Module 3 · Qualitative Risk Assessment — ISO 27005 / NIST 800-30 Done Well

Manish Garg · Associate of (ISC)² · RingSafe
May 14, 2026
4 min read

Why this module exists. Most Indian enterprises do qualitative risk assessment — likelihood × impact scoring on a 5×5 matrix — and most do it badly. The matrix becomes a heatmap that decorates board decks. This module covers ISO 27005 and NIST SP 800-30 done well: meaningful scoring scales, calibrated rater training, and the outputs that actually drive decisions.

Done well, qualitative risk assessment is cheap, repeatable, and good enough for 90% of decisions. Done badly, it is theatre. The difference is in the scoring rigour, not the framework choice.

What ISO 27005 and NIST SP 800-30 actually prescribe

Both frameworks define a process: identify assets, identify threats, identify vulnerabilities, assess likelihood, assess impact, compute risk, treat. The frameworks are loose on the scoring scale — that is the practitioner’s choice, and the choice matters.
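The process above, carried through as an added example rather than the module's own tooling: anchored 1 to 5 scales so raters score against observable conditions, a per-axis median across several raters, a calibration flag where raters disagree, and a ranked treatment list instead of a heatmap. The scale anchors, band cut-offs and the sample register are constructed assumptions.

```python
"""Qualitative 5x5 risk scoring with anchored scales and a rater-agreement check.
Added illustration; anchors, band thresholds and sample register are constructed."""
from dataclasses import dataclass
from math import ceil
from statistics import median

# Anchored scales: every level names an observable condition, so raters score
# against evidence rather than gut feel (constructed anchors).
LIKELIHOOD = {1: "not expected within 5 years", 2: "could occur within 5 years",
              3: "likely within 2 years", 4: "likely within 12 months",
              5: "happening now or several times a year"}
IMPACT = {1: "under a day of disruption, no regulated data",
          2: "under a week, internal data only",
          3: "customer-facing outage or limited personal-data exposure",
          4: "regulatory notification required, material revenue loss",
          5: "existential: licence, solvency or large-scale personal-data breach"}

def band(score: int) -> str:
    """Map a likelihood x impact product to a treatment band (constructed cut-offs)."""
    return "critical" if score >= 15 else "high" if score >= 10 else "medium" if score >= 5 else "low"

@dataclass
class Rating:
    rater: str
    likelihood: int
    impact: int

def score_risk(ratings: list) -> dict:
    """Combine independent raters: median per axis, rounded up so a split panel errs
    towards more risk; flag for calibration when raters sit 2+ levels apart on an axis."""
    if any(r.likelihood not in LIKELIHOOD or r.impact not in IMPACT for r in ratings):
        raise ValueError("scores must be integers 1-5")
    ls = [r.likelihood for r in ratings]
    ims = [r.impact for r in ratings]
    l, i = ceil(median(ls)), ceil(median(ims))
    return {"likelihood": l, "impact": i, "score": l * i, "band": band(l * i),
            "calibrate": max(ls) - min(ls) >= 2 or max(ims) - min(ims) >= 2}

def prioritise(register: dict) -> list:
    """Decision output: risks ordered by score, each with its band and calibration flag."""
    scored = {rid: score_risk(rs) for rid, rs in register.items()}
    return sorted(((rid, s["score"], s["band"], s["calibrate"]) for rid, s in scored.items()),
                  key=lambda row: row[1], reverse=True)

# Constructed sample register: three raters scored R1 and R2, two scored R3.
SAMPLE = {
    "R1 unpatched internet-facing VPN": [Rating("A", 4, 4), Rating("B", 4, 5), Rating("C", 5, 4)],
    "R2 laptop theft with unencrypted disk": [Rating("A", 3, 2), Rating("B", 1, 2), Rating("C", 3, 3)],
    "R3 mislabelled backup tape": [Rating("A", 2, 1), Rating("B", 2, 2)],
}
```

Running `prioritise(SAMPLE)` ranks R1 as critical (16), while R2 lands in the medium band but is flagged for calibration because the raters split by two likelihood levels.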
