About RiskForge · Founder

Built by the people who get audited.

RiskForge is the work of Luis A. Santos — an information security and cyber risk professional with 10+ years maturing enterprise cybersecurity and GRC programs inside regulated banking and U.S. defense environments. The same workbooks the consulting bill was hiding, built once and priced for sanity.

CISM · CRISC · CCAK · 10+ yrs in cyber risk

10+ yrs: In information security & cyber risk
500+: Controls & risks assessed
2: ISACA certifications (CISM · CRISC)
2: Regulated sectors (Banking · Defense)

01 · Why RiskForge exists

The deliverable was always a spreadsheet.

After enough audit cycles, one pattern is impossible to un-see: teams paying five figures for a workbook they could have owned outright.

Spend ten years inside regulated industries and you watch the same scene replay every audit cycle. A consultant arrives, runs a gap assessment, and leaves behind a spreadsheet. The invoice reads $15K to $50K. The deliverable could have been built once and reused forever.

The workbook was never the hard part. The hard part was knowing what a QSA or an internal-audit reviewer actually wants to see — how evidence should be laid out, which testing procedures belong on the page, where maturity scoring earns its keep. After assessing 500+ controls across banking and U.S. defense — and maturing an enterprise IT & Cyber Risk framework against NIST CSF, FFIEC, PCI DSS, and COBIT — that knowledge stops being research and becomes muscle memory.

RiskForge is that muscle memory, packaged. Every tab is structured the way auditors expect evidence presented. No filler. No theatre. Just the deliverables the consulting bill was hiding.

02 · Track record

Ten years across the regulated world.

Every role added a different lens — and a different set of auditors and examiners to satisfy. The workbooks carry all of it.

01. Senior IT & Cyber Risk Analyst (Banking)
Matured the enterprise IT & Cyber Risk framework; assessed 500+ controls across IAM, cloud, and network security.

02. IT Audit Specialist (Defense & Aerospace)
IT & cyber control audits across multiple countries; system integrity and mission assurance.

03. IT Auditor (Banking)
Audits of data-processing systems and applications; control effectiveness and security of operations.

04. Co-Owner / General Manager (Operations · Leadership)
Grew one operation into three dealerships; led multi-disciplinary teams and operational accountability.

03 · How everything is built

Four rules, no exceptions.

Every workbook ships against the same principles — the conventions GRC reviewers, QSAs, and internal audit expect to see.

01. Evidence-first (Workpaper hygiene)
Structured the way auditors want proof presented — preparer / reviewer / approver sign-off, tickmark legend, revision history on every tab.

02. Built to current standard (Always current)
NIST CSF 2.0 and PCI DSS v4.0.1 — not the old versions still floating around in free templates. Updated when the frameworks move.

03. No theatre (Substance only)
No dashboards that impress and don't audit. Every cell earns its place against a real requirement, testing procedure, or artifact.

04. Yours to keep (Owned, not rented)
One-time purchase, lifetime updates within the major version, hidden branding tab. Rebrand it and ship under your own name.

Frameworks I know cold.

The standards behind the workbooks — and the cross-walks that tie them together inside every tab.

NIST CSF 2.0 · PCI DSS v4.0.1 · NIST SP 800-53 Rev. 5 · ISO/IEC 27001 · CIS Controls v8 · COSO 2013 · COBIT 2019 · CRI Profile 2.0 · FFIEC CAT · AICPA AU-C 530 · PCAOB AS 2201

If you've ever rebuilt the same tracker from scratch the week before an audit, this was built for you. Put it to work before your next cycle.

— Luis A. Santos, Founder · RiskForge
CISM · CRISC · Information Security & Cyber Risk
hello@riskforge.tech

See what's actually inside.

The workbook tour is a real workbook — every tab, not a screenshot. Walk through it before you decide.