GRC — Flagship Service

Risk Assessment & Risk Register Build

ISO 27005-aligned cybersecurity risk assessment for UAE organisations — asset-based risk identification, threat and vulnerability mapping, scored likelihood × impact, and documented treatment decisions. Audit-ready from day one.

AED 20,000 – 45,000 · GRC Mastery · ISO 27001 LA · 2 – 3 weeks
Book a 30-min Scoping Call →

What it is

A complete, audit-ready cybersecurity risk register and the assessment process that produced it — built to ISO 27005 methodology and usable as evidence for ISO 27001, SOC 2, NESA, PDPL, and similar frameworks.

We identify your information assets and their owners, map the threats relevant to your sector and context, assess existing controls against each threat, score likelihood and impact on a defined rubric, and document the treatment decision for every risk — avoid, transfer, mitigate, or accept — with explicit rationale.

The deliverable is not a spreadsheet of generic risks. It's your risk register, authored to your actual asset base, with an established review cadence your team can maintain.

What this is not

Not a generic risk-register template. Authored to your specific assets and threats.
Not an enterprise risk assessment. Cybersecurity-focused; broader enterprise risk is separate.
Not a GRC-platform implementation. Register is delivered as document + spreadsheet. Platform rollout (Vanta, Drata, Sprinto) is separate.
Not permanent — ongoing maintenance is yours. We build it; you run it (or engage us on retainer in 2027).

Who this is for

1. You're preparing for ISO 27001 and want the risk register in place before full Implementation.
2. Your board or audit committee has asked for a current, defensible cyber-risk view.
3. Your current risk register is outdated (older than 18 months) or was authored by a consultant who's long gone.
4. A regulator or insurer has asked for documented risk management evidence.
5. You're moving from informal risk management (spreadsheet in someone's head) to a managed program.

What you get

  • Risk methodology document — scoring rubric, likelihood and impact definitions, risk appetite guidance, treatment categories.
  • Asset inventory — information assets, owners, criticality, regulatory context.
  • Complete risk register (typically 30 – 80 risks for a mid-market organisation) — identified risk, threat, vulnerability, likelihood score, impact score, risk score, treatment decision, owner, target date.
  • Risk treatment plan — actions required, owners, target dates, acceptance statements for risks explicitly accepted.
  • Risk heat map — visual likelihood × impact matrix, board-consumable.
  • Review cadence template — quarterly review agenda, KRIs to track, escalation thresholds.
  • Handover workshop — 90-minute session training your team to maintain the register.

How we deliver

01. Scoping & methodology (2 – 3 days): Scope workshop, methodology selection (qualitative / quantitative), rubric calibration, risk-appetite discussion.
02. Asset identification (2 – 3 days): Information asset inventory, criticality tiering, owner assignment.
03. Threat & risk identification (4 – 6 days): Threat modelling workshops, vulnerability assessment, existing-control mapping, risk identification.
04. Scoring & treatment (3 – 4 days): Likelihood × impact scoring, treatment decision workshops, owner and target-date assignment.
05. Documentation & handover (3 – 4 days): Full register compilation, methodology document, heat map, review cadence, handover workshop delivery.

Pricing

Published range

AED 20k – 45k

Per engagement. Written quote within 48 hours.

What drives the price:

  • Organisation size & complexity
  • Number of information assets in scope
  • Methodology (qualitative vs. FAIR-style quantitative)
  • Number of stakeholder interviews
  • Regulatory overlay (NESA, PDPL, sector-specific)

Commercial terms

  • Deposit: 50% at signing
  • Net terms: Net-30
  • Quote validity: 30 days
  • ISO 27001 Implementation bundle: included as sub-deliverable if bought together
  • Annual refresh: 30 – 40% of original fee

Your cert-backed lead

Engagement Lead

Manoj Prabhakaran

ISO 27001 Lead Auditor · GRC Mastery · CPTS · CDSA · Security+ · Azure Cloud Security

Focus: Risk methodology, threat modelling, treatment design, board-level risk communication. Angle: risks assessed by someone with an offensive-security background get accurate likelihood scoring for technical risks — neither inflated to the worst case nor dismissed as the best case.

Frequently asked questions

What methodology do you use?

ISO 27005-aligned qualitative assessment by default — asset-based risk identification, threat and vulnerability mapping, likelihood × impact matrix with defined scoring rubric, risk treatment decisions (avoid / transfer / mitigate / accept) with rationale. Quantitative (FAIR-style) methodology available on request for organisations that want dollar-denominated risk conversations.
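As an added illustration of the register structure and scoring described above (example code written for this page, not the firm's own tooling or rubric): a minimal Python model of one register entry with the listed fields, a 5×5 likelihood × impact rubric and band ceilings that are assumed for the example, validation of the fields an auditor checks (rubric range, a known treatment with rationale, a target date for any open action), and the count matrix behind a heat map.

```python
from dataclasses import dataclass

# Assumed 5x5 rubric (likelihood and impact 1-5) with illustrative band ceilings;
# calibrate both to the organisation's own risk appetite.
BANDS = ((5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical"))

def band(score):
    return next(name for ceiling, name in BANDS if score <= ceiling)

@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str  # avoid / transfer / mitigate / accept
    owner: str
    rationale: str
    target_date: str = ""  # accepted risks carry none; every other treatment needs one

    def __post_init__(self):
        # Audit-ready entry checks: rubric range, known treatment with rationale, target date.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.ref}: likelihood and impact must be 1-5")
        if self.treatment not in {"avoid", "transfer", "mitigate", "accept"} or not self.rationale:
            raise ValueError(f"{self.ref}: treatment must be a known option with a rationale")
        if self.treatment != "accept" and not self.target_date:
            raise ValueError(f"{self.ref}: {self.treatment} requires a target date")

def register(risks):
    """Register rows (every field plus score and band), highest score first."""
    rows = [{**vars(r), "score": r.likelihood * r.impact} for r in risks]
    return sorted(({**row, "band": band(row["score"])} for row in rows),
                  key=lambda row: -row["score"])

def heat_map(risks):
    """5x5 count matrix indexed [impact-1][likelihood-1] for the board heat map."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        grid[r.impact - 1][r.likelihood - 1] += 1
    return grid

SAMPLE = [  # constructed sample entries, not drawn from any real assessment
    Risk("R-01", "Customer DB", "Credential theft", "No MFA on admin portal", 4, 5,
         "mitigate", "Head of IT", "MFA rollout funded", "2025-Q3"),
    Risk("R-02", "Guest Wi-Fi", "Guest network misuse", "Shared password", 3, 1,
         "accept", "Office Manager", "Segregated guest VLAN; low impact"),
]
```

The High and Critical rows of `register(SAMPLE)` are the subset a quarterly review would revisit; the constructor's `ValueError` is what stops an incomplete entry reaching the register.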

Why buy a risk register as a standalone service?

Three reasons: (1) you're pursuing ISO 27001 and need a risk register ahead of full Implementation, (2) your board or audit committee has asked for an enterprise risk view and your current register is incomplete or outdated, (3) regulatory frameworks (NESA, PDPL, sector-specific) require documented risk management and you don't have it.

How is this different from ISO 27001 Gap Assessment?

A Gap Assessment measures controls against a standard. A Risk Register identifies risks to your organisation and the treatment decisions made about each. Many clients need both — they answer different questions. Risk Registers are a required sub-deliverable of ISO 27001 Implementation; this service delivers one standalone.

How long does it take?

2 – 3 weeks for a typical mid-market organisation. Larger or more complex environments (multi-entity, multi-jurisdiction) extend to 4 – 5 weeks. The fieldwork is front-loaded; reporting is typically a third of the timeline.

Who should be involved from our side?

One executive sponsor, IT leadership, HR leadership, legal / compliance, operations leads, and typically 2 – 3 subject-matter experts per major technology or business area. 45 – 60-minute interviews with each.

Does this satisfy audit requirements?

Yes — ISO 27001, SOC 2, NESA, PDPL, and most sector-specific frameworks mandate a documented risk management process. Our register provides methodology, identified risks, assessment scores, treatment decisions, owner accountability, and review cadence — all the elements auditors look for.

What ongoing maintenance do I need?

We build the register and establish the review cadence. Typical cadence: quarterly review of high and critical risks, annual full review. You own maintenance; we can be engaged on retainer for quarterly refresh if you want ongoing support (retainer offering launches in 2027).

Do you assess cybersecurity risks only, or broader enterprise risks?

Cybersecurity-focused by default (information assets, systems, data) — that's our expertise. We can include technology-related operational and regulatory risks where they intersect. Broader enterprise risks (financial, strategic, market) are outside our scope and typically handled by a separate enterprise risk function.

Board asking for the cyber-risk view? Auditor asking for the register?

Book a 30-minute scoping call. 2 – 3 weeks to a defensible, audit-ready risk register. Written quote within 48 hours.

Book a Scoping Call →