Your board asked about cyber risk. Give them a real answer — not reassurance.
A cyber risk register, heat map, and board-ready briefing document — produced in four to six weeks. Written for a non-technical board audience. The risk picture in terms they can act on: likelihood, consequence, and what you're doing about it.
Answering a vendor questionnaire? That's Client-Ready Security — a different engagement designed specifically for questionnaire response and evidence packs. Cyber Risk Assessments is for board-level risk governance: risk registers, heat maps, and executive briefings.
"Our board asked management to present the organisation's cyber risk posture at the next board meeting. We have no documented risk assessment."
Board-level accountability for cyber risk is increasing. Management that can't produce a risk register at the board's request has a governance problem, not just a security problem.
"An APRA-regulated entity we supply services to has asked us to complete a cyber risk assessment as a third-party supplier requirement."
Third-party risk requirements from regulated entities are now standard. The format and evidence they expect are specific — CyberCraft knows what they're looking for.
"We're going through ISO 27001 certification. The auditor said we need a risk assessment as a foundation document."
ISO 27001 requires a documented risk assessment using a defined methodology. CyberCraft's risk assessment uses an ISO 27001-compatible approach.
"A PE investor doing due diligence on our business asked for our cyber risk register. We don't have one."
Investor due diligence increasingly includes cyber risk. A completed risk register with a board briefing is the evidence they're looking for.
Cyber risk register
Documented risks with likelihood rating, consequence rating, current controls, residual risk level, and ownership assigned to a named role.
Risk heat map
Visual representation of the risk landscape — likelihood on one axis, consequence on the other. Communicates the risk picture at a glance for a board audience.
Executive briefing document
Plain-language summary of the risk picture: top five risks, business consequence framing (revenue, reputation, regulatory, operational), and recommended responses. Written for a non-technical board member.
Risk treatment plan
Recommended actions for each risk above the acceptable threshold — prioritised, with an owner, a timeline, and a mapped follow-on service where applicable.
Risk workshop — two hours
Facilitated session covering the business's operating environment, critical assets, threat landscape, and current controls. The risk register is seeded from this workshop.
Risk register and heat map production
CyberCraft builds the register using a standard likelihood and consequence matrix. No further client time required during this phase.
Executive briefing draft and review
Draft executive briefing delivered for review. CyberCraft incorporates feedback and finalises the board presentation documents.
Board presentation support (optional)
CyberCraft joins your board presentation call to walk through the findings and answer board questions directly. Available as an optional addition.
Cyber Risk Assessment — Pricing Configurator
Fixed fee. Board presentation support is an optional addition.
Configurator inputs: staff count, requirement driver (board / ISO 27001 / APRA / investor / general), board presentation support (yes/no, adds $490).