Google Workspace Tenant Assessment —
Fixed-Scope, 30 Days
Eight-domain assessment of your Google Workspace tenant — security, OAuth apps, external sharing, group hygiene, license waste, MDM coverage, Vault and DLP, and identity / SSO posture. Executive summary, technical findings, and 90-day roadmap. Certified Google Cloud Partner.
What's Assessed
Every Workspace tenant assessment covers the same eight domains — sized to your tenant, your compliance regime, and the specific trigger (audit prep, insurance renewal, Gemini readiness, or M&A).
Security Center & Alerts
Security center dashboards, investigation tool coverage, alert center triage discipline, and audit log retention. We baseline your detection and response posture against Google's recommended defaults and your compliance regime.
OAuth Apps & Third-Party Access
Inventory of every connected OAuth third-party app, scopes granted, last-used signal, and risk tier. Common finding: long-tail of high-scope apps users connected years ago that nobody is reviewing.
External Sharing & Drive Posture
External sharing policy, link-sharing audit across Drive, public-link discovery, shared drive governance, and trust rules. Hunts for orphaned data exposure and inconsistent shared drive permissions.
Group Hygiene & Lifecycle
Group inventory, ownership coverage, dynamic group health, group-based access control consistency, and orphaned-group identification. The often-overlooked surface where access drift accumulates.
License Utilization & Waste
Edition assignment by persona, utilization vs assigned, suspended accounts holding licenses, Gemini and AppSheet usage, Frontline candidates, renewal calendar, and modeled savings across the estate.
Mobile Device Management Coverage
MDM enrollment posture across iOS, Android, ChromeOS, Windows, and macOS. Company-owned vs BYOD coverage, work profile enforcement, and integration with Context-Aware Access.
Vault Retention & DLP Rules
Retention rule inventory, legal hold posture, eDiscovery readiness, custodian preservation discipline, and DLP rule coverage across Gmail, Drive, and Chat. Mapped to your compliance regime.
Identity, SSO & Cloud Identity Posture
Cloud Identity configuration, SSO inventory, 2-Step Verification enforcement coverage, Advanced Protection program adoption, Context-Aware Access policy review, and federation patterns with external IdPs.
Every signal we look at
- ✓Security center, investigation tool, and alert center configuration and use
- ✓OAuth third-party app inventory, scope review, and consent governance
- ✓External sharing posture across Drive, link-sharing audits, public-link hunt
- ✓Group hygiene, ownership, lifecycle, and group-based access control
- ✓License utilization vs assigned across all Workspace editions and add-ons
- ✓MDM coverage and policy across iOS, Android, ChromeOS, Windows, and macOS
- ✓Vault retention rules, legal hold posture, and eDiscovery readiness
- ✓DLP rule coverage and policy review across Gmail, Drive, and Chat
- ✓Identity posture — Cloud Identity, SSO inventory, 2SV / Advanced Protection adoption
- ✓Context-Aware Access policy inventory and gap analysis
- ✓Admin hygiene — super-admin count, role delegation, audit log retention
- ✓Compliance mapping against SOC 2, HIPAA, GLBA, PCI DSS, or CMMC controls
Three Artifacts, Plus a Read-Out
Every assessment produces the same three artifacts — built for three different audiences, designed to land at the same time, with a read-out that aligns IT and leadership on what happens next.
Executive Summary
Plain-English read-out for leadership and the board — risk posture, top three priorities, modeled savings, and the 90-day roadmap on a single page. Designed for the audit committee or executive team that needs the picture without the jargon.
Technical Findings Report
Per-domain findings with source-of-truth references for every finding, screenshots from the admin console, severity ranking, and reproduction steps. The artifact your IT team uses to actually fix things — and the evidence package your auditors will ask for.
90-Day Roadmap
Prioritized remediation plan sequenced into quick wins (week 1–2), medium-term hardening (month 1–2), and strategic investments (month 3+). Mapped to your compliance regime, your renewal calendar, and your team's available capacity.
30 Days, Written Deliverable
Fixed scope, fixed fee, read-only access. Kickoff Monday, evidence package and read-out at week 4.
Kickoff & Read-Only Access
Kickoff with your IT leadership, scoped read-only access to your tenant via delegated admin roles, compliance regime confirmation, and stakeholder interviews to capture the business context around the tenant.
Discovery & Evidence Capture
Automated and manual discovery across all eight domains. Evidence captured in standardized templates — policies, assignments, signals, audit logs — with source-of-truth references for every finding.
