IT Security Risk Assessment
Identify Threats. Quantify Risk.
Structured risk assessments aligned to NIST SP 800-30 and NIST RMF. We identify threats, quantify risk with likelihood-impact matrices, and deliver a prioritized remediation roadmap that satisfies CMMC, HIPAA, SOC 2, and PCI DSS requirements.
What We Evaluate
Seven domains covering your complete attack surface, assessed against NIST SP 800-53 and applicable compliance frameworks.
Technical Controls
- Network perimeter, segmentation, firewall rules, and IDS/IPS
- Identity management, MFA, privileged access, and least privilege
- Endpoint detection, patch management, and application controls
- Cloud configuration (M365, Azure, AWS) and data encryption
Administrative Controls
- Security policies, incident response, and business continuity
- Physical security, server room access, and environmental controls
- Data classification, DLP, backup integrity, and key management
- Vendor risk management and change management procedures
What You Receive
Documentation for two audiences: technical teams and executive leadership.
Risk Register
Complete inventory of identified risks with threat source, vulnerability, likelihood, impact, raw risk, existing controls, and residual risk level.
Executive Summary
Plain-language overview of risk posture, critical findings, and strategic priorities for board members and C-suite stakeholders.
Compliance Gap Matrix
Control-by-control mapping against CMMC, HIPAA, SOC 2, PCI DSS, or ISO 27001 requirements.
Remediation Roadmap
Phased action plan sequenced by risk reduction value. Quick wins separated from strategic initiatives.
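The register fields and roadmap sequencing described above can be worked through in code. The following is an added example, not PTG's tooling or template: it scores each risk on a 3x3 likelihood-impact matrix, computes raw risk, residual risk after existing controls, and the risk reduction value of a proposed fix, then separates quick wins from strategic initiatives. The sample risks, the controls, and the assumption that each control removes a stated number of ranks from likelihood or impact are all constructed for illustration.

```python
"""Likelihood-impact risk register with a remediation roadmap (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordinal ranks for a 3x3 matrix in the NIST SP 800-30 qualitative style.
# They are ranks, not measured probabilities or dollar figures.
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # assumption: ranks removed from likelihood
    impact_reduction: int = 0       # assumption: ranks removed from impact


@dataclass
class Remediation(Control):
    quick_win: bool = False         # low effort, can ship ahead of strategic work


@dataclass
class Risk:
    risk_id: str
    threat_source: str
    vulnerability: str
    likelihood: str                 # low / moderate / high
    impact: str                     # low / moderate / high
    existing_controls: List[Control] = field(default_factory=list)
    proposed: Optional[Remediation] = None


def clamp(rank: int) -> int:
    """Keep a rank inside the matrix after control reductions are applied."""
    return max(1, min(3, rank))


def score(likelihood_rank: int, impact_rank: int) -> int:
    """One cell of the 3x3 matrix: product of the two ranks (1..9)."""
    return clamp(likelihood_rank) * clamp(impact_rank)


def rating(risk_score: int) -> str:
    """Band a matrix cell into the qualitative level reported in the register."""
    if risk_score >= 6:
        return "High"
    if risk_score >= 3:
        return "Moderate"
    return "Low"


def apply_controls(risk: Risk, controls: List[Control]) -> int:
    lik, imp = LEVELS[risk.likelihood], LEVELS[risk.impact]
    for c in controls:
        lik -= c.likelihood_reduction
        imp -= c.impact_reduction
    return score(lik, imp)


def raw_risk(risk: Risk) -> int:
    return score(LEVELS[risk.likelihood], LEVELS[risk.impact])


def residual_risk(risk: Risk) -> int:
    return apply_controls(risk, risk.existing_controls)


def post_remediation_risk(risk: Risk) -> int:
    controls = list(risk.existing_controls) + ([risk.proposed] if risk.proposed else [])
    return apply_controls(risk, controls)


def build_register(risks: List[Risk]) -> List[dict]:
    """Risk register rows, highest residual risk first."""
    rows = [{
        "id": r.risk_id, "threat_source": r.threat_source, "vulnerability": r.vulnerability,
        "likelihood": r.likelihood, "impact": r.impact, "raw": raw_risk(r),
        "existing_controls": [c.name for c in r.existing_controls],
        "residual": residual_risk(r), "residual_rating": rating(residual_risk(r)),
    } for r in risks]
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


def build_roadmap(risks: List[Risk]) -> dict:
    """Sequence remediations by risk reduction value; quick wins kept apart."""
    plan = {"quick_wins": [], "strategic": []}
    for r in risks:
        if r.proposed is None:
            continue
        item = {"id": r.risk_id, "action": r.proposed.name,
                "risk_reduction": residual_risk(r) - post_remediation_risk(r)}
        plan["quick_wins" if r.proposed.quick_win else "strategic"].append(item)
    for bucket in plan.values():
        bucket.sort(key=lambda i: i["risk_reduction"], reverse=True)
    return plan


# Constructed sample risks; names, controls and reductions are illustrative only.
SAMPLE_RISKS = [
    Risk("R-01", "ransomware affiliate", "unpatched VPN appliance", "high", "high",
         proposed=Remediation("apply vendor patch", likelihood_reduction=2, quick_win=True)),
    Risk("R-02", "phishing campaign", "no MFA on cloud mail", "high", "high",
         existing_controls=[Control("awareness training", likelihood_reduction=1)],
         proposed=Remediation("enforce MFA for all users", likelihood_reduction=1, quick_win=True)),
    Risk("R-03", "malicious insider", "over-broad file share permissions", "moderate", "moderate",
         existing_controls=[Control("DLP monitoring", likelihood_reduction=1)],
         proposed=Remediation("least-privilege share redesign", impact_reduction=1)),
    Risk("R-04", "power failure", "server room without UPS", "moderate", "high",
         proposed=Remediation("install UPS and generator", impact_reduction=2)),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row["id"], row["raw"], row["residual"], row["residual_rating"])
    print(build_roadmap(SAMPLE_RISKS))
```

Note that the roadmap orders items by how much residual risk each fix removes, not by raw CVSS severity, which is the distinction the page draws between a risk-ranked register and a raw CVE list.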
Threat Landscape Briefing
Analysis of threat actors relevant to your industry mapped to MITRE ATT&CK tactics, techniques, and procedures.
Vulnerability Detail Report
Technical findings with CVSS scores, affected assets, evidence, and specific remediation instructions.
Risk Assessment vs. Vulnerability Scan
Vulnerability Scan
Raw CVE List
Automated output of known technical weaknesses ranked by CVSS severity, with no business context.
No Threat Modeling
Reports vulnerabilities without considering who would exploit them or what the business impact would be.
Not Audit-Ready
Scans alone do not satisfy the risk assessment requirements in HIPAA, CMMC, SOC 2, or PCI DSS.
Risk Assessment
Risk-Ranked Register
Each finding tied to a threat source, likelihood, impact, and residual risk after existing controls are factored in.
Industry-Specific Threats
Threat actors mapped to your industry, geography, and data types using current intelligence.
Compliance Artifacts
Output satisfies risk assessment mandates across every major framework your auditor evaluates.
NIST SP 800-30 Process
- Scope Definition
- Asset Inventory
- Threat Identification
- Vulnerability Analysis
- Risk Calculation
- Report and Brief
Satisfies Requirements For
Frequently Asked Questions
How is a risk assessment different from a vulnerability scan?
A vulnerability scan identifies known technical weaknesses. A risk assessment contextualizes each finding with threat modeling, asset valuation, likelihood analysis, and impact scoring to produce a business-risk register. Every compliance framework distinguishes the two.
How long does the assessment take?
For 25-100 employees with a single location, typically 2-4 weeks. Larger organizations with multiple locations or complex environments may require 4-8 weeks. We confirm timeline during the scoping call.
Is a risk assessment required for HIPAA?
Yes. The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) requires covered entities and business associates to conduct an accurate and thorough assessment. The Office for Civil Rights has imposed multi-million-dollar fines on organizations that failed this requirement.
Do we need a risk assessment for CMMC certification?
Yes. CMMC Level 2 includes control RA.L2-3.11.1 requiring periodic risk assessments. Our output satisfies this requirement and produces artifacts that can be presented during a CMMC assessment.
Can PTG help remediate the issues found?
Yes. We offer complete remediation services including technology implementation, NIST compliance consulting, policy development, security awareness training, and managed security services.
Know Your Risk. Protect Your Business.
Contact us to schedule your IT security risk assessment. Transparent pricing, actionable intelligence, audit-ready deliverables.