SERVICE

Risk Assessment

In this 3-week sprint, we combine proven risk management methods with the requirements of ISO 27001

Risk Register in 3 Weeks

The goal is to develop a complete threat and risk profile for a defined scope over three phases (one per week), fully aligned with ISO/IEC 27001 requirements. The result: a compliant risk register with prioritized risks and a structured risk treatment plan.

WEEK 1

Context Definition & Asset Identification

In the first week, we lay the foundation for a solid risk analysis. Together, we define the scope, identify critical information assets, and capture initial potential threats – in a structured and practical way.
Activity
Scope Definition & Framework
  • Alignment with your ISMS scope according to ISO 27001: defining organizational and technical boundaries
  • Involving relevant stakeholders (CISO, asset owners, IT leadership, business units)
  • Setting objectives, responsibilities, and milestones
Inventory of Critical Assets
  • Identification of all information assets (data, systems, processes) within the defined scope
  • Classification of assets by business relevance, confidentiality, and integrity
  • Documentation using lists or templates (e.g., asset catalog based on Annex A)
Initial Threat Analysis
  • Workshop: collaborative brainstorming of potential attackers, motives, and attack scenarios for each asset (C/I)
  • Creation of an initial threat list documenting potential threats per asset
  • Comparison with existing policies and controls to identify initial gaps

WEEK 2

Risk Identification & Technical Vulnerability Analysis

In week 2, we connect potential threats with concrete vulnerabilities in your IT environment. Using technical assessments and structured evaluations, we create a prioritized risk profile – traceable, transparent, and fully ISO 27001-compliant.
Activity
Threat & Vulnerability Mapping
  • In-depth workshop: linking the threat list from Week 1 with existing knowledge about known vulnerabilities
  • Initial qualitative assessment of likelihood and potential impact for each risk
Optional: Technical Scans & Asset Inventory
  • External scans: identifying vulnerabilities in publicly accessible systems
  • Internal scans: basic network and host scans within the defined IT scope
  • Consolidation of scan results: classification based on CVSS scores or comparable metrics
  • Documentation using lists or templates (e.g., asset catalog aligned with Annex A)
Risk Assessment
  • Evaluation of scan results combined with threat scenarios
  • Quantitative or semi-quantitative risk evaluation (likelihood × impact)
  • Creation of a risk matrix: visualizing all identified risks by priority
  • Development of an ISO 27001-compliant risk register
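The likelihood × impact scoring, CVSS-based classification of scan results and risk matrix listed above can be sketched in a few dozen lines. The following is an added illustration, not the provider's tooling or method: the 1..5 scales, the three matrix bands, the default treatment option per band and the sample risks are all constructed assumptions; only the CVSS v3 severity bands are the published ones.

```python
"""Added example (not the provider's code): a minimal risk register in the
likelihood x impact style. Scales, matrix bands and the treatment-option
mapping are assumptions chosen for illustration; sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CVSS v3.x qualitative severity bands as published by FIRST.
CVSS_BANDS = ((0.0, "None"), (0.1, "Low"), (4.0, "Medium"),
              (7.0, "High"), (9.0, "Critical"))

# Assumed mapping from scan severity onto a 1..5 likelihood scale.
SEVERITY_TO_LIKELIHOOD = {"None": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating; rejects out-of-range input."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    label = "None"
    for lower, name in CVSS_BANDS:
        if score >= lower:
            label = name
    return label


@dataclass
class Risk:
    asset: str
    threat: str
    impact: int                   # 1 (negligible) .. 5 (severe), from asset classification
    likelihood: int               # 1 (rare) .. 5 (almost certain), workshop estimate
    cvss: Optional[float] = None  # highest CVSS score found by scans, if any

    def __post_init__(self) -> None:
        for name in ("impact", "likelihood"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be on a 1..5 scale")
        if self.cvss is not None:
            # Scan evidence can only raise the workshop's likelihood estimate,
            # never lower it: a confirmed weakness is hard evidence.
            scan_likelihood = SEVERITY_TO_LIKELIHOOD[cvss_severity(self.cvss)]
            self.likelihood = max(self.likelihood, scan_likelihood)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def risk_level(score: int) -> str:
    """Assumed 3-band matrix on the 1..25 product scale."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def treatment_option(level: str) -> str:
    """Assumed default ISO 27001 treatment option per band (confirmed per risk in the workshop)."""
    return {"High": "modify (implement controls)",
            "Medium": "modify or share (e.g. insurance, contract)",
            "Low": "retain (accept, document decision)"}[level]


def build_register(risks: List[Risk]) -> List[dict]:
    """Prioritised register: highest score first, ties broken by asset name."""
    rows = []
    for r in risks:
        level = risk_level(r.score)
        rows.append({"asset": r.asset, "threat": r.threat, "impact": r.impact,
                     "likelihood": r.likelihood, "score": r.score,
                     "level": level, "treatment": treatment_option(level)})
    return sorted(rows, key=lambda row: (-row["score"], row["asset"]))


def risk_matrix(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Group assets by (likelihood, impact) cell for the matrix visualisation."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.asset)
    return cells


# Constructed sample data, not real findings.
SAMPLE_RISKS = [
    Risk("Customer DB", "SQL injection via web front end", impact=5, likelihood=2, cvss=9.8),
    Risk("HR file share", "Ransomware via phishing", impact=4, likelihood=3),
    Risk("Intranet wiki", "Outdated CMS version", impact=2, likelihood=2, cvss=5.3),
    Risk("Public website", "Defacement", impact=2, likelihood=4, cvss=4.0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['level']:6} {row['score']:>2}  {row['asset']:15} {row['treatment']}")
    for cell, assets in sorted(risk_matrix(SAMPLE_RISKS).items(), reverse=True):
        print(f"L{cell[0]} x I{cell[1]}: {', '.join(assets)}")
```

The one design point worth noting is that scan evidence only ever raises the likelihood estimate from the workshop; a qualitative guess of "rare" for an asset that a scan shows to carry a critical, reachable weakness should not survive the merge, while a clean scan says nothing about non-technical threats such as phishing and so leaves the workshop estimate alone.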

WEEK 3

Risk Register & Treatment Plan with Roadmap

In week 3, we turn insights into action. We develop an ISO 27001-compliant risk treatment plan, create an actionable roadmap with resource planning, and deliver all results in audit-ready format – including a management presentation and clear KPIs for ongoing success.
Activity
Development of the Risk Treatment Plan
  • Workshop: Definition of technical, organizational, and procedural controls in accordance with ISO 27001 Annex A
  • Differentiation between immediate actions (quick wins) and mid-term and long-term measures such as process adjustments, tool implementations, or training programs
Roadmap & Resource Planning
  • Final evaluation of all risk scenarios based on risk tolerance criteria and business impact
  • Creation of an action roadmap, defining responsibilities, timelines, and required budgets
  • Definition of key success factors, including measurable KPIs (e.g. reduction of open risks, control implementation rate)
Consolidation & Documentation
  • Finalization of the ISO 27001-compliant risk treatment plan (including risk scorecard and action list)
  • Creation of a consolidated risk & threat report: management summary, detailed risk analysis, and actionable recommendations
  • Finalization of all documents in audit-ready format
Final Presentation & Handover
  • Management presentation of key results: risk matrix, risk register, and roadmap
  • Discussion of how to transition the developed content into your ongoing ISMS operations (e.g. integration into your ISMS tool)
  • Recommendations for regular reviews and continuous improvement
Deliverables
  • ISO 27001:2022-compliant Risk Register
  • Consolidated Risk & Threat Report
  • Risk Matrix & Risk Scorecard
  • Action Roadmap / Risk Treatment Plan
  • Audit-ready documentation (Excel, PDF, integration-ready templates)
Note
Each workshop is professionally facilitated and documented to ensure that all results are clearly recorded and traceable.

OPTIONAL

Add-on Services

For even deeper insights, we offer optional services that enhance the sprint with data-driven inputs or regulatory depth. Whether technical scans, data analysis, or additional compliance requirements – these modules make your risk analysis even more robust and future-ready.
Activity
Technical Foundation for Risk Analysis: Vulnerability Scans & Data Insights
If needed, we complement the manual risk analysis with automated vulnerability scans of your IT landscape and analysis of existing data.

The goal: to detect potential system and application vulnerabilities early and provide solid technical findings to support the workshop discussions.

Modern vulnerability scanners examine your systems for known security issues and prioritize them based on severity.

Optional: With Microsoft Purview, you gain structured insights into data classifications, flows, and potential privacy or compliance risks – enabling a fast overview of your threat landscape and focused actions where it matters most.

The results feed directly into the Risk & Threat Report, enriching the workshop-based evaluation with data-driven insights.
Expandable to Additional Compliance Requirements
If needed, the Threat Modeling & Risk Assessment Sprint can be extended to include further regulatory requirements – such as BSI IT-Grundschutz, the EU NIS2 Directive, DORA, or other relevant standards.

Service & Pricing Overview

Transparent services at a fixed price – with no hidden costs. Our risk assessment delivers solid, well-founded insights to guide your next ISMS steps.

Service and Price (excl. VAT)

Threat Modeling & Risk Assessment Sprint: one-time fixed price, €16,970
  • Kick-off & preparation
  • Facilitated workshops
  • Consolidated Risk & Threat Report
  • Development of a Risk Scorecard
  • Prioritized action roadmap
  • ISO/IEC 27001:2022-compliant Risk Register (optionally extendable to BSI IT-Grundschutz & NIS2)
  • Deliverables in Excel format & integration into ISMS tool

Additional Sprint Days: €1,250 per day
  • In-depth workshops, deep dives, follow-up sessions

Application Security Scan: fixed price per scan per application, €1,750
  • Application analysis or extended scan runs
  • Detection and prioritization of critical vulnerabilities

Recurring Scan Subscription: annual fixed price per application, €5,950
  • Four standardized repeat scans per year
  • Trend analysis included
Fixed price
Includes preparation, execution, and documentation of the 15-day ISO 27001 risk assessment sprint.
Optional Add-On Days
Additional analyses or workshops can be flexibly booked at the agreed daily rate – providing extra depth when needed.
Single Scan
Covers full preparation, execution, and a results report with concrete recommendations.
Subscription Model
Continuous monitoring of your applications – no upfront costs and ongoing transparency.
Scope of Analysis
Depends on the agreed sprint duration.
Ready to take the next step?
Book a free strategy session with us – no obligation, no pressure.
Contact Us