Risk Management

Cybersecurity Risk Assessment

Quantify your exposure. Prioritize what matters. Report to the board.

A cybersecurity risk assessment is a systematic evaluation of an organization's security posture that identifies vulnerabilities, quantifies threats and prioritizes remediation. Sherlock Forensics delivers risk assessments aligned to NIST CSF 2.0, ISO 27001, the EU AI Act and the NIST AI RMF, along with AI governance readiness, compliance gap analysis and board-ready security reporting for organizations across Vancouver and British Columbia.

Security decisions should be driven by evidence, not assumptions. Our risk assessments give executives and boards a clear, quantified view of organizational exposure - mapped to recognized frameworks and translated into business impact terms that drive informed investment in controls.

Capabilities

Risk Management Services

01 - Assessment

Security Posture Assessment

Comprehensive evaluation of your technical controls, policies, procedures and governance against NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond and Recover.

02 - Compliance

Compliance Gap Analysis

Gap analysis against ISO 27001:2022, SOC 2 Type II, PCI DSS 4.0, PIPEDA and BC FIPPA. Control mapping with prioritized remediation roadmap and effort estimation.

03 - Quantification

Risk Quantification

FAIR-based risk quantification that translates technical vulnerabilities into financial exposure. Board-ready metrics that tie security investment to business risk reduction.

04 - Architecture

Security Architecture Review

Evaluation of network architecture, cloud infrastructure (AWS, Azure, GCP), identity management and data flow to identify design-level security gaps and misconfigurations.

05 - Policy

Policy & Governance Review

Review and development of security policies, acceptable use policies, incident response plans and business continuity documentation aligned to regulatory requirements.

06 - Reporting

Board-Ready Reporting

Executive summaries, risk heat maps, trend analysis and KRI dashboards designed for board presentation. Technical findings translated into business language decision-makers understand.

07 - AI Governance

AI Risk & Governance

EU AI Act compliance readiness assessment, NIST AI Risk Management Framework alignment and AI risk scoring for deployed models. We evaluate algorithmic transparency, bias controls, data provenance and accountability structures - turning regulatory requirements into auditable controls before enforcement deadlines arrive.

Frameworks

Supported Compliance Frameworks

Framework          | Best For                                            | Deliverable
NIST CSF 2.0       | Baseline security posture, all industries           | Maturity assessment with function scores
ISO 27001:2022     | International certification readiness               | Statement of Applicability, gap report
SOC 2 Type II      | SaaS, cloud, customer-facing services               | Readiness assessment, control mapping
CIS Controls v8    | Prioritized technical hardening                     | Implementation group assessment
PIPEDA / BC FIPPA  | Canadian privacy compliance                         | Privacy impact assessment
EU AI Act          | Organizations deploying AI in or serving EU markets | Risk classification, compliance gap report, conformity roadmap
NIST AI RMF 1.0    | AI/ML system governance, any industry               | AI risk scoring, trustworthiness assessment, governance controls mapping

Frequently Asked Questions

Risk Management FAQs

What is a cybersecurity risk assessment?

A cybersecurity risk assessment is a systematic evaluation of an organization's information systems, policies and controls to identify vulnerabilities, threats and potential business impact. It quantifies risk in business terms and provides prioritized recommendations aligned to frameworks like NIST CSF 2.0.

What frameworks does Sherlock Forensics use?

We align assessments to NIST CSF 2.0, ISO 27001:2022, SOC 2 Trust Service Criteria and CIS Controls v8. Framework selection depends on your industry, regulatory requirements and business objectives.

How long does a cybersecurity risk assessment take?

A typical risk assessment for a mid-market organization takes 3-6 weeks from kickoff to final report delivery. This includes stakeholder interviews, technical assessment, control evaluation, risk quantification and report preparation. Larger enterprises may require 8-12 weeks.

What is the difference between a risk assessment and a penetration test?

A risk assessment evaluates your overall security posture - policies, controls, processes and governance. A penetration test actively exploits technical vulnerabilities. They are complementary: the risk assessment identifies organizational exposure; the pen test proves it technically. We offer both.

Get Started

Ready to assess your security posture?

Order a risk assessment online.

Schedule a Risk Assessment

Understand your security posture before the next board meeting, audit cycle or funding round. Our assessments deliver actionable findings, not binder-filler.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada
Typical Timeline: 3-6 weeks, kickoff to final report