CEO · Framework · Advanced · Saves 50+ hours
Cybersecurity Risk Assessment
A framework for assessing cybersecurity risk.
What's included
- Risk Assessment
  - Asset inventory
  - Threat identification
  - Vulnerability assessment
  - Risk scoring
- Control Evaluation
  - Control inventory
  - Gap identification
  - Remediation prioritization
- Ongoing Management
  - Risk monitoring
  - Incident tracking
  - Continuous improvement
Best used when
- Board cybersecurity reporting
- Insurance cyber questionnaires
- Post-breach assessment
- Annual security review
Why this is Gold
Cybersecurity is board-level risk. This framework provides CEO-level visibility.
The template
CYBERSECURITY RISK PHILOSOPHY
Understanding Cybersecurity as Board-Level Risk
CYBERSECURITY RISK FUNDAMENTALS
WHY CYBERSECURITY IS CEO-LEVEL:
☐ Breaches destroy companies
☐ Board personally liable
☐ Customer trust at stake
☐ Regulatory requirements increasing
☐ Cyber insurance requires diligence
CEO'S ROLE IN CYBERSECURITY:
☐ Set security culture tone
☐ Ensure adequate investment
☐ Understand risk at strategic level
☐ Receive regular security briefings
☐ Communicate to board effectively
THE CYBERSECURITY REALITY:
"It's not if you'll be attacked, it's when. The CEO doesn't need to understand every technical detail, but must understand the risks, the investments needed, and the residual risk the company is accepting."
CYBERSECURITY PRINCIPLES FOR CEOs:
1. Security is an investment, not an expense
2. Perfect security doesn't exist
3. People are often the weakest link
4. Third parties are part of your risk
5. Incident response matters as much as prevention
CYBER RISK CATEGORIES:
☐ Data breach (customer/employee data stolen)
☐ Ransomware (systems encrypted, ransom demanded)
☐ Business email compromise (fraud/impersonation)
☐ Insider threat (malicious/negligent employee)
☐ Third-party breach (vendor compromise)
☐ DDoS/availability (systems unavailable)
BOARD CYBERSECURITY QUESTIONS:
1. What are our crown jewels (most valuable data)?
2. What's our biggest cyber risk?
3. Are we adequately invested in security?
4. Do we have incident response capability?
5. What's our cyber insurance coverage?
COMPREHENSIVE CYBERSECURITY FRAMEWORK
Cybersecurity Risk Assessment Framework
═══════════════════════════════════════
CYBERSECURITY RISK ASSESSMENT
═══════════════════════════════════════
COMPANY: _______________
Assessment Date: _______________
Conducted by: _______________
Next Assessment: _______________
═══════════════════════════════════════
SECTION 1: ASSET INVENTORY
═══════════════════════════════════════
CRITICAL DATA ASSETS:
CUSTOMER DATA:
| Data Type | Records | Sensitivity | Location |
|-----------|---------|-------------|----------|
| PII | ___ | High | |
| Financial | ___ | High | |
| Health (if HIPAA) | ___ | High | |
| Behavioral | ___ | Medium | |
EMPLOYEE DATA:
| Data Type | Records | Sensitivity | Location |
|-----------|---------|-------------|----------|
| HR records | ___ | High | |
| Payroll | ___ | High | |
| Performance | ___ | Medium | |
BUSINESS DATA:
| Data Type | Description | Sensitivity | Location |
|-----------|-------------|-------------|----------|
| IP/source code | | High | |
| Financial records | | High | |
| Strategic plans | | High | |
| Customer contracts | | High | |
CRITICAL SYSTEMS:
| System | Function | Criticality | RTO |
|--------|----------|-------------|-----|
| | | ☐ Critical ☐ High ☐ Med | ___ hrs |
| | | ☐ Critical ☐ High ☐ Med | ___ hrs |
| | | ☐ Critical ☐ High ☐ Med | ___ hrs |
| | | ☐ Critical ☐ High ☐ Med | ___ hrs |
CROWN JEWELS:
What are the top 3 assets we must protect?
1. _______________
2. _______________
3. _______________
═══════════════════════════════════════
SECTION 2: THREAT ASSESSMENT
═══════════════════════════════════════
THREAT LANDSCAPE:
EXTERNAL THREATS:
| Threat | Likelihood | Impact | Trend |
|--------|------------|--------|-------|
| Ransomware | H/M/L | H/M/L | ↑↓→ |
| Phishing/BEC | H/M/L | H/M/L | ↑↓→ |
| Targeted attack | H/M/L | H/M/L | ↑↓→ |
| Opportunistic attack | H/M/L | H/M/L | ↑↓→ |
| Nation-state (if applicable) | H/M/L | H/M/L | ↑↓→ |
INTERNAL THREATS:
| Threat | Likelihood | Impact | Controls |
|--------|------------|--------|----------|
| Malicious insider | H/M/L | H/M/L | |
| Negligent employee | H/M/L | H/M/L | |
| Privileged user misuse | H/M/L | H/M/L | |
THIRD-PARTY THREATS:
| Vendor/Partner | Data Access | Risk Level | Last Review |
|----------------|-------------|------------|-------------|
| | | H/M/L | |
| | | H/M/L | |
| | | H/M/L | |
RECENT INDUSTRY INCIDENTS:
What attacks have hit similar companies?
1. _______________
2. _______________
3. _______________
═══════════════════════════════════════
SECTION 3: VULNERABILITY ASSESSMENT
═══════════════════════════════════════
VULNERABILITY SCAN RESULTS:
SCAN INFORMATION:
Last scan date: _______________
Scanner used: _______________
Scope: _______________
VULNERABILITY SUMMARY:
| Severity | Open | Remediated | MTTR |
|----------|------|------------|------|
| Critical | ___ | ___ | ___ days |
| High | ___ | ___ | ___ days |
| Medium | ___ | ___ | ___ days |
| Low | ___ | ___ | ___ days |
PENETRATION TEST RESULTS:
Last test date: _______________
Testing firm: _______________
Type: ☐ External ☐ Internal ☐ Application
Key findings:
1. _______________
2. _______________
3. _______________
Remediation status:
☐ All critical/high fixed
☐ In progress: ___ items
☐ Accepted risk: ___ items
═══════════════════════════════════════
SECTION 4: SECURITY POSTURE ASSESSMENT
═══════════════════════════════════════
SECURITY CONTROLS EVALUATION:
IDENTITY & ACCESS:
| Control | Implemented | Effectiveness |
|---------|-------------|---------------|
| MFA for all users | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| SSO | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Privileged access management | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Access reviews (quarterly) | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Least privilege principle | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
ENDPOINT PROTECTION:
| Control | Implemented | Effectiveness |
|---------|-------------|---------------|
| Endpoint detection (EDR) | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Device encryption | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Mobile device management | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| BYOD policy | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Patch management | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
NETWORK SECURITY:
| Control | Implemented | Effectiveness |
|---------|-------------|---------------|
| Firewall/WAF | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Network segmentation | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| VPN for remote access | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Intrusion detection | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| DNS filtering | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
DATA PROTECTION:
| Control | Implemented | Effectiveness |
|---------|-------------|---------------|
| Encryption at rest | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Encryption in transit | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Data loss prevention | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Backup encryption | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Data classification | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
APPLICATION SECURITY:
| Control | Implemented | Effectiveness |
|---------|-------------|---------------|
| Secure development | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Code review | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Application testing | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
| Dependency scanning | ☐ Yes ☐ No ☐ Partial | ☐ Strong ☐ Adequate ☐ Weak |
OVERALL POSTURE:
| Domain | Rating |
|--------|--------|
| Identity & Access | ☐ Strong ☐ Adequate ☐ Weak |
| Endpoint Protection | ☐ Strong ☐ Adequate ☐ Weak |
| Network Security | ☐ Strong ☐ Adequate ☐ Weak |
| Data Protection | ☐ Strong ☐ Adequate ☐ Weak |
| Application Security | ☐ Strong ☐ Adequate ☐ Weak |
═══════════════════════════════════════
SECTION 5: ADMINISTRATIVE CONTROLS
═══════════════════════════════════════
POLICIES & PROCEDURES:
| Policy | Status | Last Updated | Owner |
|--------|--------|--------------|-------|
| Information security | ☐ Yes ☐ No | | |
| Acceptable use | ☐ Yes ☐ No | | |
| Data classification | ☐ Yes ☐ No | | |
| Incident response | ☐ Yes ☐ No | | |
| Vendor security | ☐ Yes ☐ No | | |
| Remote work | ☐ Yes ☐ No | | |
SECURITY AWARENESS:
| Element | Status | Metrics |
|---------|--------|---------|
| Training program | ☐ Yes ☐ No | __% completed |
| Phishing simulations | ☐ Yes ☐ No | __% fail rate |
| Security onboarding | ☐ Yes ☐ No | |
| Regular communications | ☐ Yes ☐ No | |
VENDOR SECURITY:
| Element | Status |
|---------|--------|
| Security questionnaire | ☐ Required ☐ Sometimes ☐ Never |
| Contract security terms | ☐ Standard ☐ Sometimes ☐ Never |
| Ongoing monitoring | ☐ Yes ☐ No |
| SOC 2 requirement | ☐ Required ☐ Preferred ☐ No |
═══════════════════════════════════════
SECTION 6: INCIDENT RESPONSE
═══════════════════════════════════════
INCIDENT RESPONSE CAPABILITY:
IRP STATUS:
☐ Incident response plan exists
☐ Plan tested in last 12 months
☐ Roles/responsibilities defined
☐ External resources identified
RESPONSE TEAM:
| Role | Primary | Contact |
|------|---------|---------|
| Incident Commander | | |
| Technical Lead | | |
| Communications | | |
| Legal | | |
| External IR firm | | |
| Cyber insurance | | |
INCIDENT CLASSIFICATION:
| Level | Description | Response Time |
|-------|-------------|---------------|
| Critical | Active breach, data exfil | Immediate |
| High | Confirmed intrusion | <1 hour |
| Medium | Suspected incident | <4 hours |
| Low | Anomaly investigation | <24 hours |
═══════════════════════════════════════
SECTION 7: CYBER RISK SUMMARY
═══════════════════════════════════════
TOP CYBER RISKS:
| Rank | Risk | Likelihood | Impact | Mitigation Status |
|------|------|------------|--------|-------------------|
| 1 | | H/M/L | H/M/L | |
| 2 | | H/M/L | H/M/L | |
| 3 | | H/M/L | H/M/L | |
| 4 | | H/M/L | H/M/L | |
| 5 | | H/M/L | H/M/L | |
REMEDIATION PRIORITIES:
| Priority | Gap/Risk | Action | Owner | Due |
|----------|----------|--------|-------|-----|
| 1 | | | | |
| 2 | | | | |
| 3 | | | | |
INVESTMENT REQUIREMENTS:
| Initiative | Cost | Timeline | Risk Reduced |
|------------|------|----------|--------------|
| | $ | | |
| | $ | | |
| | $ | | |
═══════════════════════════════════════
SECTION 8: BOARD REPORTING
═══════════════════════════════════════
BOARD SECURITY DASHBOARD:
| Metric | Target | Current | Status | Trend |
|--------|--------|---------|--------|-------|
| Critical vulnerabilities | 0 | | ☐G☐Y☐R | ↑↓→ |
| High vulnerabilities | <5 | | ☐G☐Y☐R | ↑↓→ |
| Mean time to patch (critical) | <7 days | | ☐G☐Y☐R | ↑↓→ |
| Security training completion | 100% | | ☐G☐Y☐R | ↑↓→ |
| Phishing test failure rate | <5% | | ☐G☐Y☐R | ↑↓→ |
| Incidents this quarter | 0 | | ☐G☐Y☐R | ↑↓→ |
| Third-party reviews current | 100% | | ☐G☐Y☐R | ↑↓→ |
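Two parts of this template are mechanical enough to automate once the numbers are collected: the rank column of the Section 7 risk register (likelihood × impact on the H/M/L scale) and the G/Y/R status and trend columns of the board dashboard above. The following Python script is an added worked example, not part of the template or its coach; the 3×3 scoring matrix, the 20% amber tolerance band, the tie-break rule and every sample value are assumptions made for illustration, while the dashboard targets are copied from the table above.

```python
"""Added example: score the Section 7 risk register and evaluate the
Section 8 board dashboard. Matrix, amber band and sample data are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}  # H/M/L scale used throughout the template


def risk_score(likelihood: str, impact: str) -> int:
    """Qualitative 3x3 matrix: likelihood x impact, range 1..9 (assumed scoring)."""
    return LEVEL[likelihood.upper()] * LEVEL[impact.upper()]


def rank_risks(register: list[dict]) -> list[dict]:
    """Order the register for the 'Rank' column. Ties on score are broken by
    impact (assumed rule: a high-impact risk outranks a high-likelihood one of
    equal score), then alphabetically so the output is stable."""
    return sorted(
        register,
        key=lambda r: (-risk_score(r["likelihood"], r["impact"]),
                       -LEVEL[r["impact"].upper()], r["risk"]),
    )


@dataclass(frozen=True)
class Metric:
    name: str
    target: str              # written exactly as in the dashboard, e.g. "<7 days"
    current: float
    previous: float          # last quarter's value, used for the trend arrow
    higher_is_better: bool = False  # True for completion percentages


_TARGET = re.compile(r"^(<?)\s*(\d+(?:\.\d+)?)\s*(%|days)?$")


def parse_target(text: str) -> tuple[float, bool]:
    """Turn '0', '<5', '100%' or '<7 days' into (bound, strict_less_than)."""
    m = _TARGET.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised target: {text!r}")
    return float(m.group(2)), m.group(1) == "<"


def status(metric: Metric, tolerance: float = 0.2) -> str:
    """G when the target is met, Y when missed by at most `tolerance` of the
    bound, otherwise R. A zero target has no amber band: one open critical
    vulnerability against a target of 0 is red."""
    bound, strict = parse_target(metric.target)
    cur = metric.current
    if metric.higher_is_better:
        met, slack = cur >= bound, bound - cur
    else:
        met, slack = (cur < bound if strict else cur <= bound), cur - bound
    if met:
        return "G"
    if bound > 0 and slack <= tolerance * bound:
        return "Y"
    return "R"


def trend(metric: Metric) -> str:
    """Direction of the raw value since the previous report (not of risk)."""
    if metric.current > metric.previous:
        return "↑"
    if metric.current < metric.previous:
        return "↓"
    return "→"


def dashboard(metrics: list[Metric]) -> list[dict]:
    """Rows for the board dashboard table, one per metric."""
    return [{"metric": m.name, "target": m.target, "current": m.current,
             "status": status(m), "trend": trend(m)} for m in metrics]


# Constructed sample register (Section 7) and metrics (Section 8).
SAMPLE_RISKS = [
    {"risk": "Ransomware", "likelihood": "H", "impact": "H"},
    {"risk": "Phishing/BEC", "likelihood": "H", "impact": "M"},
    {"risk": "Third-party breach", "likelihood": "M", "impact": "H"},
    {"risk": "Negligent employee", "likelihood": "M", "impact": "M"},
    {"risk": "DDoS", "likelihood": "L", "impact": "M"},
]
SAMPLE_METRICS = [
    Metric("Critical vulnerabilities", "0", current=1, previous=3),
    Metric("High vulnerabilities", "<5", current=4, previous=6),
    Metric("Mean time to patch (critical)", "<7 days", current=8, previous=8),
    Metric("Security training completion", "100%", current=95, previous=90,
           higher_is_better=True),
    Metric("Phishing test failure rate", "<5%", current=7, previous=4),
    Metric("Incidents this quarter", "0", current=0, previous=1),
    Metric("Third-party reviews current", "100%", current=100, previous=85,
           higher_is_better=True),
]

if __name__ == "__main__":
    for i, r in enumerate(rank_risks(SAMPLE_RISKS), 1):
        print(f"| {i} | {r['risk']} | {r['likelihood']} | {r['impact']} | "
              f"score {risk_score(r['likelihood'], r['impact'])} |")
    for row in dashboard(SAMPLE_METRICS):
        print(f"| {row['metric']} | {row['target']} | {row['current']} | "
              f"{row['status']} | {row['trend']} |")
```

With the constructed data, "Third-party breach" (M/H) ranks above "Phishing/BEC" (H/M) despite the equal score of 6, which is the point of the tie-break rule; and "Mean time to patch" at 8 days against "<7 days" lands in amber while a phishing failure rate of 7% against "<5%" is red. Note that the trend arrow reports the direction of the raw number, so ↑ is good for training completion and bad for incidents; the status column is what carries the judgement.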
CYBER INSURANCE:
Coverage limit: $_____
Deductible: $_____
Policy renewal: _______________
Last claim: ☐ Never ☐ _______________
Security Control Checklist
| Category | Control | Status | Priority |
|---|---|---|---|
| Identity | MFA for all users | ☐ | High |
| Identity | Privileged access management | ☐ | High |
| Endpoint | EDR on all devices | ☐ | High |
| Endpoint | Device encryption | ☐ | High |
| Network | Firewall/WAF | ☐ | High |
| Data | Encryption at rest | ☐ | High |
| Data | Encryption in transit | ☐ | High |
| App | Secure SDLC | ☐ | Medium |
| Admin | Security training | ☐ | High |
| Admin | Incident response plan | ☐ | High |
Board Security Summary
| Metric | Target | Current | Status | Trend |
|---|---|---|---|---|
| Critical vulns open | 0 | | ☐ G ☐ Y ☐ R | ↑↓→ |
| Mean time to patch | <7 days | | ☐ G ☐ Y ☐ R | ↑↓→ |
| Security training % | 100% | | ☐ G ☐ Y ☐ R | ↑↓→ |
| Phishing fail rate | <5% | | ☐ G ☐ Y ☐ R | ↑↓→ |
| Incidents this quarter | 0 | | ☐ G ☐ Y ☐ R | ↑↓→ |
Frequently asked questions
What is the Cybersecurity Risk Assessment?
A framework for assessing cybersecurity risk.
Who is the Cybersecurity Risk Assessment for?
It is built for CEOs and their teams working on Risk Management. The AI coach adapts it to your company, stage, and goals.
How long does the Cybersecurity Risk Assessment take to use?
It saves roughly 50+ hours versus building from scratch. Our AI coach can tailor the framework to your situation in minutes, then hand you a step-by-step plan.
Is the Cybersecurity Risk Assessment free?
Yes. You can read the full framework and start getting coached through it for free. Sign in to save your tailored version and track your next steps.
How does the AI coach help with the Cybersecurity Risk Assessment?
The coach teaches you the framework, asks a few questions about your business, tailors the framework to you, and gives you measurable next steps to execute.