Service
Risk analysis
We name the risks before they materialise and put a value on their impact on your company. You get a clear order of action: what to secure first and what can wait.
- ISO/IEC 27001
- 3000+ workstations
- Since 2017
Risk analysis is a project that turns vague security fears into concrete numbers and decisions. It shows which threats genuinely endanger your company, how much they would hurt and where money spent on protection pays back the fastest.
Scope of the analysis
From assets and threats through to a ready risk treatment plan.
-
Asset inventory
We establish what your company really protects: data, systems, processes and people. Without this list, any risk assessment hangs in the air.
-
Threat identification
We name the threats and vulnerabilities for each asset: failures, attacks, human error, suppliers, loss of access.
-
Impact assessment
We put a value on the financial, legal and operational consequences and the likelihood. Risk gets a value, not just a label.
-
Treatment plan
For each significant risk we point to a decision: mitigate, transfer, accept or avoid, with a concrete action.
-
Risk register
We hand over a register ready to keep running, aligned with the ISO 27001 approach and NIS2 requirements.
Why intuition is a poor adviser in security
Without an analysis, companies invest in security wherever the media happened to make noise or where something has already gone wrong. An expensive tool gets bought while a key system sits with no backup, and half the company has access to finance. The money goes, the risk stays.
Risk analysis reverses that logic. Instead of reacting to impressions, we look at what would really hurt the company and how likely it is. As a result, the security budget goes first to where it protects the most value, and the decisions can be justified to the board with numbers.
The foundation for ISO 27001 and NIS2
Risk analysis is not an academic exercise. It is a requirement written directly into ISO/IEC 27001 and the NIS2 directive. If a company plans certification or falls under NIS2, it will have to carry one out anyway, and without it there is no rational way to choose safeguards.
We run it so that the result keeps serving you. The risk register becomes the basis for the statement of applicability under ISO 27001 and the starting point for the risk management measures required by NIS2. We do the work once, and the whole security system benefits from it.
How we run the analysis
Following a recognised methodology, with a result the board can understand.
- 1-3 weekstypical analysis time
- registerof valued risks
- planfor risk treatment
- methodologyaligned with ISO 27001
- Setting the context. We get to know your company, its processes and what is critical to it. We match the risk assessment criteria to reality, not to a template.
- Workshops with your team. We identify threats together with the people who know the systems and processes. They see the vulnerabilities best.
- Valuation and priorities. We assess likelihood and impact and rank the risks. A clear order emerges of what to deal with first.
- Plan and handover. We hand over the risk register and treatment plan and discuss the results with the board, so the decisions are informed.
How we bill
We quote this service individually after a scope survey.
Frequently asked questions
How long does a risk analysis take?
Usually one to three weeks, depending on the size of the company and the number of assets covered. Once we agree the scope, we give a specific deadline.
Is an analysis needed for ISO 27001 and NIS2?
Yes. Both ISO/IEC 27001 and the NIS2 directive require risk management based on an analysis. The result of our analysis serves directly as the basis for both.
Who takes part on the company side?
We need people who know the processes and systems, usually from IT and the key departments. The workshops take a limited amount of time, and most of the analytical work is on our side.
What do I get at the end?
A register of valued risks and a treatment plan with concrete decisions and priorities. You know what to secure first and why, and the document can be kept running afterwards.
Let us talk about your project
Answer 2 questions about your company. You will see a simple estimate right away, and we will prepare a full proposal within 24 business hours.
- 2 minutes, no commitment
- You talk to an engineer, not a salesperson
- No spam, one contact about your quote