🎯 Free Website Audit. Get Yours →
Optimum Web
ISO 27001NIS2SOC 2DORACR-ISO-04

Risk Assessment & Treatment Plan

Formal ISO 27005 risk assessment with treatment plan and Statement of Applicability. Ready for ISO 27001 Stage 1 audit. Also covers NIS2, SOC 2, DORA. $490.

Risk Assessment & Treatment Plan by Optimum Web is a fixed-price compliance service covering ISO 27001 Clause 6.1.2 — Information security risk assessment. It costs €449 with 5–7 business days delivery by senior security engineers. Risk assessment report (ISO 27005 methodology, 5×5 matrix). 14-day warranty included.

Covers: ISO 27001 Clause 6.1.2 — Information security risk assessment

4 clients served this month
4.8·172 clients·25 yrs

"Senior engineers who actually deliver what they promise. Rare."

Thomas K., IT Manager · Austria

€449
Fixed price, VAT excluded
5–7 business daysSenior only
Risk assessment report (ISO 27005 methodology, 5×5 matrix)
Risk treatment plan with mitigate/accept/transfer/avoid for each risk
Statement of Applicability (SoA) mapping controls to Annex A
Asset register linking assets to risks and controls
🛡️
14-Day Money-Back Guarantee
Issue recurs? We fix it free or refund in full. No questions asked.

Secured by PayPal · 256-bit SSL encryption

or order without payment
+373 22 843569
PayPal · SSL
👨‍💻 Senior only
14-day warranty
🆔 CR-ISO-04

This Service Covers

ISO 27001Clause 6.1.2 — Information security risk assessment
NIS2Article 21(2)(a) — Risk analysis
SOC 2CC3.1–3.2 — Risk assessment and risk mitigation
DORAChapter II — ICT risk management

What You Get

ISO 27001-aligned risk assessment following the ISO 27005 methodology. We identify information assets, evaluate threats and vulnerabilities, assess risk levels using a 5×5 likelihood-impact matrix, and produce a formal Risk Treatment Plan with four options for each risk: mitigate, accept, transfer, or avoid. The Statement of Applicability (SoA) maps selected controls to Annex A. Ready for ISO 27001 Stage 1 audit.

Who Needs This

  • Companies pursuing ISO 27001 certification (Clause 6.1.2 is mandatory)
  • Organizations that need a formal risk treatment plan for board presentation
  • Businesses preparing for SOC 2 Type II needing CC3.1-3.2 evidence
  • Companies that had an incident and need a structured risk reassessment

NEXT STEP

Ready to Implement the Findings?

After the assessment, our fixed-price implementation services cover every gap — from GDPR backup (€449) to incident response (€359). No surprises.

Browse Fix Services

Ready to Start?

€449 · 5–7 business days · 14-day warranty

+373 22 843569

Secured by PayPal · 256-bit SSL encryption

or order without payment

Ready to implement? Browse individual fix services

Learn more
CLIENT REVIEWS

What Our Clients Say

4.8 / 5·172 clients · 25+ years

"Senior engineers who actually deliver what they promise. Fixed price, fixed timeline, thorough documentation. Rare combination."

T
Thomas K.
IT Manager · Manufacturing company · Austria

"Worked with 4 agencies before finding Optimum Web. First team that delivered exactly what the scope said, on time."

S
Sophie V.
Operations Manager · Logistics company · Belgium

"The 14-day warranty is real. Had a small follow-up question and it was handled same day, no extra charge."

M
Mikael B.
CTO · B2B SaaS · Germany
Read all reviews on Clutch →

Frequently Asked Questions

What is the Statement of Applicability (SoA)?+
The SoA is a required ISO 27001 document that lists all 93 Annex A controls and states whether each is applicable to your organization, with justification. It links your risk assessment to the controls you implement.
Can I use this for ISO 27001 Stage 1 audit?+
Yes. The risk assessment and SoA are the two most critical documents for Stage 1. Auditors check that risks are identified, assessed, and linked to controls via the SoA. This service produces both.
How many assets do you typically assess?+
For a mid-size company: 20-50 information assets (servers, databases, SaaS services, network segments, physical locations). For larger scope, we may need additional time.
Do you use qualitative or quantitative risk assessment?+
Qualitative (5×5 matrix). This is what ISO 27001 auditors expect and what most organizations can maintain. Quantitative (financial) is available on request but requires more input data.
How does this relate to the Risk Analysis service (CR-NIS2-03)?+
CR-NIS2-03 focuses on NIS2 requirements and includes the Information Security Policy. This service (CR-ISO-04) is ISO 27001-specific with the SoA. If pursuing both ISO and NIS2, we recommend both — they share 60% of the work.

Also Relevant

NIS2

Risk Analysis & Information Security Policy

€449 · 5–7 business days
ISO 27001

ISO 27001 Readiness Assessment

€539 · 5–7 business days
ISO 27001

Asset Inventory & Classification

€319 · 3–5 business days
DORA

DORA ICT Risk Assessment

€539 · 5–7 business days
+373 22 843569

Secured by PayPal · 256-bit SSL encryption

or order without payment
📞Call Us💬Get Free Quote