Advisory

Enterprise risk assessment aligned to your frameworks.

A rigorous risk assessment produces a register your board can rely on, your regulator will accept, and your control estate is derived from. We deliver assessments aligned to NIST, ISO 27005, and FAIR.

01 — Overview

A defensible risk assessment sits at the top of every mature compliance program — SOC 2 CC3, ISO 27001 clause 6.1, HIPAA Security Rule §164.308(a)(1)(ii)(A). We deliver one that satisfies all three.

02 — Engagement

Our approach.

  1. I

    Asset inventory

    Business-outcome-based asset inventory across systems, data, and processes.

  2. II

    Threat & vulnerability

    Structured threat modeling and vulnerability enumeration.

  3. III

    Risk analysis

    Quantitative (FAIR) or qualitative (NIST/ISO) analysis to your board's preference.

  4. IV

    Treatment plan

    Ranked treatment plan with owner, cost, and target residual.

03 — Deliverables

What you receive.

  • Asset inventory with business-outcome mapping
  • Threat model per business outcome
  • Risk register with inherent and residual scoring
  • Ranked risk treatment plan
  • Board-ready executive summary

04 — Timeline

Expected duration.

Six to ten weeks depending on organization size.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Quantitative or qualitative — which should we choose?+

FAIR quantitative analysis is powerful when the board wants to compare cyber risk to other enterprise risk in dollar terms. Qualitative (NIST/ISO) is faster to stand up and sufficient for most first-time programs.