Risk Assessment Checklist – 5 Steps You Need to Know

by Sarah Harvey / November 20th, 2018

What is a Risk Assessment?

A risk assessment is a process by which an organization analyzes vulnerabilities, potential threats and risks to the organization’s security posture and IT systems. Performing a risk assessment is a critical component of any Information Security program. Because it’s mandated by several frameworks (SOC 1, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA), organizations wanting to comply with these frameworks must conduct risk assessments on a regular basis. By doing so, organizations will be able to stay on top of mitigating vulnerabilities in their security posture and demonstrate to their current and potential clients that they are performing their due diligence in keeping sensitive assets secure.

How Do You Conduct a Risk Assessment?

We believe that the risk assessment process can be broken down into five steps. The first step is to conduct the risk assessment. To do this, an internal or third-party auditor will perform staff interviews, review policies and procedures, observe tasks in real time, and conduct a physical inspection. Your organization’s hardware, software, system interfaces, data, information, and IT personnel will be involved in the risk assessment.

The next step is to identify risks. After you have identified your organization’s assets, you have to identify the threats to those assets that were found during your risk assessment. These threats can be man-made (intentional or accidental) or natural events (floods, power outages, earthquakes, etc.) that can take advantage of an asset’s flaws and result in a loss of integrity, availability, or confidentiality.

After you have identified risks, you’ll assess the importance and likelihood of each risk. What is the importance of each risk? What is the likelihood that each risk would actually occur? This process will help your organization strategically prioritize risk and determine where you should spend your time and effort. The likelihood of a risk can be expressed subjectively (high, medium, low) or quantitatively (on a scale of 1 to 5).

Next, create a risk management plan. Based on your complete analysis of which assets are important to your business and the threats and vulnerabilities that are likely to negatively affect those assets, you must develop security control recommendations to either mitigate, transfer, accept, or avoid the risks.

After you’ve developed an actionable plan to manage your risks and determined what you’re going to do and how you’re going to do it, it’s time to implement those controls. Continuous monitoring of risk management processes must be established to ensure that any and all risk mitigation efforts are operating effectively. Because the threat landscape is constantly evolving, conducting risk assessments on a regular basis will ensure that your organization strengthens its security posture.
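To show how steps two through four fit together, here is an added example (not from the original post or from KirkpatrickPrice): a small risk register that rates each identified threat for likelihood and importance on the 1 to 5 scale, ranks the results, and records a default treatment decision. The risk entries, score bands and the treatment rule are constructed assumptions to be tuned to your organization’s risk appetite.

```python
# Added example: score, rank and assign a treatment to identified risks.
# Risk entries, score bands and the treatment rule are constructed for illustration.
from dataclasses import dataclass

SCALE = range(1, 6)  # likelihood and importance are each rated 1 (low) .. 5 (high)


@dataclass
class Risk:
    asset: str
    threat: str        # man-made or natural event that can exploit a flaw in the asset
    likelihood: int    # 1..5, how likely the threat is to occur
    importance: int    # 1..5, impact on confidentiality, integrity or availability
    natural: bool      # True for natural events (flood, earthquake, power outage)

    def score(self) -> int:
        if self.likelihood not in SCALE or self.importance not in SCALE:
            raise ValueError("likelihood and importance must be rated 1 to 5")
        return self.likelihood * self.importance  # 1..25


def rating(score: int) -> str:
    """Map a 1..25 score to a band (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def treatment(risk: Risk) -> str:
    """Assumed default decision: accept low risks, transfer notable natural-event
    risks (e.g. insurance), mitigate everything else. 'avoid' is chosen manually."""
    band = rating(risk.score())
    if band == "low":
        return "accept"
    return "transfer" if risk.natural else "mitigate"


def prioritize(register):
    """Return (asset, threat, score, band, treatment) rows, highest score first."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), rating(r.score()), treatment(r)) for r in ranked]


# Constructed sample register
REGISTER = [
    Risk("customer database", "unpatched server exploited", 4, 5, natural=False),
    Risk("office workstations", "accidental file deletion by staff", 3, 2, natural=False),
    Risk("primary data center", "regional flood", 2, 5, natural=True),
    Risk("payment gateway", "administrator credential phishing", 4, 4, natural=False),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```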