The specific approach taken will depend on the organisation and on any specific requirements it may have. However, a typical risk assessment includes several common components and aligns with industry good-practice standards such as ISO 27005 (“Guidance on managing information security risks”).
These components include the following:
- Asset Management Review - Identify and use the existing asset management process if one is available, or perform an initial asset inventory if not.
- Vulnerability Assessment - Review and understand the vulnerabilities relevant to the assets under consideration. Depending on the scope of the engagement and the time available, this may be done at a high level.
- Threat Assessment - Identify the likely threats that could lead to compromise of the asset through the vulnerabilities determined.
- Impact & Likelihood Assessment - Determine the potential impact and likelihood of a given threat-and-vulnerability combination leading to a compromise of the asset.
- Control Gap Analysis - Where appropriate, determine where existing controls already manage identified risks, where existing controls can be applied to manage them, and where new controls are needed.
- Reporting - Produce a risk assessment report that can be used to inform risk management decisions, to determine controls, or to prioritise other assessment activities.