ClearSecurity VISION

Risk Assessment & Audits

Organizational security audits and risk assessments that go beyond checklists — delivering context-specific findings and regulatory alignment (NIS2, GDPR).

What We Deliver

Risk assessments and security audits answer different questions. A risk assessment asks: what could go wrong, how likely is it, and what would the impact be? An audit asks: are the controls you said you have actually in place and working? Both questions matter. We do both, and we do them in a way that produces findings you can act on rather than reports that validate existing assumptions.

Our risk assessments produce a risk register built on your actual operating context — your assets, your processes, your dependencies, your regulatory environment. Our audits examine control effectiveness against specific frameworks (NIS2, GDPR, ISO 27001) and produce findings grounded in evidence, not self-assessment questionnaires.

How We Work

A risk assessment begins with asset identification and classification. We work with your teams to build an inventory of information assets, systems, and processes, assign business criticality ratings, and map dependencies. This foundation prevents the common failure mode of risk assessments that miss the things that actually matter because nobody documented them.

Threat and vulnerability analysis follows. We apply sector-specific threat intelligence to your asset profile, identify the vulnerabilities that create realistic risk exposure, and evaluate existing controls against each threat scenario. The risk treatment step then produces a prioritized action plan — accept, mitigate, transfer, or avoid — with rationale for each decision.

Audit engagements follow a structured methodology against the target framework. For NIS2, we assess your governance structure, risk management practices, incident detection and reporting capabilities, supply chain security, and business continuity posture. For GDPR, we examine your data inventory, lawful basis documentation, consent mechanisms, data subject request processes, and processor agreements. Findings are graded by severity with clear remediation guidance attached.

Typical Engagement

A standalone risk assessment for a mid-sized organization typically runs three to four weeks. A compliance audit against a specific framework (NIS2, GDPR, ISO 27001) runs two to three weeks. Combined engagements are common — particularly for organizations approaching a compliance deadline or preparing for an external certification audit.

Expected Outcomes

You receive a risk register with quantified exposure, a prioritized remediation plan, and where applicable a compliance gap report against the relevant framework. For NIS2 entities, our audit output provides the documented evidence base for regulatory reporting requirements. For organizations under GDPR, the audit produces the records of processing activities and control evidence needed for supervisory authority engagement.