Who this is for
Organizations at every maturity level. First-timers formalizing what has lived in people’s heads. Established programs that need an independent, annual, or post-change assessment: new systems, acquisitions, cloud migrations, new facilities, or a significant incident. Regulated businesses whose framework mandates periodic risk assessment, which is nearly all of them: NIST 800-171, GLBA, FFIEC, HIPAA, and ISO 27001 each demand it. Companies pursuing or maintaining ISO 27001 certification, where the risk assessment is the engine of the entire management system. Institutions and districts holding student data with no one formally accountable for it. And leadership teams that want an outside set of eyes before committing budget, because internal assessments have a way of finding what is comfortable.
The problem
Most organizations sit at one of two failure points. The immature ones manage risk by anecdote: the last incident, the loudest vendor, the scariest headline, which produces spending on the wrong things and silence on the real exposures. The mature ones often have the opposite disease: an aging register that gets rolled forward every year, scored by the same people who own the risks, drifting further from the actual environment with each cycle. Regulators, certifying bodies, and insurers require risk assessments precisely because unexamined and self-examined risk is where breaches live. Either way, the test is the same: an assessment that does not change a decision was not an assessment. It was a receipt.
What is included
- Methodology matched to your obligations: NIST SP 800-30 for NIST and CMMC environments, ISO 27005 for ISO 27001 programs, FFIEC-aligned approaches for financial institutions, HIPAA Security Rule risk analysis for healthcare, or CIS RAM where it fits, without forcing one template onto every client.
- Scoping interviews with leadership and control owners, aimed at the business, not just the network.
- Threat and vulnerability identification across technical, administrative, and physical controls.
- Likelihood and impact analysis calibrated to your actual consequences: contracts at risk, downtime cost, regulatory exposure, certification status, reputational harm.
- Risk ranking with treatment recommendations: accept, mitigate, transfer, or avoid, each with a rationale you can defend to an examiner or certification auditor.
- For established programs: independent validation or refresh of your existing register, including challenge of stale scores and inherited assumptions.
- An executive readout in business language, findings presented live with questions answered in the room.
What you walk away with
- A findings report written for decision-makers, not just technicians.
- A living risk register in a methodology your assessor, examiner, or certification body recognizes, whether created fresh or rebuilt from what you have.
- A remediation roadmap ranked by effort and impact, ready to budget from.
- Completed risk assessment evidence for your auditor, examiner, certifying body, or insurer.
FAQs
Q. Which methodology will you use for us?
The one your obligations point to. NIST SP 800-30 for defense and NIST-based programs, ISO 27005 for ISO 27001 environments, FFIEC guidance for banks and credit unions, HIPAA Security Rule risk analysis for healthcare, CIS RAM where a control-driven approach fits. If you face multiple frameworks, we run one assessment structured to satisfy all of them, which is cheaper than three assessments and more coherent than one forced fit.
Q. We already have a risk register. Do we start over?
No. An existing register is an asset, and an independent refresh is often more valuable than a rebuild: we validate the scoring, retire what no longer reflects the environment, add what has emerged, and challenge the assumptions that got inherited year over year. You keep continuity; the register regains credibility.
Q. How often should we do this?
Annually is the cadence most frameworks and certification bodies expect, plus after major changes: new systems, acquisitions, facility moves, or significant incidents. The first assessment is the heavy lift; refreshes are faster because the register already exists.
Q. Is this a penetration test?
No. A penetration test attacks your systems to find technical weaknesses; a risk assessment evaluates your whole exposure, including the administrative and physical controls a pen test never touches. Many clients do both, and the risk assessment tells you whether a pen test is even the priority yet.