Risk assessment is the process of identifying, estimating, and prioritizing information security risks. Assessing risk requires the careful analysis of threat and vulnerability information to determine the extent to which circumstances or events could adversely impact an organization and the likelihood that such circumstances or events will occur.
Cyber risk assessments address the potential adverse impacts to organizational operations and assets, individuals, and other organizations, arising from the operation and use of information systems and the information processed, stored, and transmitted by those systems. Organizations conduct cyber risk assessments to determine risks that are common to the organization’s core business functions, business processes, business segments, or information systems.
A cyber risk assessment is a compliance requirement for ISO 27001, NIST 800-171 , HIPAA Security Rule and the Payment Card Industry Data Security Standard (PCI DSS).
The end product of a risk assessment is the Risk Assessment Report. This report is used to document and communicate the assessment results and share risk-related information.
This approach provides risk assessments that are repeatable and reproducable.
The asset/impact-oriented approach starts with the identification of impacts or consequences of concern and critical assets and identifying threat events that could lead to and/or threat sources that could seek those impacts or consequences.
The vulnerability-oriented approach starts with a set of predisposing conditions or exploitable weaknesses in organizational information systems and identifies threat events that could exercise those vulnerabilities together with the consequences of vulnerabilities being exercised. A vulnerability assessment would be conducted to gather the set of predisposing conditions.more info on Vulnerability Assessment
- Evaluate and prioritize risks.
- Demonstrate risk management for compliance.
- Plan and justify implementation of security controls.
- NIST SP 800-30r1