Risk assessment.

A written assessment that maps your security posture to NIST CSF 2.0 or ISO 27001, ranks gaps by business risk, and gives you a 90-day plan you can run.

Overview

An assessment is the right starting point when you don't have a written security program, when a customer or insurer is asking for evidence of one, or when you want a second opinion on what you already have. We work alongside your team for three to fourteen weeks, look at your controls, configurations, and processes, and write down what we find.

The report is structured so a non-technical reader can act on it. The risk register is structured so an engineer can. Both are yours.

What's included

  • Documentation review (existing policies, network diagrams, prior audit findings)
  • Stakeholder interviews with leadership, IT, engineering, and operations
  • Configuration review of identity, endpoint, email, cloud, and backup
  • External attack-surface scan and credential exposure check
  • Control-by-control mapping to your governing framework
  • Risk scoring against business impact and likelihood

What you get

  • Posture report. 40 to 90 pages depending on the size of the engagement. Plain English, with a one-page executive summary up front.
  • Risk register. Spreadsheet of every gap with owner, severity, framework reference, and recommended treatment.
  • 90-day remediation plan. Prioritized actions sized for the team and budget you actually have.
  • Executive readout. One-hour live presentation to leadership, with a deck that travels to the board.

Engagement sizes

  • Small. Under 50 employees, single office or remote. Three to six weeks.
  • Mid-sized. 50 to 200 employees, multi-cloud, regulated data. Six to ten weeks.
  • Large. 200 or more employees, multiple business units, M&A diligence. Ten to fourteen weeks.

Travel within Central Florida is included. Out-of-state on-site work is scoped separately at signature.

Common questions

What framework do you use?

NIST CSF 2.0 by default. We can also map to ISO 27001 Annex A, CIS Critical Security Controls v8, HIPAA Security Rule, NIST 800-171, or PCI-DSS as needed.

Will you also fix the findings?

If you want us to. Remediation is a separate engagement, either through a vCISO retainer or a one-time project. The report is portable so you can take it to any qualified firm.

Do you require an NDA before kickoff?

Yes. NDA first, then the kickoff call is scheduled.

Next step

Book a thirty-minute intro call. We'll ask about the business, the program in place, and what's forcing the assessment. If we're not the right firm, we'll say so.