Citicus ONE is a web-based application, available in six languages (UK English, US English, Dutch, French, German and Japanese), that offers a highly-efficient, constructive and continuous method of measuring and managing risk of assets and processes across an enterprise.

To measure risk in meaningful business terms, Citicus ONE employs succinct risk scorecards and criticality assessments to evaluate defined ‘targets of evaluation’ that pose a risk to the enterprise, such as:

  • application systems and IT infrastructure that support the organization’s business activities
  • key suppliers and the services they provide
  • essential physical sites
  • other user-definable risk areas

Deploying Citicus ONE gives business ‘owners’ on the ground insights into the risk status of their areas of responsibility, and practical guidance on driving risk down. It also provides top management with an overview of the risk and compliance status of their critical operational assets and processes.

Citicus ONE's functionality is outlined below. For a printer-friendly summary, download our Summary of Citicus ONE's capabilities (PDF, 137Kb).

Fact gathering capabilities

Fact-gathering about risk and compliance

Citicus ONE equips you to measure risk of defined targets of evaluation efficiently using carefully-designed forms presented for easy completion on line. These include:
  • Criticality assessment - identifying and quantifying the potential business impact that could result from worst-case incident scenarios, enabling a triage-based approach to risk management
  • Risk scorecard - configurable scorecards probing the status of controls, threats and special circumstances that drive risk up
  • Mini-scorecards - probing particular risk factors in detail (eg compliance assessments)
  • Incident assessment - probing the causes and business impact of significant incidents.

Results produced for people responsible for risk ‘on the ground’

Citicus ONE provides high-quality graphical results for business ‘owners’. These are presented succinctly, in plain language, both on screen and in PDF format. They include:

  • Criticality status report
  • Risk status report
  • Risk heat map
  • Dependency risk map™
  • Compliance status and Compliance trend reports
  • Schedule of issues and Action plan
  • Schedule of control weaknesses and other key findings of the risk evaluation process.

Results produced for decision-makers at business unit/corporate level

Citicus ONE also provides high-quality results for top management and for others with an interest in the status of risk and compliance across the enterprise. These consolidated results include:
  • Risk dashboard showing the overall level of risk and its key drivers
  • High-level risk status report, showing key risks, common vulnerabilities and threats, and the cost and other business impacts of actual incidents experienced
  • Criticality league table, ranking information resources, suppliers, sites and other targets according to their measured business criticality
  • Risk league table, ranking targets of evaluation according to their measured risk
  • Dependency risk maps™ highlighting the risk pinch-points in the complex structure of inter-dependent information systems, suppliers, sites and other assets and processes
  • Compliance trend reports for specific business units or the enterprise as a whole
  • Breakdown of Compliance status by business unit
  • Geo-Risk reports showing the distribution of risk by asset location
  • Risk factor analysis reports allowing you to drill-down on the status of specific controls (or other risk factors) across the enterprise
  • Incident list, ranked by harm caused
  • Incident statistics, including breakdowns by type and their business impact.

Workflow management

Citicus ONE helps you implement a constructive risk management process efficiently by providing automated support for:
  • Defining the information resources, suppliers, sites and other targets within the scope of the risk management system
  • Administering users either directly or via integration with an external user directory such as Microsoft Active Directory
  • Assigning ‘owners’ to targets of evaluation and ‘completers’ for each evaluation form
  • Issuing risk scorecards and assessments at frequencies that reflect the criticality of each target
  • Bringing forward previous evaluation results for updating, with minimal effort
  • Tracking completion of issued scorecards/assessments and supporting chase up as required through e-mail-integrated workflow capabilities
  • Reviewing completed forms and assigning them as 'accepted' or 'returned for correction'
  • Keeping track of actions needed at corporate level and any risk 'pinch points' (eg weaknesses in IT infrastructure which affect many information resources)
  • Generating high-level results (these can be refreshed automatically as evaluations are updated)
  • Exporting risk and compliance data in XML format (using an Excel-compliant schema) for external analysis and reporting
  • Keeping track of risk management activity via an extensive audit log.

Remediation activity planning

Citicus ONE records key issues raised by risk and compliance evaluations and maintains action plans to help manage these issues through to resolution. Issue schedules and Action plans are maintained at three levels:
  • For individual targets of evaluation, enabling their ‘owners’ to identify and manage the control improvements called for by risk and compliance assessments
  • For specific parts of the enterprise, enabling local co-ordinators to identify and manage actions they need to take within their business units
  • For the enterprise as a whole, enabling the custodian of the entire risk management process to identify and manage actions needed at corporate level (eg new policies, standards or procedures).

Remediation activities can be tracked and chased through Citicus ONE’s e-mail-integrated workflow system.


Citicus ONE's customization capabilities enable you to tailor the process to fulfil your own requirements. For example, you can:
  • Generate Harm reference tables which help users evaluate business impact consistently, in terms that reflect your organization's activities.
  • Set up Triage schemes that enable you control when and how security, risk and / or compliance is assessed with minimal effort, once the criticality of a target of evaluation has been assessed, and to track and chase completion of such evaluations
  • Generate Standards of practice and compliance checklists to help users consistently evaluate the status of the controls applied to their information resources, suppliers, sites and other targets. If desired these can be based on the Citicus-supplied standards such as ISO27001, PCI-DSS, ISF SoGP, Cloud Security Alliance CIAQ, OWASP, Cyber Essentials, COBIT or can be developed from your internal standards or local regulatory requirements (eg FSA, FFIEC, Basel II, SOX, etc).
  • Generate customized checklists of threats and special circumstances that apply to specific types of target of evaluation. These can be based on the content supplied with Citicus ONE for threat categories and special circumstances for information risk, supplier risk and site risk or can be built from scratch.
  • Develop multi-lingual versions of the customizable content so that it is presented to end users in their own language.
  • Modify the user authentication and administration process to integrate with your corporate approach to identity management.

The customization process is simple and can be carried out by the customer using the Citicus ONE user interface and other support tools such as the Excel-based Citicus Workbench. Support from Citicus is available if needed (see the Services page for further details).

Data exchange

Citicus ONE can exchange data with one or more external systems over a corporate intranet or the Internet, according to schedules or on demand.

Such data exchanges are established using a SOAP-based web service, which enables information about targets of evaluation (eg information systems, suppliers, sites) to be exchanged on-line. Details which may be exchanged includes the identity of individual targets of evaluation; their criticality and risk status; and any user-defined characteristics that have been established.

Citicus ONE can also exchange data for user administration and authentication purposes using LDAP. These capabilities enable integration with Microsoft’s Active Directory, Computer Associates’ SiteMinder and other LDAP-compliant solutions.