How I Completed an ISRA & Gap Analysis Alone Using Critical Thinking + AI as an Assistant


Hey everyone, and welcome back to The CyberFreshy Files!
As you know, I’ve been on a journey into InfoSec, and I'm excited to share a major milestone: On July 1st, I officially started my new role as an Information Security Specialist. This is my first post in the new role, and it’s all about my first big project.
When you're the only one on your team who knows security, everything falls on your shoulders—the policies, the assessments, the compliance posture. That was my reality, and it forced me to think differently about how I approach InfoSec projects. This isn't just about learning the right tools or memorizing a framework; it's about leading the charge when no one else knows what "done" looks like.
My latest challenge? Completing a full Information Security Risk Assessment (ISRA) and a Gap Analysis.
The Challenge: From Checkboxes to Corporate-Grade
Let’s be honest, an ISRA and a Gap Analysis sound intimidating. They aren’t just a checklist you can tick off; they require structure, accuracy, and clear communication with leadership. As the sole security person, I could have delivered a quick, bare-bones report, and no one would have been the wiser. But that's not how I operate. I needed to make it corporate-ready not just for my team, but for myself. It was about setting a personal standard and delivering a professional product as if I were already working for the biggest company in the world.
The task felt immense. Where do I even start? How do I ensure I'm not missing a critical step? And how do I present this to non-technical stakeholders in a way that’s professional and impossible to ignore?
My Approach: AI as an Assistant, Not a Replacement
This is where the real "CyberFreshy" mindset came into play. Instead of letting the lack of resources stop me, I decided to use modern AI tools as a force multiplier—my personal assistant on this solo mission.
I didn't ask AI to do the work for me. That would defeat the entire purpose and lead to an inaccurate, risky assessment. Instead, I used it as a guide, a sounding board, and a writing partner. My process looked something like this:
Ask for a Template: I started by asking the AI for a professional template for an ISRA and a Gap Analysis, based on the NIST CSF. This gave me the structure I needed, built on a well-known and respected framework.
Request an Example: I then asked it to show me an example of what a filled-out version would look like, using a hypothetical scenario. This helped me understand the kind of detail and phrasing that was expected.
Do the Real Work: With the template and example in hand, I got to work. I sat down and meticulously filled out the assessment with my own knowledge of our environment, our assets, and our specific risks. This was the most important step—the core of the work was all me.
Refine and Polish: Once I had my rough draft, I fed it back to the AI. This part is crucial: I didn't put the entire, sensitive document into the tool. Instead, I took specific descriptions or sections and asked for help. I would even sanitize the text by replacing sensitive info with placeholders like [vulnerability 1] or [system name]. I then asked the AI to review the language, suggest more corporate-friendly phrasing, and help me present my findings in a clearer, more professional way.
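The sanitization step above is the one part of the workflow worth mechanizing, because doing it by hand is exactly where a real hostname or IP slips through. The following Python helper is an added example, not the author's tooling: it swaps known system names and anything matching an IP, email or internal-hostname pattern for stable placeholders, keeps the mapping locally, checks that nothing recognizable is left before the text goes to the AI tool, and restores the real values in the reworded text that comes back. The `.corp.local` naming convention, the placeholder format and the sample finding are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Regexes for values that should never leave the environment. The internal
# hostname suffix is an assumed convention; adjust it to the real one.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "host": re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.corp\.local\b"),
}


@dataclass
class Redactor:
    """Replace sensitive strings with placeholders such as "[system 1]" and
    keep the mapping locally so the text can be restored after review."""

    known_terms: dict                       # literal string -> category
    mapping: dict = field(default_factory=dict)    # placeholder -> original
    _counters: dict = field(default_factory=dict)  # category -> last index

    def _placeholder(self, category, original):
        # Reuse an existing placeholder so repeated values stay consistent
        for ph, val in self.mapping.items():
            if val == original:
                return ph
        n = self._counters.get(category, 0) + 1
        self._counters[category] = n
        ph = f"[{category} {n}]"
        self.mapping[ph] = original
        return ph

    def redact(self, text):
        # Longest known terms first so "Acme Payroll Portal" is not split
        # into a placeholder for "Acme Payroll" plus a stray "Portal"
        for term in sorted(self.known_terms, key=len, reverse=True):
            if term in text:
                text = text.replace(term, self._placeholder(self.known_terms[term], term))
        for category, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, c=category: self._placeholder(c, m.group(0)), text)
        return text

    def remaining_secrets(self, text):
        # Pre-send check: categories whose pattern still matches, plus any
        # known term that survived (for instance inside an unusual spelling)
        found = [c for c, p in PATTERNS.items() if p.search(text)]
        found += [t for t in self.known_terms if t in text]
        return found

    def restore(self, text):
        # Put the real values back into the AI-reworded text
        for ph, val in self.mapping.items():
            text = text.replace(ph, val)
        return text


# Constructed sample finding; the names, host, IP and address are invented.
SAMPLE = (
    "Finding 3: The Acme Payroll Portal on hr-app01.corp.local (10.20.30.41) "
    "accepts logins over HTTP; contact jdoe@example.com for the owner. "
    "Acme Payroll also shares an admin password with 10.20.30.41."
)


def demo():
    """Redact the sample, verify nothing leaks, and round-trip it back."""
    r = Redactor(known_terms={"Acme Payroll Portal": "system", "Acme Payroll": "system"})
    redacted = r.redact(SAMPLE)
    leaks = r.remaining_secrets(redacted)
    restored = r.restore(redacted)
    return redacted, leaks, restored


if __name__ == "__main__":
    out, leaks, back = demo()
    print(out)
    print("leaks:", leaks)
    print("round-trip ok:", back == SAMPLE)
```

The mapping never leaves the machine; only the redacted string is pasted into the tool. Running `remaining_secrets` on the redacted text before sending it is the check that catches an identifier your term list did not know about, which is the practical failure mode of placeholder-by-hand.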
The Critical Thinking Layer: My Secret Sauce
This is the part that truly leveled up the work. AI doesn't know my specific environment, my team's unique challenges, or the nuance of my responsibilities. That’s where my critical thinking came in.
Beyond my InfoSec training, I had invested some personal time into a critical thinking course I found online. I wasn’t doing it for a certificate or a grade—I did it to sharpen my mind. It gave me the perspective to see the difference between a claim, a fact, and a bias. Those skills are crucial in everyday life, but they’re especially important when you’re building a security posture from the ground up. I knew this was a skill that would help me be the best I can be, and it’s a lesson that's more valuable than any piece of paper.
I had to:
Validate: Were the AI's template and example truly relevant to my needs? Did they align with our business and industry?
Adapt: I had to adjust the template and language to perfectly reflect our real-world situation, from the specific software we use to the human element risks we face.
Refine: I used the AI’s suggestions as a starting point, not a final answer. The reasoning, the judgments, and the final decisions were all my own.
The tool helped me with the language, but the security mindset, the data-driven insights, and the final judgment were all me.
The Outcome: Credibility and Action
The final deliverables were better than I ever could have produced alone. They weren't just a basic assessment; they were a corporate-grade report that was easy for leadership to understand. They could see exactly where we stood, what our biggest risks were, and what needed to be done. The report was professional, well-structured, and clear.
The best part? After I used the AI to review my final draft, it gave me feedback that reinforced my entire approach. It said my thinking on these subjects was already "really good," and that it was simply helping me "write it in a more corporate and proper way." That felt like a massive win. It proved I wasn't just leaning on the tool; I was leading it.
But the real moment of truth came when I shared a sanitized version with a CISO mentor I’d connected with on LinkedIn. At first, he simply said it was "very good." When I told him it was my first time ever doing a project like this, he was genuinely shocked.
He told me my report was "professional grade" and something he would expect to receive from a seasoned veteran. He was super impressed, saying my approach was a "perfect blend of new tech tools, my own knowledge, and using those tools not to get the knowledge for you but to bridge the gap between knowledge and implementation."
That validation meant the world to me. It's why I work so hard—not to get praise, but because I love the process of becoming better every day. He told me I would do big things one day, and I really hope I can. It's all about loving to learn and improving with every project, no matter how big or small.
Reflection: A New Way to Work
This experience taught me a profound lesson: being a security professional today isn't just about technical skills. It's about judgment, communication, and leveraging every tool available to sharpen your work. You don't need to be a large team to deliver high-quality results.
Done right, AI doesn’t make you lazy; it makes you sharper. It doesn't replace your intelligence; it augments it. But that only works if you lead with critical thinking and own the responsibility for the outcome.
This is the future of InfoSec, and I’m figuring it out one byte at a time.
What about you? Have you used AI tools in a new way at work? I’d love to hear your experiences and how you're using modern tech to tackle big challenges.
Stay fresh, stay secure,
– CyberFreshy
Written by Christopher Finnerty