Security Risk Strategy

We help executives, boards of directors and senior management teams define risk appetite and security risk strategy.

Service overview: The Security Risk Strategy service involves developing a risk appetite statement, a risk management policy, a standard, and a common security risk framework (CSRF) that outlines risk assessment, treatment, acceptance, communication, and risk monitoring.

Methodology: A two-week engagement leverages ISO 31000 and the NIST framework to develop and communicate security risk strategy artifacts.


1. Risk Appetite Statement that defines acceptable risk levels with thresholds 

2. Security Risk Policy and Standard to set the management tone for risk

3. Common Security Risk Framework that provides details on how risk assessment and risk treatment will be done, who will approve and accept the risk, and how the risk will be communicated and monitored.

4. Recommendations to embed the risk management framework and mitigation plans in tactical and operational plans.

Threat Risk Assessment (TRA)

A key supporting enabler that empowers management to make informed, risk-based decisions about information assets.

Service overview: A TRA identifies potential risks to critical organizational assets, evaluates business impacts, and implements controls for the identified threats to minimize the risk.

Methodology: We use the ISO 31000 standard and NIST frameworks for conducting the TRA. We identify assets that need to be protected, perform threat modelling to identify threats, conduct a vulnerability assessment to identify existing vulnerabilities, and define likelihood and impact to identify inherent risk. After identifying the inherent risk, we review current protective technology and compensating controls to assess residual risk.


1. Threat Risk Assessment (TRA) report that provides an executive summary, a prioritized list of identified risks, and recommended protect, detect, respond and recover controls to reduce or transfer the risk.

2. Meeting with business teams to present the risk and Q&A.

Cyber Insurance Risk

We help underwriters evaluate the risk level of the insured. 

Service overview: The Cyber Insurance Risk Assessment identifies and quantifies an organization’s risk level based on its people, process, and technology for insurance underwriting.

Methodology: A 3-day engagement bases the cyber insurance risk assessment on 20 different risk domains and provides a weighted risk score, similar to the well-known personal credit score, that can be used to determine the risk posture for each risk domain and for the company as a whole.


1. Cyber Insurance Risk Assessment Report that provides an executive summary, current risk levels by domain, overall risk scoring, and strategic recommendations for improvement

2. Meeting with underwriting teams to present the risk ratings and Q&A

IoT Risk Assessment

We help project teams evaluate the risk level of Internet of Things (IoT) initiatives.

Service overview: The IoT Risk Assessment identifies and quantifies risks associated with IoT implementations, including IoT device, integration and device manufacturer risk posture.

Methodology: We use an IoT Risk Assessment framework that leverages NIST, ENISA, OWASP and ISO 27000 standards and frameworks.


1. IoT risk assessment report that provides an executive summary, a prioritized list of identified IoT risks, and recommendations for controls for protect, detect, respond and recover activities.

2. Vendor, manufacturer, and supplier risk assessment for the IoT device.

3. Meeting with business teams to present the risk associated with and Q&A.