Risk Assessment
Definition
A risk assessment is a formal, documented process for identifying, analyzing, and evaluating information security risks to an organization's assets, operations, and objectives. It determines the likelihood and impact of potential threats exploiting vulnerabilities and informs decisions about which controls to implement, maintain, or enhance.
The Risk Assessment Process
Asset identification -- catalog information assets, systems, and processes that need protection
Threat identification -- determine what threats could affect each asset (malicious, accidental, environmental)
Vulnerability identification -- assess weaknesses that threats could exploit
Likelihood assessment -- evaluate the probability of each threat-vulnerability pair being realized
Impact assessment -- determine the business consequence if the risk materializes
Risk evaluation -- combine likelihood and impact to calculate risk levels and prioritize treatment
Risk treatment -- decide how to handle each risk: mitigate, transfer, accept, or avoid
Framework Requirements
SOC 2
Risk assessment is a common criteria requirement. Organizations must identify and assess risks that could affect trust services criteria.
HIPAA
Security Rule requires a thorough risk analysis of ePHI. This is the most commonly cited HIPAA finding.
ISO 27001
Clause 6.1.2 requires a formal risk assessment methodology with defined criteria for risk acceptance.
PCI-DSS
Requirement 12.2 mandates an annual risk assessment that identifies threats and vulnerabilities.
NIST CSF
The Identify function centers on understanding and managing cybersecurity risk through formal assessment.
CMMC
Risk Assessment domain (RA) requires periodic assessments of risk to organizational operations.