your current and required maturity level.
iCAST coordination
For institutions HKMA designates as higher-risk, C-RAF requires intelligence-led Cyber Attack Simulation Testing. We run this testing ourselves as part of the engagement rather than outsourcing it to a separate firm you have to manage.
Board reporting and HKMA readiness
We prepare the board assurance pack and get your institution ready to demonstrate cyber resilience to the HKMA, without a year-long project or a scramble before your next supervisory review.
HKMA C-RAF Readiness Timeline
A realistic timeline for a Hong Kong Authorized Institution starting from a first engagement. Actual remediation length depends on your starting maturity and how many gaps the assessment finds.
| Phase | Timing | Outcome |
|---|---|---|
| Scoping and Inherent Risk Assessment | Week 1 | Defined risk profile and the maturity level HKMA expects from your institution |
| Maturity gap assessment | Weeks 1-2 | Prioritized gap report against the required maturity level |
| Phased remediation | Weeks 2-10 (scope-dependent) | Controls implemented with your team, phase by phase |
| iCAST coordination | Scheduled where applicable | Intelligence-led testing coordinated and run for higher-risk institutions |
| Board reporting and HKMA readiness | Final weeks | Board assurance pack delivered, ready for HKMA supervisory discussion |
How Much Does HKMA C-RAF Compliance Cost?
We publish our starting price rather than making you sit through a sales call to find out. Fixed-price proposals within 48 hours of your strategy call. No hourly billing, no surprises.
C-RAF Gap Assessment
Inherent Risk Assessment plus Maturity Assessment gap analysis, delivered in about 2 weeks.
- Inherent Risk Assessment
- Maturity Assessment gap analysis
- iCAST applicability review
- Prioritized remediation roadmap
- Board-ready summary
Zero-risk: you review the report before you pay.
Full Readiness + Phased Remediation
End to end: from gap assessment to HKMA supervisory readiness.
- Everything in the Gap Assessment
- Hands-on, phased control implementation
- iCAST coordination for higher-risk institutions
- Board assurance reporting pack
- Support through HKMA supervisory review
Zero-risk: you review the report before you pay.
Why Choose Atlant Over Other C-RAF Consultants
Most HKMA C-RAF consultants sell you a document and a monthly retainer. Here is how we are different.
| Atlant Security | Typical C-RAF Consultant | |
|---|---|---|
| Who does the work | A former Microsoft security consultant, personally | Junior or offshore staff you never meet |
| Time to gap assessment | About 2 weeks | Months of scoping calls before you see a finding |
| Pricing | Fixed-price proposal within 48 hours - you review the report before you pay | Open-ended hourly billing |
| Control implementation | Hands-on - we implement with your team | A checklist and advice, then you are on your own |
| iCAST testing | We run it ourselves, coordinated within the same engagement | Outsourced to a third party you must coordinate separately |
| Vendor neutrality | 100% independent - zero software commissions | Often recommends the GRC or security tool they resell |

Every HKMA C-RAF Engagement Is Led by Alexander Sverdlov
Former Microsoft Security Consulting team member. CISSP certified. Alexander has personally led 234 security assessments across 14 countries since 2013. At Atlant Security, the senior consultant who scopes your C-RAF engagement is the same person who runs the iCAST testing and implements the controls with your team - never handed to junior staff.
Connect on LinkedInPursuing C-RAF and ISO 27001 Together?
ISO 27001 makes a useful shared control base for C-RAF, since much of the underlying control work overlaps. If your institution holds or is pursuing ISO 27001, we map both frameworks in one engagement to cut duplicate remediation effort.
Learn about ISO 27001 ReadinessStop Guessing at HKMA Scrutiny. Get Demonstrably Resilient.
Book a free 30-minute strategy call with Alexander. We will discuss your institution, timeline, and exactly what it takes to satisfy the HKMA and your board without a year-long project. Fixed-price proposal within 48 hours.
Zero-risk: you review the report before you pay.
Schedule Your Free HKMA C-RAF Strategy Call
Need a Broader IT Security Audit Alongside C-RAF?
Many institutions pair the HKMA C-RAF engagement with a full IT security audit or a standalone penetration test to satisfy both regulatory expectations and board assurance in the same cycle.
For small projects and ad-hoc work outside our pre-agreed packages or retainers, our standard hourly rate is $460.
HKMA C-RAF Compliance FAQ
What is HKMA C-RAF?
Who must comply with HKMA C-RAF?
What are the three components of C-RAF?
What is iCAST?
How much does HKMA C-RAF compliance cost?
How long does HKMA C-RAF compliance take?
Is HKMA C-RAF mandatory?
Do you run the iCAST testing yourselves?
Related: IT Security Audit - Penetration Testing - ISO 27001 Readiness - All Services