IT Governance & Cybersecurity Risk Assessment

Caso Risk Assessment Cybersecurity

Leading Contractor among the top 25 in Europe in the construction sector

The Client requested Macfin’s support in order to detect and represent its IT and cybersecurity risk profile according to a methodology / risks taxonomy that could be effectively shared between control functions, IT area and key process owners operating in the headquarter, foreign offices and production sites.



based on qualitative-quantitative metrics, the absolute exposure, the level of controls and the residual exposure for each risk in the scope, in order to define an audit program based on the actual risk profile


the adequacy of the Organizational and Control Model ex Legislative Decree 231/2001 to prevent cybercrime and copyright violations

Implement a risk taxonomy

in line with the characteristics of the organization, effectively shareable and, at the same time, consistent with COBIT framework


Definition of a custom taxonomy

including about 35 risks and related controls (IT governance, operations, cybersecurity) and its mapping with the COBIT standard classification consisting of about 110 risks and 210 controls

Mapping of the Business application systems

primary, secondary and general purpose for each business area (about 60 systems centrally managed, in addition to those operating locally in the main foreign offices) The mapping was used as context information in the risk assessment with the process owners

Risk assessment

with reference to 12 main process owners in different areas (bids, production, AFC, HR, acquisition, IT, etc.) and main foreign offices The activity was carried out in a self-assessment modality through the use of a tool for sharing the results with the process owners during the interview

Mapping of cybercrime and copyright violation risks

within the identified IT risks and evaluation of the adequacy with the provisions of the Organization and Control Model ex the Legislative Decree 231/2001 231/2001


Cross-dissemination of risk culture

and IT control in different areas of the organization, overcoming the typical separation between technology and business risks

Definition of an IT risk report shared at all levels

of the organization and of immediate reading, through the contextualization of IT risk in the business operational processes

Identification of an IT risk assessment methodology

that can be retraced according to defined criteria and processes, thanks to knowledge transfer to control functions and references to the COBIT IT governance standard


Would you like to have more information about our services and solutions? Enter your data and we will contact you as soon as possible. 

    I'd like to talk about:

    Other Success Cases

    Caso Framework Player Internazionale Gaming

    Setting the "231" Framework of an International Gaming Player

    Industry & Services | ESG, Risk & Compliance

    Caso framework GDPR società pubblica

    Setting the "GDPR" Framework of a State-owned company

    Non-Profit & Public | Risk & Compliance

    About Macfin