Security Risk Assessment

An information security risk assessment is a structured and disciplined process that integrates risk management activities into the enterprise system development life cycle (SDLC) and enables risk managers to make informed decisions.

Commitment to a risk management framework, together with robust risk principles, is critical to a successful risk management programme.

The US National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) is one such framework; it can be used together with the NIST Cybersecurity Framework (CSF) as well as the ISO27K, COBIT and ISA security control frameworks.

Why Would You Need This Service?

Making informed risk decisions depends on the fidelity of the risk decision itself and on defined steps for determining whether a risk is accepted. A good process for making risk decisions includes a mixture of:

  • Objective data;
  • Pass/fail test results;
  • Mitigations;
  • Qualitative analysis;
  • Subjective data;
  • A healthy portion of intuition.

Assessing the effectiveness of your business’s security controls is crucial to understanding each risk and the likelihood of it becoming a security incident. This is a continuous process, as shown in the risk management framework lifecycle diagram above. Having an up-to-date view of all your information security risks enables your business to prioritise them, so that the most important risks can be addressed, and mitigation put in place, before they materialise.

How We Deliver This Service

An Information Security Risk Assessment can be carried out as part of a broader enterprise or security architecture engagement, including the development of baseline and target architectures for the business, data, application and technology domains. Security architecture work, and specifically an information security risk assessment, can also be undertaken on its own at the start of an engagement to explore security risk.

For example, the information security department may have a specific security compliance issue or a data breach that requires an external security specialist to undertake a risk assessment. Alternatively, the enterprise architecture function in a business may require specific security architecture services to address risk, or a longer-term security strategy and roadmap.

  • Information Security Framework: NIST, ISO27K, COBIT, ISA etc.;
  • Information Security Control Patterns: a collection of patterns, chosen to provide a baseline against which the assessment is made;
  • Security Risk Assessment: deep-dive analysis of the baseline controls and their effectiveness in terms of impact on confidentiality, integrity and availability;
  • Security Risk Assessment Report: summary of findings, including gap analysis, a full assessment of risks, impacts and likelihood, and recommendations for control improvement and risk mitigation;
  • Security Roadmap: a forward view of control improvements prioritised by risk, impact and likelihood.

Typical Outcomes

  • An understanding of the strengths and weaknesses of your organisation’s information security controls, prioritised by business impact;
  • A holistic view of information security controls and an understanding of the information security risks that need to be mitigated;
  • The information required to start closing the gaps between your current and target security posture.
