SERVICE

Risk Assessment

In this 3-week sprint, we combine proven risk management methods with the requirements of ISO 27001.

Risk register in 3 weeks

The aim is to develop a complete threat and risk profile for a defined scope in three phases (one week each) that meets the requirements of ISO 27001. The end result is an ISO/IEC 27001-compliant risk register with prioritized risks and a risk treatment plan.

WEEK 1

Context definition & asset identification

In the first week, we lay the foundation for a well-founded risk analysis. Together, we define the scope, identify critical information assets and capture the first potential threats, in a structured and practical way.
Activities
Scope definition and framework
  • Alignment with your ISMS scope in accordance with ISO 27001: defining organizational and technical boundaries
  • Involving relevant stakeholders (CISO, asset owner, IT management, specialist areas)
  • Set goals, responsibilities, and milestones
Inventory of critical assets
  • Recording of all information assets (data, systems, processes) within the defined scope
  • Classification of assets according to business significance, confidentiality and integrity
  • Documentation in lists or templates (e.g. asset catalog according to Annex A)
Initial threat analysis
  • Workshop: Joint brainstorming of potential attackers, motives and attack scenarios per asset (CI)
  • Preparation of an initial threat list, which records potential threats to each asset
  • Alignment with existing policies and controls to identify initial gaps

WEEK 2

Risk Identification & Technical Vulnerability Analysis

In week 2, we link potential threats to specific vulnerabilities in your IT landscape. Based on technical analyses and structured assessments, a prioritized risk picture is created that is comprehensible, transparent and ISO 27001-compliant.
Activities
Threat and vulnerability link
  • In-depth workshop: merging the threat list (week 1) with existing knowledge of vulnerabilities
  • First qualitative assessment of the probability of occurrence and impact for each risk
Technical scans & inventory (optional, if applicable)
  • Carrying out external scans: identifying potential vulnerabilities in your publicly accessible systems
  • Carrying out internal scans: basic network and host scans in the defined IT area
  • Consolidation of all scan results: classification by CVSS score or a comparable metric
  • Documentation in lists or templates (e.g. asset catalog according to Annex A)
Risk assessment
  • Evaluation of scans in combination with threat scenarios
  • Quantitative or semi-quantitative assessment of identified risks (probability of occurrence × severity of damage)
  • Preparation of a risk matrix: visualization of all identified risks by priority
  • Preparation of an ISO 27001-compliant risk register
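The semi-quantitative scoring described in these bullets, as an added example that is not part of the service description: likelihood from the workshop, impact derived from the CVSS base score of the linked scan finding (standard CVSS v3 qualitative bands) or set manually by the asset owner, score = probability of occurrence × severity of damage on a 5×5 matrix, and a treatment decision against a risk tolerance threshold. The 1-5 scales, the CVSS-to-impact mapping and the tolerance value of 8 are assumptions to be agreed per ISMS scope.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
# Standard CVSS v3 qualitative bands mapped onto a 1-5 impact scale (assumed mapping).
CVSS_BANDS = ((9.0, 5), (7.0, 4), (4.0, 3), (0.1, 2))  # Critical, High, Medium, Low

@dataclass
class Risk:
    risk_id: str
    threat: str                    # asset + threat scenario from the week 1 threat list
    likelihood: int                # 1 (rare) .. 5 (almost certain), agreed in the workshop
    cvss: Optional[float] = None   # base score of the linked scan finding, if one exists
    impact: Optional[int] = None   # 1..5, set by the asset owner when no scan data exists

def impact_from_cvss(cvss: float) -> int:
    """Translate a CVSS base score into the impact scale; 0.0 is informational."""
    for threshold, impact in CVSS_BANDS:
        if cvss >= threshold:
            return impact
    return 1

def effective_impact(risk: Risk) -> int:
    """A manual impact rating takes precedence; otherwise derive it from the scan result."""
    if risk.impact is None and risk.cvss is None:
        raise ValueError(f"{risk.risk_id}: needs either a CVSS score or a manual impact")
    impact = risk.impact if risk.impact is not None else impact_from_cvss(risk.cvss)
    if not 1 <= impact <= 5 or not 1 <= risk.likelihood <= 5:
        raise ValueError(f"{risk.risk_id}: likelihood and impact must be within 1..5")
    return impact

def priority(score: int, tolerance: int) -> str:
    """Matrix zone; anything above the agreed risk tolerance needs a treatment measure."""
    return "high" if score >= 15 else "medium" if score > tolerance else "low"

def build_register(risks: List[Risk], tolerance: int = 8) -> List[Dict]:
    """Risk register rows (probability of occurrence x severity), highest score first."""
    rows = []
    for r in risks:
        impact = effective_impact(r)
        score = r.likelihood * impact
        rows.append({"id": r.risk_id, "threat": r.threat, "likelihood": r.likelihood,
                     "impact": impact, "score": score, "priority": priority(score, tolerance),
                     "treatment": "treat" if score > tolerance else "accept"})
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample input, not real findings.
SAMPLE = [
    Risk("R-01", "Customer portal: RCE via unpatched component", likelihood=4, cvss=9.8),
    Risk("R-02", "Backup server: ransomware encrypts backups", likelihood=2, impact=5),
    Risk("R-03", "Internal wiki: information disclosure", likelihood=3, cvss=3.1),
]
```

Risks with a score at or below the tolerance are recorded as accepted; everything above it carries over into the week 3 treatment plan.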

WEEK 3

Risk register & treatment plan with roadmap

In week 3, we turn findings into concrete measures. We develop an ISO 27001‑compliant risk treatment plan, create an implementable roadmap including resource planning and hand over all results ready for audit — including management presentation and clear KPIs for continuous success.
Activities
Preparation of the risk treatment plan
  • Workshop: Defining technical, organizational and procedural controls in accordance with ISO 27001 Annex A
  • Distinction between immediate measures (quick wins) that can be implemented in the short term, and medium- and long-term measures such as process adjustments, tool introductions or training programs
Roadmap & resource planning
  • Final evaluation of all risk scenarios according to risk tolerance criteria and business relevance
  • Preparation of an action roadmap that defines responsibilities, timelines and required budgets
  • Definition of critical success factors, including key performance indicators (KPIs) for subsequent performance monitoring (e.g. reduction of outstanding risks, degree of compliance with controls)
Consolidation & documentation
  • Finalization of the ISO 27001-compliant Risk Treatment Plan (including risk scorecard and list of measures)
  • Preparation of a consolidated risk & threat report: management summary, detailed risk analysis and recommended measures
  • Finalization of all documents in auditable form
Final presentation of results
  • Presentation of results before management: risk matrix, risk register, roadmap
  • Coordination of how the developed content is transferred to ongoing ISMS operations (e.g. integration into your ISMS tool)
  • Recommendation guide for regular reviews and continuous improvement
Deliverables at the end of the sprint
  • ISO 27001:2022-compliant risk register
  • Consolidated Risk & Threat Report
  • Risk Matrix & Risk Scorecard
  • Action Roadmap/Risk Treatment Plan
  • Auditable documentation (Excel, PDF, integrable templates)
Note
Each workshop is professionally moderated and documented so that all results are recorded comprehensibly.

OPTIONAL

Optional bookable services

For even deeper insights, we offer additional services that support the sprint based on data or expand it in regulatory terms.
Whether it's technical scans, data analyses or additional compliance requirements, these modules make your risk analysis even more well-founded and future-proof.
Activities
Technical underpinning of risk analysis: vulnerability scans and data analysis
If necessary, we supplement the manual risk analysis with automated vulnerability scans of your IT landscape or by evaluating existing information. The aim is to identify potential vulnerabilities in systems and applications at an early stage and to provide well-founded technical findings for the workshops.

Modern vulnerability scanners check your systems for known vulnerabilities and prioritize them by severity.

Optional: With Microsoft Purview, you gain structured insights into data classifications, flows, and potential data protection and compliance risks — for a quick overview of your attack surface and targeted measures at critical points.

The results flow directly into the Risk & Threat Report and supplement the assessments from the workshops with data-based facts.
Expandable to further compliance requirements
On request, the Threat Modelling & Risk Assessment Sprint can be extended to include additional regulatory requirements, e.g. BSI IT-Grundschutz (IT baseline protection), the EU NIS2 Directive, DORA or other relevant standards.

Services and price overview

Transparent services at a fixed price — without hidden costs.
Our risk assessment provides well-founded results for your next ISMS steps.

Service | Price (plus VAT)

Threat Modelling & Risk Assessment Sprint (flat rate)
One-time package price: 16,970 €
  • Kick-off & preparation
  • Moderated workshops
  • Consolidated Risk & Threat Report
  • Risk scorecard
  • Prioritized action roadmap
  • ISO/IEC 27001:2022-compliant risk register (optionally expandable with BSI IT-Grundschutz & NIS2)
  • Delivery of results as Excel & integration into an ISMS tool

Additional sprint days
1,250 € per person day
  • In-depth workshops, deep dives, follow-up

Security scan of an application
Flat rate per scan per application: 1,750 €
  • Analyses or advanced scan runs of applications
  • Identification and prioritization of critical vulnerabilities

Regular scans as a subscription
Annual package price per application: 5,950 €
  • Four standardized repeat scans per year
  • Trend analysis

Notes
Package price: Includes preparation, implementation and documentation of the 15-day risk assessment sprint in accordance with ISO 27001.
Optional additional days: Further analyses or workshops can be booked flexibly at the agreed daily rate, for more depth if required.
Single scan: Includes full preparation, implementation and results report with specific recommendations.
Subscription model: Continuous monitoring of your applications, without one-time costs and with continuous transparency.
Scope of analysis: Depending on the agreed sprint duration.
Ready to take the next step?
Book a non-binding strategy meeting right here.
Contact us