AGCG Genuine
Consulting Group

Cybersecurity • IT Governance

Case Study

Overhauling an ISO 27001 Risk Analysis for a Multi-Entity Public Group

Context: an ISO 27001 audit identified a major non-conformity in the organisation’s risk analysis. Intervention: complete redesign of the approach across four entities, harmonisation of methods, and facilitation of cross-entity risk workshops. Result: the non-conformity was fully resolved, and the approach was praised by auditors and highlighted as a key strength of the ISMS.

  • Harmonised risk methodology & scoring scales
  • Collaborative facilitation across 4 entities
  • ISO 27001 auditors’ praise & validation
Duration: 3 months
Impact: Non-conformity resolved

Detailed Case Study — ISO 27001 Risk Analysis Overhaul for a Public Group

Context

Following an ISO 27001 certification audit, a major public group was notified of a major non-conformity in its risk analysis. The initial evaluation presented structural weaknesses: divergent methods between entities, lack of traceability of criteria, an incomplete scope, and misalignment with ISMS requirements.

AGCG was mandated to lead a complete redesign of the risk analysis across four entities with heterogeneous activities, including industrial systems and critical support processes. Objective: achieve compliance within three months and ensure a robust risk analysis ahead of the upcoming ISO 27001 follow-up audit.

Challenges

  • Redo a risk analysis deemed non-compliant — under tight deadlines,
  • Align methods and scoring criteria across four autonomous entities,
  • Engage business teams with varying maturity and security culture,
  • Ensure traceability, coherence and long-term reusability of the results.

AGCG Approach

AGCG deployed a structured and federating approach, based on the EBIOS Risk Manager methodology and aligned with ISO/IEC 27005 requirements. The mission was organised into four stages:

  • Phase 1 — Scoping & Diagnostic: review of the initial audit, definition of the consolidated scope, clarification of responsibilities and inter-entity interfaces.
  • Phase 2 — Methodological Harmonisation: creation of a shared evaluation grid, standardisation of likelihood and impact scales, and formalisation of a common risk calculation model.
  • Phase 3 — Risk Analysis Workshops: facilitation of collaborative inter-entity sessions to identify business values, threat scenarios and existing measures.
  • Phase 4 — Consolidation & Validation: construction of the global risk map, definition of the treatment plan, and preparation of the compliance dossier for the follow-up ISO 27001 audit.

Results

  • ISO 27001 non-conformity fully resolved,
  • Harmonised risk analysis across four entities,
  • Full traceability and alignment with ISMS requirements,
  • Risk map validated by stakeholders and auditors,
  • Method reused as a reference for future analyses.

The follow-up audit highlighted the quality, coherence and maturity of the new approach, recognising the transformation as a major improvement in the ISMS.

Why This Case Reflects a Widespread Challenge

Many public organisations operate with decentralised governance models and fragmented security practices. Conducting a consistent risk analysis across multiple entities is often difficult without a shared methodology and centralised facilitation. Typical obstacles include:

  • heterogeneous maturity levels,
  • divergent interpretations of ISO 27001,
  • lack of business engagement,
  • limited coordination between entities,
  • multiple repositories and inconsistent documentation.

The AGCG approach — structured, collaborative and business-oriented — provides a scalable framework for organisations needing to align multiple entities under a single risk analysis model.

AGCG Key Differentiators

  • Expertise in multi-entity facilitation,
  • Accelerated ISO 27001 remediation methodologies,
  • Mastery of EBIOS RM and ISO/IEC 27005,
  • Clear business-oriented communication,
  • Audit-ready documentation and dashboards.

Conclusion

Redesigning a multi-entity risk analysis requires more than just applying a method. It demands alignment, facilitation, pedagogy and structure.

Through its structured and collaborative approach, AGCG Genuine Consulting Group enabled this public group to restore compliance, gain clarity on risks and elevate its ISMS maturity — all within three months.