Security risk assessment

Structured ISO 27005-aligned assessments scoped to your actual business. We produce risk registers your board can read, not artefacts for the archive.

Most security risk assessments deliver a heavyweight document and a remediation list that loses momentum within weeks of delivery. The document is comprehensive; nothing changes; the next assessment finds the same risks.

Our risk-assessment practice is built around the conviction that the value of an assessment lies in the conversation it provokes with senior leadership, not in the document itself. We deliver a short narrative report with the material findings, the risk register in a format your security committee can update quarterly, and a one-page board summary.

We work to the ISO 27005:2022 risk-assessment process, calibrated against the threat picture for your sector and your regulatory environment. Where the regulatory environment requires a specific methodology — NIS2 Article 21, DORA Article 6, sector-specific guidance — we align the approach without imposing the full methodological overhead on assessments that do not need it.

The output is engineered to be maintained. Risk registers should be living artefacts updated by your security team after delivery; documents that require a consultant to update have already failed.

Typical deliverables

  • Narrative risk-assessment report (typically 12-20 pages, not 200)
  • Maintained risk register in a format compatible with your GRC tooling
  • One-page board summary with the material findings
  • Remediation roadmap with effort estimates and dependencies
  • Handover session with your security team

Engagement model

Risk-assessment engagements typically run six to ten weeks, depending on organisational scope. We scope the engagement collaboratively in a first meeting, deliver a written proposal with effort and timeline before any contract is signed, and stage the work to allow checkpoints at the midpoint.

Get in touch

To discuss whether this service is a fit for your organisation, contact us at office@ellipseproject.com or use the contact form.