Digital risk reviews and assessments

Many organisations first come to us seeking an independent view of their digital or information security approach. Sometimes, that’s part of a formal audit or board-level review. Other times, it’s the first step for organisations without a structured programme in place, or where information security has been treated solely as an IT function until now. These reviews can help build a clearer picture of risks, improve how sensitive work or data is protected, and ensure duty of care to your team and partners.

We design review processes around your specific context and goals. If you’re unsure where to begin, we’ll help you identify your priorities and define what success could look like.

Depending on your needs, we might:

  • Engage at board or senior leadership level, providing reassurance through governance-focused approaches.
  • Focus on practical risks and likely threat scenarios grounded in your operational reality.
  • Audit or assess an existing security programme or identify the gaps where one should be.

Whether you’re working with an internal risk or IT team, using an outsourced service, or starting from scratch, we can help you understand your current posture, map your exposure, and build a path forward.

Where appropriate, we embed our assessment work into a broader change strategy – helping your teams build ownership of data and digital risks, reinforcing policies and practices, and shaping a roadmap towards compliance or investment.

Assessment frameworks

We’re flexible about frameworks and methodologies – because one size rarely fits all. Our team has experience working across different models and maturity levels. We’ll help you choose the right tool or blend of tools, depending on what you need to achieve.

We work with:

  • International standards like ISO 27001, PCI-DSS, and SOC 2.
  • Civil society tools like SAFETAG.
  • Government-aligned frameworks like Cyber Essentials and NIST CSF.
  • Control-based models like the CIS Critical Security Controls.

But we also know when not to reach for a formal framework. Sometimes, a simple risk lens is more useful than a compliance checklist.

What to expect from an assessment

We work with you to:

  1. Clarify purpose and outcomes. Are you trying to understand your attack surface? Reassure your board? Benchmark an existing programme? Or inform broader change?
  2. Design an approach that fits. This may include:
    • Desk-based or paper reviews.
    • Technical assessments of tools and platforms.
    • Staff engagement to understand use, culture, and governance.
    • Data mapping and asset identification.
    • Framework alignment (where relevant).
    • Knowledge transfer to your internal team.
  3. Plan a strong exit and next steps. Depending on your goals, this might include:
    • Formal or informal reporting.
    • Leadership or team debriefs.
    • Follow-on workshops or training.
    • Accompaniment or implementation support.

If you’re early in your journey, we may recommend a lighter, framework-based review to map risk areas and prioritise next steps, before returning to a more formal audit when you’re ready.

Open Briefing is a certified social enterprise and a member of the CIVICUS global civil society alliance and the Vuka! coalition.