Risk Assessment


Mature organizations are increasing their reliance on risk assessments to gain an enterprise-wide view of their security risks. With regulations like Sarbanes-Oxley, PCI, and HIPAA increasingly pushing organizations to perform security risk assessments, it’s become more important than ever before to have one performed. Based on ten years of experience assessing entire security programs, SecureState has developed a suite of offerings around its risk equation to help clients understand where they truly stand in terms of security risk.

  • The iRisk Framework provides clients with a true assessment of their security risks
  • An iRisk Assessment can help meet PCI, Meaningful Use, and other regulatory requirements


An iRisk Assessment will provide an organization with a global view of its information security risks and a framework which can easily be aligned with most Enterprise Risk Programs. This provides security with much greater visibility among executive leadership and places security risks in their proper context with other business risks like liquidity, supply chain management, and reputation.

Many regulations have begun to more narrowly define what they look for in a risk assessment; the “finger to the wind” assessments of the past are no longer good enough. SecureState’s PCI auditors (QSAs) have reviewed the PCI Council’s recent risk assessment guidance to ensure that the iRisk Assessment aligns with and meets PCI requirements. Additionally, the iRisk Assessment has been aligned with the ISO 27005 framework and can be used to meet Meaningful Use and other risk assessment requirements.


SecureState consultants have experience with a wide variety of Risk Assessment methodologies including FAIR, OCTAVE, NIST, and ISO 27005. Our Profiling practice has a team of experts who perform custom vulnerability research and align ratings with the CVSS vulnerability rating system. Our audit practice contains consultants with years of experience performing HIPAA, PCI, ISO 27002, and many other control assessments. SecureState’s Advisory Services practice has assisted numerous clients in performing Threat Assessments, as well as pulling together Threat, Vulnerability, and Control data to identify a client’s residual iRisk.

Did You Know?

  • SecureState’s approach to Risk Assessment will help a client to meet regulatory requirements such as PCI-DSS, HIPAA, and ISO 27001
  • SecureState’s iRisk Assessment aligns with the ISO 27005 standard
  • SecureState can leverage existing assessments that have been recently performed

Our Approach and Methodology

There are multiple steps that go into performing a full risk assessment. Typically SecureState will perform the following:

  • Business Process Mapping
  • Asset Inventory
  • Vulnerability Assessment
  • CMMI Control Assessment
  • Threat Assessment
  • Risk Analysis
  • Recommended Risk Treatment Plan

If there is a specific regulatory requirement being targeted, such as PCI, these steps will be tailored to meet that requirement, and additional ones may be added. If a client has already performed one or more of these steps themselves, that information can potentially be leveraged during the iRisk assessment, eliminating duplicate efforts.


SecureState believes that Security Risk is made up of several components:

  • A Threat of some type, such as a malicious hacker or a piece of malware
  • A Vulnerability in some system, application, or other organization asset which a Threat can exploit
  • Controls which serve to diminish the ability of a Threat to exploit a given Vulnerability

iRisk Calculation

To perform a thorough assessment of risk, all three of these components need to be addressed. A Penetration Test or Vulnerability Assessment can be leveraged to identify vulnerabilities. A PCI, HIPAA, or ISO 27001 audit can identify controls, as can an INFOSEC assessment. Finally, a Threat Assessment needs to be performed to identify threats to the organization, as well as their likelihood and impact. By bringing all three of these components together, an organization is able to identify its true iRisk.

To ensure that the iRisk framework can be easily adopted by any organization which wishes to use it, as well as to allow for its continued improvement over time, SecureState has chosen to embrace the open source model which has been so successful for software like the Linux Kernel, Apache webserver, and Metasploit penetration testing framework. All of the latest iRisk content is accessible on the public web portal, which any security or risk practitioner can request edit access to and begin contributing their own content.

What Makes Us Different

  • SecureState ties together the work of Penetration Testers, Auditors, and other assessors to produce a single result.
  • SecureState’s iRisk framework is open source, and freely available to anyone who wishes to leverage it.
  • SecureState can perform a Risk Assessment which aligns with FAIR, OCTAVE, NIST, or ISO 27005 methodology.