Risk Assessment

Risk assessment provides a detailed qualitative assessment of information security risks across your organisation. This has proven to be a highly effective service for organisations that are looking to build maturity through a more detailed and structured approach.

We use a qualitative approach based on the OCTAVE® Allegro framework in order to ensure a consistent, repeatable assessment process and reporting output for all our customers. We establish and agree the risk assessment (measurement) criteria and the risk acceptance criteria as part of engagement planning. We typically use the ISO 27001 control framework for commercial customers and the NZISM framework for those in Government, but will also draw on any other framework where its controls provide more effective risk mitigation (NIST SP 800-53, COBIT, SANS 20). We can also use your preferred framework as required. We will work with you to tailor control selection and pride ourselves on applying the right logic to your business.

  • Outcome

    The outcome of this service is to reduce risk by delivering a clearly weighted risk report demonstrating areas of high, medium and low risk exposures against your organisation's defined information security assets. As part of the service we also deliver a prioritised remediation plan. We work with your organisation to provide the following outcomes whilst aligning these to the context of your financial, business and operational planning frameworks:

    • Clear understanding of the threats, vulnerabilities and security exposures to your business and information assets
    • Relevant control selection for reduction of risk
    • Prioritised mitigation plans for maximum risk reduction impact
    • Risk treatment artifacts to facilitate effective tracking of ongoing mitigation work
  • Service Features

    This service will typically involve the following activities:

    • Establish scope for assessment
    • Establish the risk measurement criteria – how we will measure risk exposures as well as residual risk levels
    • Identify assets and asset containers – data/information type and relevant classification, information assets, and the location of assets both physically and logically
    • Identify threats and areas of concern – detail real-world conditions or situations that could affect identified information assets, and detail the motivation and potential outcomes for threat realisation
    • Identify risks and detail the impact should threat scenarios be realised
    • Analyse risks – risk impact is assessed and the measurement criteria are applied
    • Risk treatment/mitigation – controls are selected and applied to each risk to reduce the risk to an acceptable level
    • Produce a risk summary review including detailed findings and a summary report