Cyber Risk Assessment

A risk assessment is the process of identifying, analysing and evaluating risk. In other words, it identifies gaps between people and processes, as well as gaps in technology itself, and proposes remedies to minimise the risks associated with those gaps. It is the only way to ensure that the cyber security controls you choose are appropriate to the risks your organisation faces.
Without one, you could underestimate or overlook risks that could cause significant damage to your organisation. As the UK government’s Cyber Security Breaches Survey 2017 noted: “overall, businesses that hold electronic personal data on customers are more likely than average to have had breaches (51% versus 46%). Nonetheless, breaches are still prevalent among organisations whose senior managers consider cyber security a low priority (35%), and in firms where online services are not at all seen as core to the business (41%).”
What does a cyber risk assessment include?
A cyber security risk assessment identifies assets that could be affected by a cyber attack and then identifies the risks that could affect those assets.
A risk estimation and evaluation is usually performed, followed by the selection of controls to treat the identified risks. It is important to continually monitor and review the risk environment to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.
The organisation conducting the risk assessment seeks to understand the relative significance and interaction of different sets of systems: applications, computer terminals, data, storage and communication mechanisms. To meet such requirements, organisations should perform security risk assessments that employ the lifecycle risk assessment approach and include all stakeholders to ensure that all aspects of the IT organisation are addressed, including hardware and software, employee awareness training and business processes.
IT Governance cyber risk assessment service
Our team of qualified cyber security advisers will provide business-driven consultation on the overall process of assessing information risk. They will offer support, guidance and advice in the following areas:
- Identifying the assets that require protection.
- Identifying relevant threats and weaknesses.
- Identifying exploitable vulnerabilities.
- Assessing the level of threat posed by threat agents.
- Determining the business impacts of risks being realised.
- Producing a security risk assessment.
- Advising on a risk acceptance threshold or level of acceptance.
- Advising on suitable control implementation.
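As an added illustration of the steps listed above (example code, not IT Governance's or vsRisk's own logic), a minimal risk register in Python that scores each asset/threat/vulnerability entry, applies candidate controls, and compares the residual risk with an acceptance threshold. The five-point scales, control effects and register entries are constructed assumptions.

```python
from dataclasses import dataclass, field
# Assumed five-point qualitative scales (the page specifies none).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # level of threat posed by the threat agent
    impact: str       # business impact if the risk is realised
    # candidate controls: (name, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:  # score before any control: likelihood x impact
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:  # score after the candidate controls, floor of 1 per axis
        lik, imp = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for _, d_lik, d_imp in self.controls:
            lik, imp = max(1, lik - d_lik), max(1, imp - d_imp)
        return lik * imp

def treat(register, acceptance_threshold):
    """Per risk, highest inherent score first: 'accept' if already at or below the
    threshold, 'treat' if the candidate controls bring it there, else 'escalate'."""
    rows = []
    for r in sorted(register, key=Risk.inherent, reverse=True):
        inh, res = r.inherent(), r.residual()
        if inh <= acceptance_threshold:
            decision = "accept"
        elif res <= acceptance_threshold:
            decision = "treat"
        else:
            decision = "escalate"   # still above threshold: more controls or management sign-off
        rows.append((r.asset, r.threat, inh, res, decision))
    return rows

# Constructed sample register for a hypothetical organisation.
SAMPLE_REGISTER = [
    Risk("customer database", "external attacker", "unpatched DBMS", "likely", "severe",
         controls=[("patch management", 3, 0), ("encrypt data at rest", 0, 1)]),
    Risk("legacy payment gateway", "ransomware", "unsupported OS", "likely", "severe",
         controls=[("network segmentation", 1, 1)]),
    Risk("staff laptops", "loss or theft", "no full-disk encryption", "possible", "major",
         controls=[("full-disk encryption", 0, 3)]),
    Risk("public website", "defacement", "weak CMS admin password", "possible", "minor"),
]
```

Calling `treat(SAMPLE_REGISTER, acceptance_threshold=6)` yields one row per risk; the "escalate" rows are the ones the acceptance threshold cannot be met for with the listed controls, which is exactly the list a risk owner needs to sign off or fund further treatment.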
Cyber risk assessment should be a continual activity. A comprehensive enterprise security risk assessment should be conducted at least once a year, or whenever significant changes occur to the business, the IT estate or the legal environment, to explore the risks associated with the organisation’s information systems. An enterprise security risk assessment can only give a snapshot of the risks to the information systems at a particular point in time.
For whom is the cyber risk assessment service designed?
A risk assessment consultancy can be performed on organisations of any size – small, medium and large enterprises – where the IT infrastructure includes a combination of complex legacy systems and newer operating systems whose interoperability is not always seamless.
It is particularly useful to public-sector organisations such as the NHS, HMRC, local councils and other government agencies that provide multiple services across different channels to diverse groups of users – the interchange of personal data across different platforms requires greater vigilance and methods of protection.
A requirement of good governance
A cyber risk assessment is an explicit requirement of the most important standards and regulations, and, at the very least, it is indirectly implied in others. Some of these standards and regulations include:
- ISO 27001 (ISMS)
- GDPR
- PCI DSS
- NIS Directive
- HMG Security Policy Framework (SPF)
- 10 Steps to Cyber Security
- 14 Steps to Cloud Security
- 20 Critical Controls for Cyber Defence
Risk assessment software
The risk assessment software tool vsRisk™ has been proven to save huge amounts of time, effort and expense when tackling complex risk assessments. Fully compliant with ISO 27001, vsRisk streamlines the risk assessment process to deliver consistent and repeatable cyber security risk assessments every time.
The latest version of vsRisk includes three new functionalities: custom acceptance criteria, a risk assessment wizard and control set synchronisation. You can also now export the asset database in order to populate an asset management system or register.

Why choose IT Governance?
IT Governance specialises in providing best-practice action plans, consultancy services, risk assessment, risk management and compliance solutions with a special focus on cyber resilience, data protection, cyber security and business continuity.
In an increasingly punitive and privacy-focused business environment, we are committed to helping businesses protect themselves and their customers from the perpetually evolving range of cyber threats. Our deep industry expertise and pragmatic approach help our clients improve their defences and make key strategic decisions that benefit the entire business.
Additionally, IT Governance is duly recognised under the following frameworks:
- UK government CCS-approved supplier of G-Cloud 9 services.
- CREST certified as ethical security testers.
- Cyber Essentials Plus certified, the UK government-backed cyber security certification scheme.
- ISO 27001 certified, the world’s most recognised cyber security standard.
Speak to an expert
For more information on how IT Governance can help with your Cyber Risk Assessment please contact us by using the methods below.
