Risk assessments have long been the cornerstone of cybersecurity governance. They are the exercises every organization is familiar with: gather a team, fill in spreadsheets, estimate how likely a threat is to materialize, and score its potential impact. The result is a table of subjective guesses—often based on periodic workshops—that regulators accept, but adversaries routinely outpace. By the time a quarterly or annual risk assessment is complete, the ground has shifted. New adversary techniques emerge, assets evolve, and controls drift. Static risk assessments are snapshots in a world that requires continuous video.
Attestor.ai takes a different path. Instead of treating risk assessment as a periodic, human-judgment-heavy exercise, we anchor our methodology in Statements of Applicability (SOAs). This choice is deliberate and reflects a fundamental shift in how risk should be understood, measured, and managed.
Traditional risk assessments rely heavily on subjective judgments: How likely is this threat? How severe might the impact be? Such questions invite inconsistent answers depending on who is in the room. In contrast, Attestor.ai’s SOAs work from objective attributes:
By combining these attributes, the SOA calculates an inherited risk score—a quantified measure of how applicable a threat is to a given scope. This shifts the model away from speculation and toward systematic, data-driven calculation.
In ISO 27001, the SOA has traditionally served as a compliance artifact, documenting which controls apply to which scope. Attestor.ai extends this concept into a living risk object:
Rather than a static table, the SOA becomes a driver of automated, traceable, and continuously updated risk governance.
We intentionally avoid framing SOAs as traditional risk assessments because the market associates risk assessments with outdated practices:
By contrast, the SOA reflects the dynamic, data-driven, and automatable foundation of Attestor.ai’s model. It is not about guessing risk—it is about measuring applicability and continuously recalculating exposure as mitigations and evidence are applied.
For innovation-oriented CISOs, security strategists, and enterprises moving beyond checklist compliance, this distinction matters. Choosing SOAs over risk assessments signals a shift:
Attestor.ai’s adoption of SOAs is not a rejection of traditional frameworks—it is their modernization. Where ISO 27001’s SOA documented applicability, Attestor.ai’s SOA calculates it, operationalizes it, and continuously reduces it through mitigations and evidence. This evolution transforms the SOA from a regulatory checkbox into the foundation of AI-powered cyber risk management.
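The idea described above and in the paragraphs on inherited risk and continuous recalculation, shown as an added toy model in Python. This is illustrative code written for this page, not Attestor.ai's product or scoring model (the page does not specify either): the objective attributes (asset type, internet exposure, threat severity), the weights, and the two formulas for applicability and residual risk are assumptions, and the assets, threats and control id are constructed sample data. What it demonstrates is the structural difference the page draws: every score is derived from attributes on read, so adding evidence for a control or adding an asset to the scope changes the next snapshot without anyone re-running a workshop.

```python
"""Toy model of a Statement of Applicability (SOA) used as a living risk object.

Added illustration, not Attestor.ai's scoring model (which this page does not
specify): the asset/threat attributes, the weights, and the formulas are
assumptions chosen only to show inherited risk derived from applicability and
residual risk recalculated as mitigations and evidence change.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: str          # assumed attribute, e.g. "web-app", "database"
    internet_exposed: bool   # assumed attribute


@dataclass(frozen=True)
class Threat:
    name: str
    targets: FrozenSet[str]          # asset types the threat can apply to (assumed)
    needs_internet_exposure: bool    # assumed: only reachable from the internet
    severity: int                    # 1..5 from a reference catalogue (assumed)


@dataclass
class Mitigation:
    control_id: str                  # constructed placeholder id
    threats: FrozenSet[str]          # threat names it addresses
    reduction: float                 # 0..1: share of inherited risk removed when fully evidenced
    evidence_strength: float = 0.0   # 0..1: how well evidence shows the control operates


class StatementOfApplicability:
    """Scope = assets + threats + mitigations; every score is recomputed on read."""

    def __init__(self, assets: List[Asset], threats: List[Threat]) -> None:
        self.assets = list(assets)
        self.threats = list(threats)
        self.mitigations: List[Mitigation] = []

    def applicability(self, threat: Threat) -> float:
        """Share of in-scope assets the threat can apply to, 0..1 (assumed formula)."""
        if not self.assets:
            return 0.0
        hits = [a for a in self.assets
                if a.asset_type in threat.targets
                and (a.internet_exposed or not threat.needs_internet_exposure)]
        return len(hits) / len(self.assets)

    def inherited_risk(self, threat: Threat) -> float:
        """Applicability scaled by severity, 0..5 (assumed formula)."""
        return self.applicability(threat) * threat.severity

    def residual_risk(self, threat: Threat) -> float:
        """Inherited risk after each mitigation is applied, weighted by its evidence."""
        remaining = 1.0
        for m in self.mitigations:
            if threat.name in m.threats:
                remaining *= 1.0 - m.reduction * m.evidence_strength
        return self.inherited_risk(threat) * remaining

    def add_asset(self, asset: Asset) -> None:
        self.assets.append(asset)

    def add_mitigation(self, m: Mitigation) -> None:
        self.mitigations.append(m)

    def record_evidence(self, control_id: str, strength: float) -> None:
        """Evidence arrives after the control decision; recording it changes the score."""
        for m in self.mitigations:
            if m.control_id == control_id:
                m.evidence_strength = max(0.0, min(1.0, strength))

    def snapshot(self) -> Dict[str, Tuple[float, float]]:
        """(inherited, residual) per threat, rounded; each call reflects current state."""
        return {t.name: (round(self.inherited_risk(t), 3), round(self.residual_risk(t), 3))
                for t in self.threats}


def demo() -> List[Dict[str, Tuple[float, float]]]:
    """Walk one constructed scope through three events and return each snapshot."""
    soa = StatementOfApplicability(
        assets=[Asset("portal", "web-app", True),
                Asset("orders-db", "database", False),
                Asset("idp", "identity", True)],
        threats=[Threat("credential-stuffing", frozenset({"web-app", "identity"}), True, 4),
                 Threat("sql-injection", frozenset({"web-app", "database"}), False, 5)],
    )
    stages = [soa.snapshot()]                                    # 1: inherited risk only
    soa.add_mitigation(Mitigation("ctrl-mfa", frozenset({"credential-stuffing"}), 0.8))
    soa.record_evidence("ctrl-mfa", 1.0)                         # 2: control fully evidenced
    stages.append(soa.snapshot())
    soa.add_asset(Asset("partner-api", "web-app", True))         # 3: scope changes, scores follow
    stages.append(soa.snapshot())
    return stages


if __name__ == "__main__":
    for i, stage in enumerate(demo(), 1):
        print(f"stage {i}: {stage}")
```

The three snapshots show the "snapshot versus video" point in miniature: a static assessment would have recorded stage 1 and stopped, while here the evidenced control lowers the credential-stuffing residual and the newly added internet-exposed asset raises both threats' inherited scores on the very next read.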
In short: risk assessments freeze risk in time; SOAs let risk evolve in real time.