Do you use FAIR exclusively?

Quantitative + Qualitative · Board-Ready

Cybersecurity Risk Assessment

Know what to fix first. With math.

Cybersecurity risk assessment using quantitative methods (FAIR) and qualitative frameworks (ISO 27005, NIST 800-30). Outcome: a prioritized risk register your board can act on, not a 200-page document nobody reads.

Request Audit Talk to a consultant

Download sample audit report

CERT-In format · anonymised

Aligned to

FAIR (Factor Analysis of Information Risk)
ISO 27005:2022
NIST SP 800-30
OCTAVE Allegro

Why this matters

Compliance is leverage, not paperwork.

Most risk assessments produce paperwork, not decisions. Macksofy uses FAIR (Factor Analysis of Information Risk) to express risk in financial terms — letting you compare a $4M expected loss against a $200K control investment with executive clarity.

Applicability

Boards needing quantitative risk for investment decisions
M&A due diligence (target-side or acquirer-side)
Pre-product-launch risk assessment
Annual risk-register update (ISO 27001 / NIST CSF)
Cyber insurance underwriting evidence

Standards & frameworks

Aligned to the regulations that matter.

FAIR (Factor Analysis of Information Risk)

ISO 27005:2022

NIST SP 800-30

OCTAVE Allegro

Methodology

How we run a Risk Assessment engagement.

Interactive walkthrough — every phase clickable, every activity documented, every artefact regulator-ready.

Phase 01 of 5

1 · Scoping

Asset + business process inventory
Critical risk areas identification
Quantitative vs qualitative scope split

Deliverables

Everything you need to satisfy auditors.

FAIR-quantified risk register
Board-level executive briefing
Investment prioritization matrix (ROI by control)
Tabletop scenarios (top 3 risks)
Annual update playbook

Recent engagements

Listed Indian Bank

Annual board-level risk assessment

Outcome: Quantified annual loss expectancy enabled $3M cyber-insurance premium negotiation

At a glance

The shape of a Risk Assessment engagement.

Every number below is grounded in how Macksofy actually runs the engagement — not aspirational marketing copy.

Methodology phases

Documented activities

Auditor-ready deliverables

0 day

Day retest window

Audit pillars

What we actually examine.

Each pillar is a distinct workstream inside the engagement — scoped, evidenced, and signed off independently before the audit pack is assembled.

Coverage breakdown

Asset & process inventory3 pts
Threat & vulnerability ID3 pts
Impact & likelihood scoring3 pts
Treatment plan3 pts
Residual risk acceptance3 pts
Continuous monitoring3 pts

Pillar 01

Asset & process inventory

You cannot rank risk on assets you do not know exist.

Critical business-process catalogue
Asset → process → data linkage
Crown-jewel + revenue-impact ranking

Pillar 02

Threat & vulnerability ID

Threat-modelling married to your real attack surface.

STRIDE / PASTA threat models
MITRE ATT&CK technique applicability
Vulnerability + misconfig baseline

Pillar 03

Impact & likelihood scoring

Quantified where possible, qualitative where appropriate.

Quantitative risk (₹ revenue / penalty exposure)
Qualitative likelihood (CIS-RAM aligned)
Sensitivity / what-if scenarios

Pillar 04

Treatment plan

Treat / transfer / accept / avoid — with evidence behind each call.

Per-risk treatment decision + owner
Control selection + effort estimate
Insurance & contractual transfer review

Pillar 05

Residual risk acceptance

Documented sign-off so the board has clarity, not surprises.

Residual risk register + tolerance bands
Executive / board sign-off pack
Trigger conditions for re-assessment

Pillar 06

Continuous monitoring

Risk is dynamic — your view of it should be too.

KRI / KPI dashboard
Quarterly recalibration cadence
Material-change re-assessment trigger

Engagement timeline

From kick-off to regulator-ready report.

The horizontal flow below shows the typical week-by-week shape of a Risk Assessment engagement. Click any station for detail in the methodology section above.

Week 1

Scoping

Week 2

Threat modeling

Week 3

Risk analysis

Week 4

Control evaluation

Week 5

Reporting

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled

Govt of India · MeitY

EC-Council ATC

Authorized Training

ISO 27001 Certified

Info Security Mgmt

“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”

Aisha Khan

Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”

Inspector K. Joshi

Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”

Vivek Iyer

DevSecOps Lead · Healthcare SaaS · Hyderabad

Read all 612 reviews on Google →

FAQ

Things compliance leads ask before signing.

We default to FAIR for quantitative scenarios and ISO 27005 / NIST 800-30 for qualitative scope. Mix depends on stakeholder needs.

Other audit engagements

Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.