1. What is the difference between a risk assessment and an IT audit?

    A risk assessment reports the resulting residual risk after evaluation of threats to your assets and current mitigating controls, whereas an IT audit proves/tests that you have implemented the prescribed and asserted controls.

  2. What is included in "IT security?"

    Information technology is one element of your information systems, but there are usually physical, technical, procedural, and personnel-related elements too. Combined, these encompass your Information Security program, which includes IT security.

  3. How much disruption will this cause in my day to day operations?

    Aside from interviews with key stakeholders, this service causes little to no disruption in normal business activities.

  4. What kind of physical access do you need?

    No type of physical access is necessary. We can perform risk assessments remotely or onsite depending upon your preference.

  5. How many times should I get a risk assessment and how often?

    Risk assessments should be done upon major changes to the processes or information systems, or at least once per year.

  6. Who do you need to talk to in my organization?

    Any stakeholder with knowledge of the technical, procedural, personnel, and physical controls employed by the organization to protect information.

  7. Are you going to look at my policies?

    A policy document may be reviewed at the client's request in order to gain insight into any particular policy, process, or control.