This post tries to make an overview about how to perform a risk assessment of information technology (IT) assets.
Steps to perform an IT risk assessment
The summary of steps to be done are:
- Define scope
- Select a risk assessment methodology
- Identify asset types
- Identify threats
- Identify vulnerabilities
- List controls
- Assign controls to threats
- Identify main assets
- Identify derived assets
- Determine likelihood that an incident occur
- Assess the impact of an incident
- Calculate likelihood and impact after applying controls
- Set risk threshold
- Prioritize risks
- Set an action plan
- Review the results of the action plan
1. Define scope
2. Select a risk assessment methodology
You can find a list of assessment methodologies on this post.
3. List asset types
Make a catalog of possible asset type classification.
4. List threats
Make a catalog of possible threats.
5. List vulnerabilities
Make a catalog of possible vulnerabilities.
6. List controls
You can find some references that have already listed controls, so you can reuse them.
One reference is ISO 27002.
Since ISO 27002:2022, each control is linked to the NIST Cybersecurity Framework Core functions (Identify, Protect, Detect, Respond, and Recover). This assignment is also available in the table “Framework Core” of the document “Framework for Improving Critical Infrastructure Cybersecurity” by NIST.
7. Assign controls to threats
Assign controls to the threats where they are relevant.
7b. Assign threats to asset types
Also assign threats to asset types.
Until this steps all of them were generic and can be reused from one risk to another. From now on, they will be unique for each risk assessment.
8. Identify main assets
Identify the main assets under scope.
9. Identify derived assets
Identify the assets that are related to the main assets, and that should be taken into account to assess risk.
9. Assign threats to assets
As each asset has an asset type, you can assign a set of threats to each existing asset.
10. Determine likelihood that an incident occur
Set a value to the likelihood that an incident provoked by a threat occur.
11. Assess the impact
Assess the impact of the incident provoked by a thread happening.
12. Calculate likelihood and impact after applying controls
Repeat the two previous steps taking into account already applied controls.
13. Set risk threshold
Determine what is the risk threshold that you need.
14. Prioritize risks
As resources are limited, you cannot make.
Make an action plan of actions to be taken, and a date.
15. Review the results of the action plan
Review the results of the action plan based on the assigned dates.
Risk analysis should be repeated periodically.