Risk Assessment Checklist – 5 Steps You Need to Know

KirkpatrickPrice

Innovation. Integrity. Delivered.

Risk Assessment Checklist: 5 Steps You Need to Know The 5 Steps of a Risk Assessment 1. Conduct a Risk Assessment A risk assessment is a systematic process of identifying, assessing, and prioritizing the potential operational, reputational, and compliance risks that your organization faces. An internal or third-party auditor will perform staff interviews, review policies and procedures, observe tasks in real-time, and conduct a physical inspection. Your organization’s hardware, software, system interfaces, data, information, and IT personnel will be involved in the risk assessment. Using the NIST Special Publication 800-30 as guidance, the auditor will then perform the following four steps. 2. Identify Risks After you have identified your organization’s assets, you have to identify the threats to those assets, which your risk assessment found. Threats can be man-made (intentional or accidental) or natural events (floods, power outages, earthquakes, etc.) that take advantage of an asset’s flaws, and that can result in a loss of integrity, availability, or confidentiality. 3. Assess Risk Importance and Risk Likelihood Now that you are aware of what the risks to your organization are, you can begin to assess the importance of the risks and the likelihood that the risks would actually occur. This process will help your organization strategically prioritize risk and determine where you should spend your time and effort. The likelihood of a risk can be expressed subjectively or quantitatively (high, medium, low or 1, 2, 3, 4, 5). 4. Create a Risk Management Plan Based on your complete analysis of which assets are important to your business and the threats and vulnerabilities that are likely to negatively affect those assets, you must develop security control recommendations to either mitigate, transfer, accept, or avoid the risks. 5. Implement a Risk Management Plan After you’ve developed an actionable plan to manage your risks and determine what you’re going to do and how you’re going to do it, it’s time to implement those controls. Continuous monitoring of risk management processes must be established to ensure that any and all risk mitigation efforts are operating effectively. Because the threat landscape is constantly evolving, conducting risk assessments on a regular basis will ensure that your organization strengthens its security posture.

Turn static files into dynamic content formats.

Create a flipbook

Risk Assessment Checklist – 5 Steps You Need to Know

Published on Jul 31, 2020

kirkpatrickprice

A risk assessment is a process by which an organization analyzes vulnerabilities, potential threats and risks to the organization’s security posture and IT systems. Performing a risk assessment is a critical component of any Information Security program. Because it’s mandated by several frameworks (SOC 1, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA), organizations wanting to comply with these frameworks must conduct risk assessments on a regular basis. By doing so, organizations will be able to stay on top of mitigating vulnerabilities in their security posture and demonstrate to their current and potential clients that they are performing their due diligence in keeping sensitive assets secure.