Cyber Risk Assessment Template · ISO 31000 · NIST

Cyber Risk Assessment Template: where is your IT most likely to let the business down?

Free cyber risk assessment template. Covers technology, security and data risks. Instant risk register with severity scoring and recommended controls.

Frequently asked questions

What is a cyber risk assessment and why does my organisation need one?

A structured way of judging how likely your technology is to let the business down, and how badly. This tool covers six areas a board cares about: keeping systems available, single points of failure, ageing technology, security, suppliers and change. It scores each from 0 to 100 and gives you a summary you can act on.

Is this a real IT risk assessment template I can reuse?

Yes. The six dimensions and eighteen questions are a reusable template. You can run it now for a score, then use the same structure as the backbone of an ongoing IT risk register, re-running it each quarter or after major change.

Which frameworks is this based on?

ISO 31000:2018 for how risk is governed and the language of risk; COBIT 2019 for governing and managing enterprise IT; and NIST for security and resilience, drawing on the NIST Cybersecurity Framework 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) and the NIST SP 800-37 Risk Management Framework. These are the frameworks auditors and regulators recognise.

How is the score calculated?

Each of the eighteen questions has four answers worth 1 (worst) to 4 (best), so the lowest possible total is 18 and the highest is 72. We take your total, subtract the lowest possible total, and convert it to a true 0 to 100 scale: (total minus 18) divided by 54, times 100. All-worst answers score 0 and all-best score 100. Each of the six dimensions (three questions each) is scored the same way against its own minimum and maximum. There is no hidden floor inflating your result, as there would be if we simply divided your total by 72.
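The normalisation described above, written out in Python as an added example; this is not the site's own scoring code. The six dimension names are taken from the first answer on this page, the grouping of three consecutive questions per dimension is an assumption, and the sample answers are constructed. It also shows the floor that the naive "total divided by 72" method would leave, and picks the two weakest dimensions, which the last answer suggests taking to the board.

```python
"""Added example: min-max normalisation of an 18-question, 6-dimension
risk self-assessment onto a 0..100 scale, with a per-dimension breakdown.
Not the site's own code; dimension order and the three-questions-per-
dimension grouping are assumptions for illustration."""

from typing import Mapping, Sequence

# Assumed: six dimensions in this order, three questions each (18 in total).
DIMENSIONS = (
    "availability",
    "single points of failure",
    "ageing technology",
    "security",
    "suppliers",
    "change",
)
QUESTIONS_PER_DIMENSION = 3
MIN_ANSWER, MAX_ANSWER = 1, 4  # 1 = worst, 4 = best


def normalise(total: int, n_questions: int) -> float:
    """Map a sum of n answers (each 1..4) onto 0..100.

    Subtracting the lowest possible total removes the floor that a naive
    total / maximum * 100 would leave (18/72 = 25 for all-worst answers).
    """
    lowest = n_questions * MIN_ANSWER
    highest = n_questions * MAX_ANSWER
    return (total - lowest) / (highest - lowest) * 100


def naive_score(total: int, n_questions: int) -> float:
    """The tempting but inflated version, kept only for comparison."""
    return total / (n_questions * MAX_ANSWER) * 100


def score(answers: Sequence[int]) -> dict:
    """Return the overall score and one score per dimension for 18 answers."""
    expected = len(DIMENSIONS) * QUESTIONS_PER_DIMENSION
    if len(answers) != expected:
        raise ValueError(f"expected {expected} answers, got {len(answers)}")
    if any(a < MIN_ANSWER or a > MAX_ANSWER for a in answers):
        raise ValueError("answers must be between 1 and 4")

    per_dim = {}
    for i, name in enumerate(DIMENSIONS):
        start = i * QUESTIONS_PER_DIMENSION
        chunk = answers[start:start + QUESTIONS_PER_DIMENSION]
        per_dim[name] = normalise(sum(chunk), QUESTIONS_PER_DIMENSION)

    return {
        "overall": normalise(sum(answers), expected),
        "dimensions": per_dim,
    }


def weakest(result: Mapping, n: int = 2) -> list:
    """The n lowest-scoring dimensions, i.e. the ones to take to the board."""
    dims = result["dimensions"]
    return sorted(dims, key=dims.get)[:n]


if __name__ == "__main__":
    # Constructed sample: strong on availability, weak on suppliers and change.
    sample = [4, 4, 3, 3, 3, 2, 2, 3, 3, 3, 4, 3, 1, 2, 1, 2, 1, 2]
    result = score(sample)
    print(f"overall: {result['overall']:.1f}")
    for name, value in result["dimensions"].items():
        print(f"  {name:26s} {value:5.1f}")
    print("take to the board:", weakest(result))
```

The same `normalise` function serves both the overall score and each dimension, which is what "scored the same way" means in practice: a dimension of three questions is normalised against its own range of 3 to 12, not against the whole assessment's 18 to 72.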

Do I need to be technical to use it?

No. Every question is written in plain business language for a board member, finance leader or general manager. If you can describe how your organisation behaves, you can complete it.

How long does it take?

About ten minutes. Eighteen questions, four options each.

Is my score private?

Yes. We show your result on screen. We do not publish it or share it. We ask for your details so we can send the summary and, if you want, follow up; we do not sell your data.

Is this a substitute for a proper IT risk review or audit?

No, and we are clear about that. This is a free self-assessment and a board-ready starting point, not a formal review, audit, certification or legal advice. It is designed to surface the right questions and give you a defensible first artefact, which a deeper review then validates.

Why does Starkhorn give this away?

Because most organisations do not have an honest, structured view of their IT risk, and the conversations that follow are where we add value. Starkhorn is an independent advisory firm. We sell advice, not software, certification, insurance or audit, so we have no incentive to inflate your risk or sell you a product.

What should I do with the result?

Take your two weakest dimensions to your next leadership or audit-committee meeting, assign an owner and a date to each, and test the things you currently assume work, starting with a backup restore, a key-person scenario and a critical-supplier failure. Then re-run this after you have acted.