ISO 27001 and information security are only one part of the risk picture. When leadership needs a clearer view of an organisation, programme, or proposition, the work has to look more broadly at delivery capability, governance, operating reality, and the assumptions holding the whole thing together.
This work is useful where the question is not just “is it secure?” but “what are we really looking at here, how does it work, and where are the meaningful risks?”
The approach covers technology and information security, but also delivery, dependencies, operating model, organisational capability, and the practical conditions required for success.
Where useful, this can draw on 6.Three’s framework for governance-oriented risk assessment.
