Prioritising cyber risks for UK businesses: a practical assessment plan

24/11/2025

For many UK organisations the hardest part of cybersecurity is not identifying risks, it is deciding what to fix first. Budgets are limited, regulators expect evidence of risk-based decisions, and the threat landscape shifts weekly. This guide sets out a practical, step-by-step approach to running a cybersecurity risk assessment that UK leaders can rely on to prioritise remediation, demonstrate due diligence, and align with UK best practice and common standards.

Samurai Security consultants run assessments across healthcare, financial services, technology, retail, maritime and manufacturing. The process below distils what works in the field, mapped to National Cyber Security Centre (NCSC) guidance and the realities of UK compliance.

1) Set the scope and objectives

Start with a clear purpose: prioritise actions that reduce material business risk. Define scope by business service, data type and location, not just systems. For example, “Order-to-cash service for UK customers, including ERP, payment gateway, and warehouse network” gives you a risk lens that business leaders recognise.

Align early to your obligations and chosen frameworks such as ISO 27001 and Cyber Essentials certification. The NCSC explains cyber risk fundamentals, and how to set context, threats and vulnerabilities, in its overview of the basics of cyber risk, which is a sound starting point for UK teams.

2) Build a lightweight asset and data inventory

You cannot prioritise what you cannot see. Capture an inventory that is good enough to act:

  • Business services and owners
  • Information assets and sensitivity, especially personal and special category data
  • Supporting systems, suppliers and cloud platforms
  • Existing key controls, known gaps and dependencies

Tag items that are safety critical, customer-facing or underpin revenue. These tags will later influence impact scoring. If you need input quickly, draw on recent vulnerability assessments and targeted web application testing to surface high-value issues early.

3) Establish a clear, UK-aligned risk model

Keep the scoring model simple so it is repeatable and defensible in audits and board discussions. NCSC’s Board Toolkit describes pragmatic approaches to risk governance that boards understand. A practical model we use often:

  • Likelihood scale 1 to 5: 1 = rare, 5 = expected
  • Impact scale 1 to 5: evaluate across financial loss, service disruption, safety, legal/regulatory and reputation. Use the highest applicable impact.
  • Risk score = Likelihood x Impact (range 1 to 25)
  • RAG thresholds: 15 to 25 High, 8 to 14 Medium, 1 to 7 Low. Note that the product of two 1-to-5 scores can only take 14 distinct values (7, 11, 13 and 14, for example, never occur), so a single point change in likelihood or impact can move a risk straight from 12 (Medium) to 15 (High).

Document assumptions. Example: “Ransomware likelihood is 4 for our sector due to known incident frequency, and impact is 5 for the order fulfilment service as downtime halts revenue.” If you operate in a regulated or essential service context, consider using the NCSC’s Cyber Assessment Framework (CAF) outcomes as the structure for control coverage and maturity. CAF v4.0 details updated expectations and can anchor your scoring and evidence.

4) Populate the risk register with traceable evidence

Use a concise template. Each row should include:

  • Risk ID and description, linked to a business service or data set
  • Threat and vulnerability statement
  • Existing controls and their effectiveness
  • Likelihood, impact and risk score
  • Proposed treatments with cost, effort and time to implement
  • Owner, target date and expected residual risk

Evidence sources should be transparent. Combine findings from operations, audits, incident reviews, penetration testing, supplier attestations and system telemetry. The objective is not volume of entries, it is clarity on the top risks that matter.

5) Prioritise using risk reduction per pound spent

To justify spend and sequence work, rank candidate actions by their risk-reduction impact divided by estimated cost and effort. Example worked scenario:

Context: Ransomware risk to on-prem file shares supporting order fulfilment. Inherent risk scored at 20 (Likelihood 4, Impact 5). Existing backups are weekly and untested. Remote access is protected by passwords alone.

  • Option A: Enforce multi-factor authentication on all remote access and admin accounts. Cost estimate £9,000 per year in licences and rollout time. Expected residual risk 8 (L2, I4). Risk reduction 12.
  • Option B: Network segmentation and privileged access redesign. Cost estimate £40,000 in project effort. Expected residual risk 10 (L2, I5). Risk reduction 10.

Result: Option A delivers a larger reduction for significantly less cost. Implement A first, then plan B for defence in depth. Two caveats keep this defensible: compare costs on the same basis (Option A is a recurring annual cost, Option B a one-off, so normalise both to a stated planning horizon such as three years before dividing), and record why each score moved, since MFA chiefly lowers likelihood and any claimed drop in impact needs its own justification. This evidence-based ordering is easy to explain to boards and auditors.
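The scoring model from section 3 and the risk-reduction-per-pound ranking from this section, as an added Python example (not Samurai Security’s own tooling). The figures are the article’s Option A and Option B; the three-year planning horizon, the split of A into a purely recurring cost and B into a purely one-off cost, and the `breakeven_horizon` helper are assumptions of this example, added to show why the horizon has to be stated.

```python
"""Added example: 5x5 risk scoring plus treatment ranking by risk reduction per £1k.

Not Samurai Security's tooling. Option A / B figures are the article's; the
planning horizon and cost split are this example's assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and impact both run 1..5


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x Impact (1..25). Rejects values off the 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"scores must be 1..5, got L={likelihood} I={impact}")
    return likelihood * impact


def rag_band(score: int) -> str:
    """RAG thresholds from the model: 15-25 High, 8-14 Medium, 1-7 Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Treatment:
    name: str
    one_off_gbp: float        # project cost paid once
    annual_gbp: float         # recurring cost per year (licences, operations)
    residual_likelihood: int  # expected scores after the treatment is in place
    residual_impact: int

    def total_cost(self, horizon_years: int) -> float:
        """Put one-off and recurring costs on the same planning horizon."""
        return self.one_off_gbp + self.annual_gbp * horizon_years


def rank_treatments(inherent_l: int, inherent_i: int, treatments, horizon_years: int = 3):
    """Return treatments ordered by risk reduction per £1k over the horizon, best first."""
    inherent = risk_score(inherent_l, inherent_i)
    rows = []
    for t in treatments:
        residual = risk_score(t.residual_likelihood, t.residual_impact)
        cost = t.total_cost(horizon_years)
        if cost <= 0:
            raise ValueError(f"{t.name}: cost must be positive to rank per pound")
        reduction = inherent - residual
        rows.append({
            "name": t.name,
            "inherent": inherent, "inherent_band": rag_band(inherent),
            "residual": residual, "residual_band": rag_band(residual),
            "reduction": reduction,
            "cost_gbp": cost,
            "reduction_per_kgbp": reduction * 1000 / cost,
        })
    # Best value first; ties broken by the larger absolute reduction.
    rows.sort(key=lambda r: (r["reduction_per_kgbp"], r["reduction"]), reverse=True)
    return rows


def breakeven_horizon(inherent_l: int, inherent_i: int, treatments, max_years: int = 10):
    """First horizon (years) at which the top-ranked treatment changes, or None."""
    first = rank_treatments(inherent_l, inherent_i, treatments, 1)[0]["name"]
    for years in range(2, max_years + 1):
        if rank_treatments(inherent_l, inherent_i, treatments, years)[0]["name"] != first:
            return years
    return None


# Constructed from the article's worked scenario: ransomware on file shares, L4 I5.
OPTIONS = [
    Treatment("A: MFA on remote access and admin accounts", one_off_gbp=0, annual_gbp=9_000,
              residual_likelihood=2, residual_impact=4),
    Treatment("B: segmentation and privileged access redesign", one_off_gbp=40_000, annual_gbp=0,
              residual_likelihood=2, residual_impact=5),
]

if __name__ == "__main__":
    for row in rank_treatments(4, 5, OPTIONS, horizon_years=3):
        print(f'{row["name"]:48} {row["inherent"]:>2} {row["inherent_band"]:6} -> '
              f'{row["residual"]:>2} {row["residual_band"]:6} '
              f'reduction {row["reduction"]:>2}  cost £{row["cost_gbp"]:>9,.0f}  '
              f'{row["reduction_per_kgbp"]:.3f} per £1k')
    print("top-ranked treatment changes at horizon (years):", breakeven_horizon(4, 5, OPTIONS))
```

On a three-year horizon Option A costs £27,000 against Option B’s £40,000 and still ranks first (0.444 versus 0.250 points of reduction per £1k). Because A’s licence cost recurs, the ranking flips once the horizon reaches six years, which is exactly why the register should state the horizon the comparison was made on.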

Tip: When the cyber threat is heightened, the NCSC advises temporarily reweighting prioritisation to patch exposure and tighten access rapidly. Their practical checklist for heightened threat periods sets out the specific actions.

6) Remediation plan, owners and timelines

Convert the top risks into an executable plan. Group actions into waves:

  • Wave 1, 0 to 30 days: high-impact, low-effort fixes such as MFA enforcement, critical patching, disabling stale accounts, backup validation
  • Wave 2, 30 to 90 days: projects needing coordination such as endpoint hardening, email security tuning, supplier assurance
  • Wave 3, 90 to 180 days: architecture changes, segmentation, identity governance and application security initiatives

Assign named owners, budget, and success criteria. Where continuous monitoring and rapid response are required, consider managed detection and response to strengthen detection, containment and evidence gathering. Pair this with a tested incident response plan so risk treatments consider both prevention and recovery.

7) Governance, reporting and risk acceptance

Make risk visible and auditable. Report a concise top 10 risk list to the board each quarter, show trend arrows, and report the proportion of high risks whose treatments are on schedule. Where a risk is accepted, record rationale, acceptance period and a review date. This aligns with UK regulators’ expectations for demonstrable, risk-based decision making and helps satisfy audits against ISO 27001 and Cyber Essentials certification requirements.

8) Case studies from the field

Healthcare SME: A 400-employee provider faced phishing-led credential theft and legacy VPN exposure. We applied the model above and prioritised MFA, email authentication controls and backup testing. Cost about £18k. Outcome in 90 days: phishing account takeovers dropped to near zero and backup recovery time improved by 60 percent. Longer-term network segmentation followed.

Fintech scale-up: A payments platform needed to align with ISO 27001 controls and FCA expectations. A focused assessment of customer-facing APIs and CI/CD pipelines identified injection and secrets management risks. Immediate action was to conduct targeted web application testing, rotate credentials and implement pre-commit scanning. The measured risk reduction per pound clearly justified the sequence to the board.

9) Use UK guidance to stay aligned

If you are building your approach for the first time, start with the NCSC’s risk resources index for a UK-centric view of frameworks and advice. The Board Toolkit, the CAF v4.0 summary and the fundamentals of cyber risk overview together provide a strong policy backbone.

10) A simple, reusable risk assessment template

Use this structure in a spreadsheet or ticketing tool and keep it to one page per service for exec readability:

  • Service and owner
  • Top threats and vulnerabilities
  • Risk entries: Description, Likelihood, Impact, Score
  • Existing controls and effectiveness
  • Treatments: Action, Cost, Effort, Timeframe, Expected residual score
  • Decision: Treat, Tolerate, Transfer or Terminate
  • Status and due date
  • Evidence links

When you are ready to formalise and scale, Samurai can deliver a facilitated risk assessment workshop that aligns outputs to ISO 27001 clauses and Cyber Essentials controls, then hand over a tailored, repeatable model.

When to reassess and how often

Re-run the assessment at least annually, after material change, and whenever the NCSC signals increased threat activity, using its heightened threat checklist. Track leading indicators such as patch latency, phishing simulation failure rate, and mean time to detect and respond. Where needed, augment in-house capability with managed detection and response for 24×7 coverage.

Key takeaways

  • Prioritisation is a business decision informed by a clear, simple, UK-aligned risk model
  • Rank actions by risk reduction per pound spent to justify budget and sequencing
  • Document assumptions and evidence so boards and auditors can follow the logic
  • Use NCSC resources to stay aligned with UK expectations
  • Make it a cycle, not a one-off, and be ready to adjust when the threat is heightened

If you want independent assurance or a rapid start, our consultants can facilitate, validate and help you implement the plan, from quick wins like MFA to deeper improvements coordinated with incident readiness and ongoing monitoring.