Govern · NIST CSF 2.0

Risk Assessment & Compliance

We find out where your business is actually exposed, rank it by what it would cost you, and give you a plan you can act on.

In Plain English

A risk assessment is an honest inventory of where your business could get hurt through its technology: what could go wrong, how likely it is, and what it would cost you if it did. The compliance side lines that up against a recognized standard so you can show insurers, customers, and auditors that you're handling security on purpose, not by luck. Together they answer the question every owner actually has: where do I stand, and what should I do first?

How It Actually Works

The Technical Reality

Risk has a definition, not just a feeling. NIST's standard (SP 800-30) treats risk as the combination of two things: how likely an event is, and how badly it would hurt you. We work through three pieces for each part of your business: the threats (events that could harm you, like ransomware or a hijacked email account), the vulnerabilities (the weaknesses those threats would exploit), and the impact (what it actually costs you in money, downtime, and trust). High likelihood plus high impact is what we fix first.

The work follows the four steps SP 800-30 lays out: Prepare, Conduct, Communicate, Maintain. We scope what matters to you, dig into where you're exposed, hand you findings in plain language, and set you up to keep the picture current as your business changes. The output isn't a binder that sits on a shelf; it's a ranked list of what to do, in what order, and why.

To measure where you stand, we use real standards instead of opinion. CIS Controls v8.1 sort security safeguards into Implementation Groups: IG1 is the baseline of essential cyber hygiene that fits most small businesses, with IG2 and IG3 adding more for larger or regulated companies. We map your security to the NIST Cybersecurity Framework 2.0, which organizes everything into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern is new in version 2.0. It's about who's accountable and how security decisions actually get made.

One thing worth being blunt about: compliant is not the same as secure. A framework is a structured starting point, not a guarantee — you can check every box on a checklist and still get breached, because attackers don't care about your paperwork. We treat these standards as a map of what good looks like, then judge your real-world risk against it. The goal is a business that's genuinely harder to hurt, with the documentation to prove you're managing it.

The NIST Cybersecurity Framework 2.0
GOVERNNIST CSF 2.001IDENTIFY02PROTECT03DETECT04RESPOND05RECOVER
In Your Business

What It Looks Like For You

For a small or midsize business, we look at the systems you actually run: your Microsoft 365 (email, files, who can log in from where), the line-of-business apps you depend on, your backups, and the people who hold the keys. We sort out which data would genuinely hurt you to lose or leak, where a single hijacked account could do the most damage, and which IG1 basics you already have versus the handful you're missing. You don't get auditor jargon. You get a short, ranked plan (here's where you stand, here's what would cost you most, here's what to fix first) plus the documentation that satisfies a cyber-insurance application or a customer's security questionnaire.

The Value

What You Get Out Of It

Know where you actually stand

A clear, current picture of your real exposure (not a guess and not someone else's generic checklist) measured against recognized standards.

Fix the right things first

Findings are ranked by likelihood and business impact, so your time and budget go to the gaps that would actually cost you, not the loudest ones.

Answer insurers and customers

The documentation that cyber-insurance applications, SOC 2 efforts, and customer security questionnaires increasingly require, without scrambling to assemble it.

Make security a decision, not an accident

Clear ownership of who's accountable for what, so security choices get made on purpose as your business grows and changes.

Frameworks & Sources

The Standards Behind It

NIST Cybersecurity Framework 2.0 (SP 1300)Organizes security outcomes into six functions — Govern, Identify, Protect, Detect, Respond, Recover. Govern was added in version 2.0.
NIST SP 800-30 Rev. 1The federal Guide for Conducting Risk Assessments, defining risk as a function of likelihood and impact, across Prepare, Conduct, Communicate, and Maintain.
CIS Controls v8.1Sorts security safeguards into Implementation Groups; IG1 is the essential-hygiene baseline we recommend for most small businesses.
Start With a Free 30-Minute Conversation

NO PRESSURE.
JUST A PLAN.

Cybersecurity gap, IT problem, or just not sure where to begin? We'll listen first, recommend second, and only propose what actually serves you.

connor@tremodi.com