The idea

Why another risk management application?

This application was inspired by the day-to-day needs of the security governance team of a European central bank. The team needed a methodology that can be applied to a flexible scope (e.g., from a single IT service to an entire ISMS), while being able to rely on arbitrary sources for the selection of controls to be implemented. The methodology is quantitative and every step is easily reproducible, which helps you avoid “finger in the air” risk assessments and “black box” results.

Risk assessments should not be limited to certain standards or frameworks. Security experts should be able to choose controls from CIS, ISO27001, OWASP, BSI basic protection, NIST, or any other source, if suitable for the task at hand and for the scope of the risk assessment to be drafted.