Cyber Risk Audit


A Comprehensive Cyber Risk Audit & Assessment Framework

Our Cyber Risk Audit is a comprehensive audit and assessment framework designed to identify key cyber risks, prioritise their remediation, and protect your digital assets, brand reputation and balance sheet from malicious attack.

“You can’t improve it if you don’t measure it”.

Cyber Risk Rating

Our standards-based Cyber Risk Rating measures every aspect of your organisation's cybersecurity posture. It answers the call from the National Cyber Security Centre and the Department for Digital, Culture, Media and Sport for higher standards in cyber risk management, gives you a measurable way to improve your posture, and can influence the cost of cyber risk insurance premiums.

Our Cyber Risk Audit looks at the people, process and technology in place to cover the key cyber risk areas.

In the dictionary, the term "spectrum" has several related definitions, all of which concern the distribution of a characteristic across a system or phenomenon. In information security, Trustify uses the spectrum to mean the full set of characteristics that are essential for the successful implementation of a security control. All too often we come across what should be effective controls, only to find they have been let down by partial implementation or by a complete failure to put in place the elements needed to operate the control after implementation. The Trustify method helps to identify and address these gaps in control implementation.

Having established the threats and drivers, Trustify looks closely at the technical aspects to understand the placement and effectiveness of each control, then extends that analysis by discovering who is responsible for the control and how it is operated. The method covers not only the control-specific processes but also the relevant ITIL service management aspects that have to be in place for a control to operate successfully and effectively. The Trustify "Full Spectrum" method goes further still.

In design, Trustify applies the same rigorous approach to define the "Full Spectrum" of characteristics, so that the prescribed controls not only provide the desired protection when deployed but continue to do so throughout the system's lifetime.

The Trustify method draws upon established enterprise architecture methods such as TOGAF and SABSA to ensure it fits any enterprise, regardless of size.

Trustify's Technical Security Services are built to address the challenges of a rapidly changing threat landscape and evolving business needs by providing independent advice on your new and existing technology.

With skills in enterprise security architecture, security design and security operations, Trustify is well placed to help you reduce your risk exposure.

The Cyber Risk Audit is designed to highlight issues with your public-facing presence. The audit uses investigative techniques to identify issues with your registered domains, the certificates and cryptography used to protect them, and other exposures of your brand on the public internet.

Depending on the need we can focus on specific points of interest and provide a deeper assessment through web application security testing.

The crypto risk audit is designed to discover and highlight issues with the deployment and management of digital certificates and cryptographic keys.

The audit is modular, allowing for either a complete audit or a focused assessment of the risks and issues associated with your external certificate space, your internal certificate space, or the way you manage your certificates.
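As an illustration of the checks an external or internal certificate audit runs, the script below loads a PEM certificate and reports the findings such an audit typically raises: an expired or soon-to-expire certificate, a weak public key, a weak signature hash, a self-signed issuer, a missing Subject Alternative Name, and a hostname that the certificate does not cover. This is an added example written for this page, not Trustify's own tooling. It assumes the third-party Python package cryptography is installed; the thresholds (2048-bit RSA, 256-bit EC, a 30-day renewal window, SHA-1 and MD5 as weak), the hostname www.example.test and the self-signed test certificates are constructed assumptions for the demonstration, not data from any real audit.

```python
"""Offline certificate-posture audit: added example, not Trustify's tooling.
Requires the third-party cryptography package (assumed to be installed)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Policy thresholds: assumed values, tune them to your own standard.
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
EXPIRY_WARN_DAYS = 30
WEAK_SIG_HASHES = {"md5", "sha1"}


def host_matches(pattern, host):
    """Exact or single-label wildcard match (RFC 6125 section 6.4.3)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def not_after_utc(cert):
    """Tolerate both the naive (old) and tz-aware (new) cryptography API."""
    aware = getattr(cert, "not_valid_after_utc", None)
    return aware or cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)


def audit_certificate(pem, expected_host, now=None):
    """Return a list of (code, detail) findings for one PEM certificate."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    cert = x509.load_pem_x509_certificate(pem)
    findings = []
    # 1. Validity window: already expired, or inside the renewal window.
    days_left = (not_after_utc(cert) - now).days
    if days_left < 0:
        findings.append(("EXPIRED", f"expired {-days_left} days ago"))
    elif days_left < EXPIRY_WARN_DAYS:
        findings.append(("EXPIRING_SOON", f"{days_left} days left"))
    # 2. Public key strength.
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append(("WEAK_KEY", f"RSA {pub.key_size} bits"))
    elif isinstance(pub, ec.EllipticCurvePublicKey) and pub.curve.key_size < MIN_EC_BITS:
        findings.append(("WEAK_KEY", f"EC {pub.curve.key_size} bits"))
    # 3. Signature hash: SHA-1/MD5 signatures are rejected by modern clients.
    sig_hash = cert.signature_hash_algorithm
    if sig_hash is not None and sig_hash.name in WEAK_SIG_HASHES:
        findings.append(("WEAK_SIGNATURE", sig_hash.name))
    # 4. Issuer == subject: nobody outside the organisation vouches for the key.
    if cert.issuer == cert.subject:
        findings.append(("SELF_SIGNED", cert.subject.rfc4514_string()))
    # 5. Name coverage: browsers ignore the CN, so the SAN must list the host.
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        names = san.get_values_for_type(x509.DNSName)
        if not any(host_matches(n, expected_host) for n in names):
            findings.append(("HOSTNAME_MISMATCH", f"SAN={names}"))
    except x509.ExtensionNotFound:
        findings.append(("NO_SAN", "certificate relies on the CN only"))
    return findings


def make_demo_certificate(key_bits=2048, days_valid=365, sans=None):
    """Constructed self-signed test certificate standing in for a fetched one."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(days=1))
               .not_valid_after(now + datetime.timedelta(days=days_valid)))
    if sans:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
            critical=False)
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    samples = {"weak": make_demo_certificate(1024, 10),
               "sane": make_demo_certificate(sans=["*.example.test"])}
    for label, pem in samples.items():
        for code, detail in audit_certificate(pem, "www.example.test"):
            print(f"{label}: {code}: {detail}")
```

Against a live host you would replace make_demo_certificate with the PEM returned by the standard library's ssl.get_server_certificate((host, 443)), encoded to bytes, and run the same checks over every domain in your registered estate. The script only inspects the leaf certificate; chain validation, the trust status of an internal CA, and how keys are stored and rotated are separate parts of the audit.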

The Security Architecture Assessment is designed to dig deeper than a typical penetration test. Our consultants engage with your business and technical staff and, through a process of design review and conversation, identify the threats and risks associated with a given target architecture.

The process is comprehensive and goes further than most because we understand that security doesn’t begin and end with a technical assessment.  Implementing a security control to minimise a threat is pointless if the people and processes are not there to ensure the effectiveness of the control in operation.

Whilst there are plenty of free Information Security Policies and Standards available on the web you still need to tailor these based on the requirements of your business.

Trustify can help by mapping out those Policies and Standards you need through engagement with key areas within your business.  We will then shape those policies and standards accordingly leaving you with a usable set of policies and standards in the most appropriate format for your business.

Beyond this, we can help with the publication and promotion of those policies and standards.

Whether you are well on the way to obtaining certification or at the beginning of your journey, it is worth performing a gap assessment.

Trustify can help with this by applying a structured approach to identify the key stakeholders and draw out the status of the elements necessary for the successful implementation of an Information Security Management System (ISMS).

The output from the process is a structured report with recommendations and a skeleton plan to help you begin the journey.

ISO 27001 is a comprehensive standard for the management of information security within an organisation and, as a result, certification is not quickly or easily achieved.

Understanding your gaps is the first stage, defining your statement of applicability the next.  Knowing where to begin is


  • Definition of your Statement of Applicability
  • Creation of a Risk Register
  • Creation of an Asset Register

Enterprises both small and large often make decisions that can Trustify can help at any point in your architecture's lifecycle:

Idea inception – We can help by identifying and analysing the threats associated with a business idea.

Requirements definition – Security requirements are often overlooked and left to the end of the project delivery process. This is dangerous and leaves the business with one of three choices:

  • Stop and identify the requirements, leading to delay and additional cost, as elements of the product often need redevelopment.
  • Proceed with the project delivery and hope that nothing happens.
  • Do the minimum possible, keeping the delay as short as possible.

None of these options is really acceptable, and in almost all cases the threats and risks are not treated appropriately. Security design, including threat assessment and requirements definition, should always be well established within your project lifecycle.

Risk Assessment – You should always incorporate an independent review of the risks associated with the introduction of a new business system. Independence here is crucial: without it you are asking the design and delivery teams to mark their own homework. Never a good idea.

From strategic business decisions to tactical responses, we give you the confidence and insight to manage risk and compliance demands effectively. Benefit from a comprehensive range of services – including consulting, designing, building, operating and maintaining your chosen solution.

  • Access the latest industry-specific security insights, controls and technologies.
  • Benefit from comprehensive professional security services – from building and installation to testing and integration.
  • Optimise security spending with a focus on your core business.
  • Increase your overall protection level, and minimise the risk of cyber attack.
  • Security Organisation Capability Assessment and Design Service
  • Security Capability Assessment and Design Service
  • Security Design Services