Analysis & Roadmap
Findings analyzed, risks ranked, modeled savings calculated, and a 90-day roadmap built — quick wins, medium-term hardening, and strategic investments mapped to your compliance regime and business rhythm.
Written Deliverable & Read-Out
Executive summary, per-domain findings, evidence package, and 90-day roadmap delivered as a written report. Read-out with your IT and executive leadership to align on sequence and ownership.
Contact for pricing. No obligation after.
Every assessment is fixed-fee with a written deliverable and read-out. No embedded services bias — the assessment is the assessment. Clients who choose to execute follow-on work with ICS do so on separately-scoped engagements, and clients who execute internally get the same roadmap either way.
Request a Written Proposal →What Typically Comes After an Assessment
These are the engagements that most often scope out of assessment findings — but none are assumed or required.
Google Workspace Management
Ongoing managed operations for clients who want ICS to own tenant administration post-assessment.
Learn More →Google Workspace Licensing
Execute on the licensing findings — edition rebalancing, Gemini sizing, reseller transitions, and quarterly governance.
Learn More →Email Migration
When the assessment reveals a migration need — Workspace decom, M365 to Workspace, or tenant-to-tenant after M&A.
Learn More →Workspace Tenant Assessment — FAQ
What does the assessment actually deliver?+
Three artifacts: an executive summary for leadership, a technical findings report for IT, and a 90-day roadmap. The technical findings report covers all eight domains — security center, OAuth apps, external sharing, group hygiene, license utilization, MDM, Vault and DLP posture, and identity / SSO — with source-of-truth references for every finding. The roadmap ranks findings by risk and return, maps them to your compliance regime, and sequences them into quick wins, medium-term hardening, and strategic investments.
Do you need full super-admin access to our tenant?+
No. The assessment runs with scoped read-only access — pre-built delegated admin roles cover most of what we need (Services Admin viewer, Security Reader, Reports Viewer, User Management Reader). Where specific capabilities require write access (for example, running the security investigation tool against historical audit data), we coordinate short-window elevations that are logged and reviewed with your team.
How is this different from Google's built-in security health page?+
Google's security health page is a self-assessment summary — it flags some configuration gaps but ignores most of what matters for enterprise audit, licensing optimization, and compliance mapping. The ICS tenant assessment includes security health analysis but extends to OAuth third-party app review, external sharing audit, license utilization and waste, Vault and DLP coverage, MDM posture, identity / Context-Aware Access, compliance-specific control mapping, and admin hygiene — none of which the security health page evaluates.
We're preparing for SOC 2 / HIPAA / cyber insurance renewal. Does this help?+
Yes — it's often the trigger. Assessment findings map directly to the controls your auditor or insurer cares about, and the technical findings report frequently becomes part of the audit preparation binder. Clients on SOC 2 Type 2 regularly use the tenant assessment to pre-stage their own readiness review six months before the audit window.
Do you assess Gemini readiness as part of this?+
Yes. Gemini readiness is touched across multiple domains — DLP rule coverage, Drive sharing posture, audit log retention, persona fit against actual usage signals, and license sizing. Organizations considering a Gemini for Workspace rollout often start with the assessment so they understand the data governance work required before Gemini is safe to deploy at scale.
How is this different from the Workspace management engagement?+
The tenant assessment is a 30-day, read-only, written audit. Workspace management is ongoing — co-managed or fully managed operations against monthly retainer. Many clients start with the assessment, hand the roadmap to their internal team, and execute themselves. Others scope follow-on engagements with ICS — Context-Aware Access hardening, Vault rollout, license optimization, or ongoing managed operations.
How much does the assessment cost?+
Fixed-fee based on tenant size and compliance regime. Every proposal includes a written scope and deliverable before work starts. For most mid-market tenants the investment returns within the first round of implemented recommendations — typically through licensing optimization alone. Contact us for a written scope.
What happens after the assessment?+
Your call. Some clients hand the roadmap to their internal team and execute themselves. Others scope follow-on engagements with ICS — Context-Aware Access hardening, DLP rollout, license optimization, Vault program build, or ongoing Workspace management. There's no obligation and no embedded bias — the assessment deliverable is the deliverable.
Ready to Know What's Actually in Your Tenant?
30 days, eight domains, written evidence package. Ideal for organizations preparing for SOC 2, cyber insurance renewal, Gemini rollout, or M&A due diligence — or anyone who wants a clear-eyed read on what they own and where the risk is.