One of the main inputs for calculating IT risk is the adequacy level assigned to each part of the control system.
AIT Risk lets you apply different industry standards (for example ISO 27001:2013, COBIT, NIST SP 800-53, etc.) so that genuine pre-assessment sessions can be run: questionnaires establish the actual level of compliance and maturity of each component of the control system in use.
The control system can be evaluated with either of two approaches:
- A top-down methodology, which starts by defining risk exposure levels for homogeneous control families.
- A bottom-up logic, which first examines the individual control areas and countermeasures by evaluating their functional and documentary coverage, and then derives summary values at the level of control categories.
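The bottom-up roll-up described above, as an added illustration that is not part of AIT Risk or its documentation: each control gets a functional and a documentary coverage score, the two are combined into a per-control adequacy value, and the values are then summarised per control category. The 0-4 scale, the "weakest coverage wins" rule, the averaging, the threshold and the sample evaluations (Annex A control identifiers from ISO 27001:2013, scores invented) are all assumptions made for the example, not rules taken from the page.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class ControlEvaluation:
    """One questionnaire result for a single control (constructed example)."""
    control_id: str
    category: str
    functional: int   # functional coverage, 0-4 (assumed maturity scale)
    documentary: int  # documentary coverage, 0-4 (assumed maturity scale)


def control_adequacy(ev: ControlEvaluation) -> int:
    """Assumption: a control is only as adequate as its weaker coverage.

    A procedure that is written but not implemented (or vice versa) should not
    score well, so the minimum of the two scores is used rather than the mean.
    """
    return min(ev.functional, ev.documentary)


def bottom_up_rollup(evals: list[ControlEvaluation]) -> dict[str, float]:
    """Summarise per-control adequacy into one value per control category.

    Assumption: the category value is the arithmetic mean of its controls.
    """
    by_category: dict[str, list[int]] = {}
    for ev in evals:
        by_category.setdefault(ev.category, []).append(control_adequacy(ev))
    return {cat: round(mean(scores), 2) for cat, scores in by_category.items()}


def weakest_controls(evals: list[ControlEvaluation], threshold: int = 2) -> list[str]:
    """Controls whose adequacy falls below the (assumed) acceptance threshold.

    This is the detail the bottom-up pass preserves and a family-level,
    top-down score would hide: the category mean can look acceptable while
    an individual control is effectively uncovered.
    """
    return [ev.control_id for ev in evals if control_adequacy(ev) < threshold]


# Constructed sample questionnaire results (scores are invented).
SAMPLE_EVALUATIONS = [
    ControlEvaluation("A.9.2.1", "Access control", functional=3, documentary=1),
    ControlEvaluation("A.9.4.2", "Access control", functional=4, documentary=4),
    ControlEvaluation("A.12.4.1", "Operations security", functional=2, documentary=2),
    ControlEvaluation("A.12.6.1", "Operations security", functional=1, documentary=3),
]

if __name__ == "__main__":
    for category, score in bottom_up_rollup(SAMPLE_EVALUATIONS).items():
        print(f"{category}: {score}")
    print("below threshold:", weakest_controls(SAMPLE_EVALUATIONS))
```

Note that "Access control" averages to 2.5 even though A.9.2.1 has almost no documentary coverage; the per-control list is what makes that gap visible, which is the reason to keep the bottom-up detail alongside the category summary.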
1.1.1 “What if?” simulations
An IRSA can also be run as a “what if?” simulation: a session conducted without involving anyone outside the Risk Management office and/or the IT function and, above all, without applying the usual constraints and user profiles.