Seratos Consulting
Working with us to build Adaptive Risk Management

Comprehensive Risk Methodology

The Seratos Risk Management Methodology is a documented approach to evaluating and controlling the risks associated with breaches, delays, rework, or non-compliance with legal, contractual or regulatory requirements.

Effective Risk Assessment Approach

Our consultants have extensive experience and knowledge in identifying the most effective risk management approach for each operational environment in scope.

Continual Assessment Framework

Through the use of a controls baseline and optimization models, we are able to provide actionable solutions for selecting and implementing security and IT controls. Our detailed risk assessment provides an in-depth, cost-driven analysis for a specific set of information assets and systems.

Learn more about Seratos Risk Management

    Is a risk assessment a mandatory requirement to achieve ISO 27001:2013 certification?

    Yes, the risk assessment activities and records are mandatory requirements to achieve the ISO 27001:2013 certification.

    How often does an organization have to perform a risk assessment?

    The risk assessment has to be completed at planned intervals, at least once a year for organizations seeking ISO 27000-series certifications. In addition, a risk assessment must be completed whenever a significant change impacting the assets in scope occurs.

    How do you determine the scope of the risk assessment?

    The Risk Assessment Scope is established in accordance with the requirements specified by the client or the relevant standard.

    Who is responsible for determining the scope of the assessment?

    We work with our clients to help identify the appropriate scope for the risk assessment.

    What must the risk assessment scope include?

    The risk assessment scope should be aligned with the scope of the certification and must include all the associated processes, systems and assets.

    Who is responsible for determining the processes in scope?

    After determining the initial scope, we work with our customers to identify, evaluate and document the processes and assets relevant for the risk assessment.

    Is there a risk assessment process to be followed?

    The risk assessment process is documented in the Seratos Risk Management Methodology. The Risk Assessment is performed in accordance with the documented risk management methodology, which takes into consideration the scope and the organizational objectives for the risk assessment.

    How much of the existing controls, including documentation, technical controls and records, is used in the risk assessment?

    The identified risk mitigation controls, including documented controls and artifacts as well as non-documented (technical/operational) controls, are a fundamental input to the risk assessment.

    What is the purpose of the risk assessment?

    One of the critical objectives of the risk assessment is to identify controls that need improvement or need to be created in order to maintain residual risk below the acceptable risk threshold. Other objectives include compliance with the requirements of the standard, evaluation of operational exposure and budget optimization.

    Who is responsible for identifying the operational controls?

    We work with our clients to identify the documentation, artifacts and controls relevant to the risk assessment scope. Using various methods, we evaluate and map the existing controls to the standard's requirements, creating a "live" baseline control repository.

    What relevant threats are identified for my organization?

    In our risk methodology we have documented a threat matrix that is considered comprehensive for the information security domain. However, depending on the client's specific situation, the threat matrix can be tailored to various types of operational risk.

    How is the threat catalogue generated?

    Using our proprietary risk assessment tool (SRT-ISMS) we generate the threat catalogue and the risk register mapped to the assets in scope.

    How are the threats, risks and controls ranked and prioritized?

    Risk prioritization, categorization and ranking methods are customized and applied based on the client's information security needs and environment.

    How is the threat analysis performed?

    The threat analysis is performed by applying control sequences to the identified threats. Control sequences are made up of baseline controls and represent the real-life activities used to mitigate risk.

    Are clients provided with specialized risk assessment training?

    Our team provides training and workshops covering the risk management methodology, the risk assessment, and reporting methods and techniques.

    Who gets involved in the risk assessment from the client’s side?

    Our consultants work with the in-scope process owners throughout the duration of the risk assessment.

    Where do we find the threat analysis results?

    Results of the threat analysis including the observed deviations are documented in the risk assessment report.

    Are the risk assessment reports tailored for each client?

    The content and format of the risk assessment reports are tailored to address the unique needs of each client.

    What type of risk assessment reports are provided?

    Using a variety of reporting methods, we provide executive and operational teams with the information needed to determine exposure, threat impact, control effectiveness, compliance and risk mitigation levels for their critical assets.

    Does the risk assessment provide a quantitative risk analysis?

    We can provide either a qualitative or quantitative risk assessment based on client needs. With our methodology, we can seamlessly transition from one to the other.

    Does the client have access to its risk assessment data and results?

    The inputs, outputs and results of our risk assessments are available to our clients at all times through cloud services.

    Next Steps

    To find out more about how we can help, schedule an introductory call with one of our consultants.
    Participate in one of our public events; we will be happy to meet you in person.

    Talk with our experts

    Schedule a 15-minute introductory call to discuss your needs with our experts.

    Contact Us

    Call us Toll-Free

    +1-855-218-7878
