IT Risk Assessment
Know your risk before you pick a framework.
Most compliance engagements go wrong because the scope wasn't right from the start. An IT Risk Assessment maps your control environment, rates risk across six domains, and tells you exactly where to focus — before you spend a dollar on framework readiness work.
4–6 weeks · Framework-agnostic
4–6 weeks · Fixed-fee project · Any org pre-framework · Risk register & roadmap
What we assess
Six domains. Full picture.
We assess your IT control environment across the same six domains your auditors will test — regardless of which framework you ultimately pursue. Nothing is skipped, nothing is assumed.
AC · Access & Identity
Who has access to what, and is that access appropriate? We assess provisioning, de-provisioning, privileged accounts, and authentication controls.
CM · Change Management
How are changes to systems and infrastructure authorised and tested? We evaluate whether changes can be deployed without appropriate oversight.
CO · IT Operations
Backup and recovery, incident management, job scheduling, and monitoring. The operational controls that keep systems reliable and auditable.
SD · System Development
How new systems and significant changes are designed, tested, and released. We assess whether SDLC controls are documented and consistently applied.
SE · Security & Infrastructure
Network segmentation, endpoint protection, vulnerability management, and logging. We evaluate the technical controls underpinning your entire control environment.
VR · Vendor & Third-Party Risk
Critical dependencies on cloud providers, SaaS tools, and outsourced functions. We assess whether third-party risk is understood, managed, and contractually addressed.
What you get
Five deliverables. All actionable.
IT Risk Register
A documented inventory of IT risks rated by likelihood and impact, ready to feed into any framework's risk assessment requirement.
Risk Heat Map
A visual representation of your risk landscape, showing which domains carry the highest inherent risk before controls are applied.
Gap Analysis Report
A domain-by-domain review of current control coverage versus what's required for your target framework (or frameworks).
Framework Recommendation
A clear recommendation on which framework to pursue first, in what order, and why, based on your risk profile and business drivers.
Prioritised Roadmap
A sequenced remediation roadmap: what to fix first, what can wait, and what you'll need for the frameworks on your horizon.
FAQ
Common questions.
Do I need an IT Risk Assessment if I already know which framework I need?
Not always. If you have a clear directive (e.g., your biggest customer is asking for SOC 2), you can go straight to that service. But if you're unsure of scope, want to understand your control gaps before committing, or need to sequence multiple frameworks, an IT Risk Assessment removes the guesswork and often saves time and cost downstream.
How is this different from a readiness assessment?
A readiness assessment is framework-specific: it tests your current state against one framework's requirements. An IT Risk Assessment is framework-agnostic: it maps your entire IT control environment, rates risks across all domains, and then tells you which framework your risk profile points to. Think of it as the step before the readiness assessment.
What does the 4–6 week timeline look like?
Week 1–2: kickoff, document collection, and stakeholder interviews. Week 2–3: domain walkthroughs across your IT environment. Week 3–4: risk rating, gap analysis, and framework mapping. Week 5–6: final report, heat map, and roadmap delivery. Timelines can compress if your team has documentation ready and availability is good.
Will you work alongside our existing IT or security team?
Yes, the assessment is collaborative by design. We need your IT, engineering, and operations teams available for walkthroughs. We do the documentation and analysis; your team provides context on how controls actually operate in practice.
Know where you stand. Then commit.
Book a scoping call. We'll discuss your current state, the business drivers behind your compliance work, and send a fixed-fee proposal within 48 hours.
Fixed-fee proposal in 48 h · Framework-agnostic