Cyber Risk Management Maturity

Our unique maturity scoring model gives businesses an action plan for optimal cyber risk reduction.

Want to talk first? Arrange a call here

Areas of assessment

We used our decades of experience in IT and information security management, a thorough understanding and appreciation of cyber insurance, and our first-hand engagement investigating hundreds of cyber incidents to deliver a comprehensive assessment based on the common risk concerns of cyber insurance underwriters and cyber security best practice from standards such as ISO 27001, PCI DSS and NIST. Our findings are summarised and combined with our unique CyberProfiler: Attackers Eye View™ online footprint analysis.

Most importantly, we help executives and management to cut through the complexity by aligning the important assessment findings and recommendations to score a set of five key metrics that describe an organisation's Cyber Risk Management Maturity (CRMM).

Skills & resources
1. People

We review staff roles and ensure they are clearly defined and assigned to those with appropriate experience or cyber risk qualifications. We also check that the organisation has proper IT resourcing, considering the information it stores and processes. We base our scoring on best practice, considering the organisation's size combined with the assets it handles.

Documentation & workflows
2. Process

Our assessment reviews organisational policies to ensure the correct procedures are in place with appropriate guidance, standards and agreements. A high maturity indicates that a hierarchical document set exists, is regularly updated and is followed. We examine the organisation's cybersecurity culture: are staff aware of cyber threats, governance documents and their obligations?

Security protection & detection
3. Technology

We review whether the technologies used to protect the organisation's business data are planned, budgeted, implemented, up to date, and operated effectively. We review security-specific solutions and the security functions available within other standard IT technology, such as operating systems and databases. We apply best practice to review key safeguards using a layered approach.

Reliance & assurance
4. Vendor management

We review the assurances an organisation has in regard to its outsourcing partners and vendors. A high maturity indicates the company has considered a degree of trust and cybersecurity as important factors in its contractual relationships. We pay particular attention to clients' existing relationships and standard practices when planning outsourcing and vendor assignments.

Records & control
5. Data asset awareness

We examine how the organisation categorises the data it utilises. We ensure that critical personal and other business data is clearly understood so that the organisation can suitably assess the risks associated with these assets. As part of our assessment report, we produce a data asset register allowing clients to gain clarity over data access, content and aggregation, and to assign ownership and retention policy.

The Attackers Eye View™

Many businesses unnecessarily leak information which is used by attackers to scam them and compromise their systems. Our profiler service provides an attacker's perspective for an organisation’s online presence. We scan for vulnerable systems, configurations, user accounts, domains, third party links, technology investment, and other sensitive details. Results then drive practical recommendations for remediation.

Assessment breakdown

Each section consists of easy-to-answer questions. Most questions offer simple answers: Yes, No, In Progress or Not Applicable. There is the option to defer up to 5 questions that cannot be answered for post-review completion, although this can delay the report.

  • Section A  Introduction & Business Details.

  • Section B  Your Business Information Assets.

  • Section C  IT Operations and Cyber Security Function.

  • Section D  Your Cyber Risk Assessment Programme.

  • Section E  Your Information Governance Programme.

  • Section F  Your Cyber Security Systems & Processes.

  • Section G  Your Cyber Incident Management Process.

  • Section H  Historical Information.

Cyber Risk Management Maturity scoring

We rank an organisation's resilience using a straightforward 1-5 score in five key maturity areas. Our scores use proprietary logic functions applied to the information gathered over a personal one-to-one 90-minute security review by our expert assessors.

Opinion statement

We summarise assessment findings in a tailored opinion statement. The jargon-less summary clearly outlines the assessment findings for both technical and non-technical executives.

Risk results dashboard

This area provides an overview of every finding paired with a visual high/medium/low risk determination. At a glance, a business can identify its cyber strengths and weaknesses and see where best to act to address the most critical areas of exposure.

In-depth remediation details

This section lists each assessment finding in order of urgency. We document each high/medium risk with a reason for its determination. The report also contains clear remediation advice for every high and medium risk, in addition to a commentary on low risks. Tags show a direct relationship to maturity improvement.

Improvements checklist

This checklist provides a clear action plan for the assessed organisation. The ten most urgent findings are summarised and scored. This section allows the assessed business to determine key remediation actions on its overall cyber maturity.

Data asset register

Many organisations are not aware of the information assets they store and process. As a result, they cannot demonstrate the steps taken to understand and protect these assets. The Cyber3 assessment generates a formal information asset register enabling tracking of ownership, access control and data retention policy. 


We help organisations understand the attacker's perspective by including an open-source intelligence assessment. This section scans the business for susceptible technologies, misconfigured services, vulnerable user accounts, and many other details commonly used by hackers to breach organisations.

Findings overview

Cyber3 report sections

We outline assessment findings in a comprehensive, well-structured report. The report contains jargon-less insights that are easy for both technical and non-technical executives to understand. Using the following report structure, we can raise risks clearly and provide a path to remediation with direct links from our recommendations to stepped improvements in cyber risk management maturity.


Developing maturity

Improving cyber security

Our assessment is performed over a 90-minute call with a STORM Guidance cybersecurity expert. As part of the review, we also complete an 'Attackers-Eye-View' scan of the company's entire digital estate. This scan examines all public-facing digital assets for security threats, domain misconfigurations and other exposures.


The result is a Certificate of Assessment, a comprehensive Risk Management Report incorporating our unique maturity scoring, and a straightforward strategy to achieve cyber resilience. Assessments are priced at £995 with discounts available for insurers, brokers and their clients.


Book an assessment

It takes just 3 minutes to make a booking.
You can choose to pay upfront during the booking process or to pay later.
