NIS2YOU helps you build and maintain the risk register required by NIS2, ISO 27001, and GDPR — without needing a consultant. Here's how the pieces fit together.
Your assets (what has value) are threatened by risks, which you reduce with controls, deployed via action plans. Together they prove your compliance with the frameworks you follow. You keep the register alive through periodic reviews, and you log incidents when things actually happen.
Asset: Anything of value, such as an app, server, data, contract, or key person.
Risk: A potential event that could harm you (probability × impact).
Control: A measure that reduces a risk (technical, organisational, contractual).
Action plan: A concrete task with an owner and a due date that moves security forward.
Review: The moment you re-assess a risk or control.
Incident: An event that actually happened — to track, understand, and notify.
1. Week 1 — Inventory your critical assets.
   List the 10-20 things your business cannot operate without: business apps, servers, customer data, key suppliers, key people.
2. Week 2 — Identify your top 10-15 risks.
   The classics for a tech SME: phishing, cloud provider outage, GDPR data leak, departure of a key developer, ransomware.
3. Week 3 — Document the controls you already have.
   MFA, backups, antivirus, encryption, contracts, insurance: you probably already do a lot. Document it. Link each control to the risks it covers.
4. Week 4 — Create action plans for the gaps.
   Wherever residual probability stays high, create a plan: deploy a new control, improve an existing one, document a procedure.
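The four weeks above describe one data model: assets are threatened by risks, controls lower a risk's probability, and an action plan is raised wherever the residual probability stays high. The Python below is an added illustration of that model, not NIS2YOU's code. The 1-5 probability and impact scale, the rule that each linked control lowers probability by one step, the gap threshold of 3, and every asset, risk, control, owner and due date are assumptions constructed for the example.

```python
"""Minimal risk register: assets -> risks -> controls -> action plans.

Added example, not NIS2YOU's implementation. The scoring scale and the
one-step-per-control reduction rule are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    category: str  # e.g. "app", "server", "data", "supplier", "person"


@dataclass
class Control:
    name: str
    kind: str  # "technical" | "organisational" | "contractual"
    # Assumption: each control lowers the linked risk's probability by one step
    # on a 1-5 scale. A real register would rate control strength per risk.
    reduces_probability_by: int = 1


@dataclass
class Risk:
    name: str
    asset: Asset
    probability: int  # inherent likelihood, 1 (rare) .. 5 (almost certain)
    impact: int  # 1 (negligible) .. 5 (critical)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Probability x impact before any control is applied."""
        return self.probability * self.impact

    def residual_probability(self) -> int:
        """Probability left after the linked controls, floored at 1."""
        reduction = sum(c.reduces_probability_by for c in self.controls)
        return max(1, self.probability - reduction)

    def residual_score(self) -> int:
        return self.residual_probability() * self.impact


@dataclass
class ActionPlan:
    risk: Risk
    task: str
    owner: str
    due: str


# Assumption: a residual probability of 3 or more still counts as a gap.
GAP_THRESHOLD = 3


def find_gaps(risks, threshold=GAP_THRESHOLD):
    """Week 4 rule: risks whose residual probability stays at/above threshold."""
    return [r for r in risks if r.residual_probability() >= threshold]


def prioritised(risks):
    """Register view sorted by residual score, highest first."""
    return sorted(risks, key=lambda r: r.residual_score(), reverse=True)


def build_register():
    """Walk the four weeks with constructed sample data."""
    # Week 1: critical assets (constructed sample values)
    crm = Asset("Customer CRM", "data")
    cloud = Asset("Cloud hosting provider", "supplier")
    lead_dev = Asset("Lead developer", "person")

    # Week 2: top risks with inherent probability and impact
    phishing = Risk("Phishing leading to credential theft", crm, 5, 4)
    outage = Risk("Cloud provider outage", cloud, 3, 4)
    key_person = Risk("Departure of lead developer", lead_dev, 2, 4)
    ransomware = Risk("Ransomware on file servers", crm, 4, 5)

    # Week 3: controls already in place, linked to the risks they cover
    mfa = Control("MFA on all SaaS accounts", "technical")
    awareness = Control("Quarterly phishing awareness training", "organisational")
    sla = Control("Provider SLA with service credits", "contractual")
    backups = Control("Offline, tested backups", "technical")
    phishing.controls += [mfa, awareness]
    outage.controls += [sla]
    ransomware.controls += [backups]

    risks = [phishing, outage, key_person, ransomware]

    # Week 4: one action plan per remaining gap (owner/due are placeholders)
    plans = [
        ActionPlan(r, f"Add or strengthen a control for: {r.name}",
                   owner="security-owner@example.invalid", due="YYYY-MM-DD")
        for r in find_gaps(risks)
    ]
    return risks, plans


if __name__ == "__main__":
    register, action_plans = build_register()
    for r in prioritised(register):
        print(f"{r.residual_score():>2}  {r.name} (inherent {r.inherent_score()})")
    for p in action_plans:
        print("PLAN:", p.task)
```

With the sample data, phishing starts at probability 5 and two linked controls bring it to 3, still a gap; ransomware drops from 4 to 3 and is also a gap; the outage and key-person risks fall below the threshold and get no plan. Changing a control's `reduces_probability_by` or the threshold is how a reviewer re-runs the Week 4 rule after a periodic review.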