Risk Assessment
What is Risk Assessment?
A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
A risk assessment combines risk identification, analysis, and evaluation for a defined scope such as a system, business process, vendor, or new project. Assessors gather threat intelligence, map vulnerabilities, estimate likelihood and business impact, and produce a prioritized list of risks rated against the organization's risk criteria. Methods range from qualitative heat maps (likelihood and impact on low/medium/high or 1-5 scales) to quantitative techniques such as FAIR (Factor Analysis of Information Risk) or Monte Carlo modelling of annual loss, and the outputs feed the risk register and treatment plans. NIST SP 800-30 and ISO/IEC 27005 describe how to conduct one; regulations such as the GDPR (DPIAs under Article 35) and the HIPAA Security Rule (which mandates a risk analysis of electronic protected health information) make one a legal requirement.
● Examples
- NIST SP 800-30 style assessment for a new SaaS payroll platform.
- Annual ISO 27005 assessment supporting an ISO 27001 certification audit.
● Frequently asked questions
What is Risk Assessment?
A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Risk Assessment mean?
A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
How does Risk Assessment work?
A risk assessment combines risk identification, analysis, and evaluation for a defined scope such as a system, business process, vendor, or new project. Assessors gather threat intelligence, map vulnerabilities, estimate likelihood and business impact, and produce a prioritized list of risks rated against the organization's risk criteria. Methods range from qualitative heat maps (likelihood and impact on low/medium/high or 1-5 scales) to quantitative techniques such as FAIR (Factor Analysis of Information Risk) or Monte Carlo modelling of annual loss, and the outputs feed the risk register and treatment plans. NIST SP 800-30 and ISO/IEC 27005 describe how to conduct one; regulations such as the GDPR (DPIAs under Article 35) and the HIPAA Security Rule (which mandates a risk analysis of electronic protected health information) make one a legal requirement.
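The two families of method named in this answer (and in the definition at the top of the page), a qualitative heat map and a quantitative Monte Carlo model, applied to the same three risk scenarios. This is an added worked example, not code from the original page; the scenarios, the 1-5 scales, the heat-map band thresholds and the use of a triangular loss distribution (where FAIR practitioners would normally use PERT) are all this example's own assumptions.

```python
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario from the assessment (all values constructed for illustration)."""
    name: str
    likelihood: int         # qualitative: 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative: 1 (negligible) .. 5 (severe)
    events_per_year: float  # quantitative: expected loss-event frequency (FAIR "LEF")
    loss_min: float         # quantitative: per-event loss magnitude range (FAIR "LM")
    loss_mode: float        #   ... most likely per-event loss
    loss_max: float


# Constructed scenarios for a hypothetical SaaS payroll platform assessment.
SCENARIOS = [
    Scenario("Payroll SaaS credential phishing", 4, 4, 2.0, 10_000, 30_000, 100_000),
    Scenario("Unpatched VPN appliance exploited", 3, 5, 0.5, 50_000, 200_000, 1_000_000),
    Scenario("Lost unencrypted laptop", 4, 2, 3.0, 2_000, 5_000, 20_000),
]


def qualitative_score(s: Scenario) -> int:
    """Heat-map score: likelihood x impact on 1-5 scales (range 1..25)."""
    return s.likelihood * s.impact


def heat_band(score: int) -> str:
    """Map a 1..25 score to a heat-map band; the thresholds are this example's assumption."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_qualitative(scenarios):
    """Scenarios ordered by heat-map score, highest first."""
    return sorted(scenarios, key=qualitative_score, reverse=True)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo annual loss: Poisson event count x triangular per-event loss.

    Triangular (min, mode, max) stands in for the PERT distribution FAIR tooling
    usually uses, so the example stays inside the standard library.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        year_loss = sum(
            rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
            for _ in range(_poisson(rng, s.events_per_year))
        )
        losses.append(year_loss)
    losses.sort()

    def pct(p):  # nearest-rank percentile over the sorted samples
        return losses[min(len(losses) - 1, int(p / 100 * len(losses)))]

    return {
        "mean": sum(losses) / trials,  # annualized loss expectancy (ALE)
        "p50": pct(50),
        "p90": pct(90),
        "max": losses[-1],
    }


def rank_quantitative(scenarios, **kw):
    """(name, ALE) pairs ordered by simulated mean annual loss, highest first."""
    ranked = [(s.name, simulate_annual_loss(s, **kw)["mean"]) for s in scenarios]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("Qualitative (heat map):")
    for s in rank_qualitative(SCENARIOS):
        sc = qualitative_score(s)
        print(f"  {sc:>2} {heat_band(sc):<6} {s.name}")
    print("Quantitative (Monte Carlo ALE):")
    for name, ale in rank_quantitative(SCENARIOS):
        print(f"  {ale:>12,.0f} {name}")
```

The point worth noticing is that the two methods disagree: the heat map ranks the phishing scenario (4 x 4 = 16) above the VPN compromise (3 x 5 = 15), while the Monte Carlo model puts the VPN compromise first because its rare events carry a much larger loss tail. The percentiles matter as much as the mean for treatment decisions, since a control that caps the p90 loss may be worth more than one that trims the average.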
How does Risk Assessment support defence?
A risk assessment is not a threat to be defended against; it is the activity that decides which defences are worth building. Its prioritized risk list feeds the risk register and treatment plans, where each risk is mitigated with technical controls and operational practices, transferred (for example through insurance or a vendor contract), avoided, or formally accepted within the organization's risk tolerance.
What are other names for Risk Assessment?
Common alternative names include: Cyber risk assessment, IT risk assessment.
● Related terms
- compliance № 936
Risk Management
The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- compliance № 937
Risk Register
A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
- compliance № 888
Qualitative Risk Analysis
A risk analysis approach that rates likelihood and impact using descriptive scales such as low/medium/high or 1-5, rather than monetary or probabilistic values.
- compliance № 889
Quantitative Risk Analysis
A risk analysis approach that expresses likelihood and impact in numbers, typically as probabilities and monetary loss distributions, to support data-driven decisions.
- compliance № 282
Data Protection Impact Assessment (DPIA)
A structured assessment, required by GDPR Article 35, that identifies and mitigates risks to individuals' rights and freedoms before high-risk personal data processing begins.
- appsec № 1150
Threat Modeling
A structured analysis that identifies the assets, threats, vulnerabilities and mitigations of a system so security can be designed in rather than bolted on.