December 22, 2025 25 min read

Cybersecurity risk assessments: A complete guide for building a risk program

Tony Luciani

Organizations today face a crossroads between rigorous compliance and pragmatic speed. Should you chase perfect risk coverage or accept that "good enough" delivered quickly creates immediate value?

Think about it this way. Every month without proper risk assessment leaves your organization exposed to cyber threats, such as phishing, malware, and other cyberattacks, that regulators, auditors, and insurance providers are watching closely. In the meantime, frameworks like NIST CSF and SOC 2 aren't just compliance checkboxes — they're becoming table stakes for business partnerships, customer contracts, and market credibility.

In short, the cost of inaction compounds quickly.

Organizations without a structured risk assessment process often:

  • Discover gaps during cybersecurity audits
  • Scramble to address compliance requirements reactively
  • Struggle to justify security investments to leadership

They're always one step behind potential threats and regulatory changes.

In this guide, we'll explain how to build cybersecurity risk assessments that satisfy compliance requirements while driving strategic business decisions.

What is cybersecurity risk assessment?

Cybersecurity risk assessment is a systematic process to identify, evaluate, and prioritize risks to your organization's information assets and data processing environments. Unlike basic security scans, comprehensive security risk assessments examine what exists on paper and what happens in practice.

Cybersecurity risk management complements enterprise risk programs but requires specialized processes tailored to technical assets, threat modeling, and regulatory needs. The broad principles are similar:

  • Risk identification: Pinpoint risks to cybersecurity assets and data processing environments. This isn't a one-time exercise — new risks emerge constantly as your technology stack evolves and threat landscapes shift.
  • Risk assessment: Evaluate identified risks based on your organization's environment and context. You'll assess both inherent risk (the initial level before security controls) and residual risk (what remains after your security measures).
  • Risk treatment: Create and implement plans to address risks through four main strategies: accept, transfer, avoid, or mitigate. The key is choosing the most effective approach for reducing or eliminating risk to your business operations.

The organization that positions cybersecurity risk management as a component of its IT Risk Management (ITRM) and Enterprise Risk Management (ERM) programs can connect the impact of such risks to broader business goals.

How to build a risk management program from scratch

A good starting point is conducting a cyber risk assessment based on established risk management frameworks like NIST CSF, ISO 27001, or SOC 2. Once you know which frameworks you need to follow, use this process to conduct a cybersecurity risk assessment:

Step 1: Identifying and scoping cybersecurity risks

Risk identification means finding the risks to the organization's information assets. It is an iterative process, and new risks will be identified over time. To capture as many risks as possible from the start, build a risk register first.

You can think about these aspects when you're identifying risks and building the risk register:

  • Data classification: Identifying the types of data handled by the organization and classifying them based on sensitivity and/or importance to the organization
  • Data processing scope: Identifying the specific assets, especially critical assets and information systems, processing environments, and storage environments in which each type of data is handled
  • Relevant third parties: Identifying vendors, providers, and other third parties involved in data processing activities
  • Specific framework requirements: Identifying specific risk management requirements of any frameworks in scope for the cybersecurity risk management program

Step 2: Assessing risks with scoring models

Once you’ve established a risk register, assess each risk individually. Risk assessments should be conducted on an ongoing basis — at least annually — to comply with most cybersecurity framework requirements.

Also, you need to consider both inherent and residual risks:

  • Inherent risk: This is the level of risk before considering any mitigating factors, like controls. Alternatively, this may be the current level of risk (including current mitigating factors) before any additional mitigation efforts.
  • Residual risk: This is the level of risk after implementing mitigation strategies, such as controls and/or additional treatment options.

To determine the calculation used to assess cybersecurity risks, you have to think about what considerations or factors you’ll include in the assessment.

A risk assessment matrix applied to each risk can be helpful at this stage. Two of the most commonly used scoring factors are Likelihood and Impact. AuditBoard's CrossComply solution also uses Strength of Controls to determine residual risk.

  • Likelihood: What is the likelihood of a risk manifesting?
  • Impact: If the risk manifests, what will the impact be to the organization?
  • Strength of controls: How effective are the organization’s controls in design and operation to mitigate risk to an acceptable level?

AuditBoard's CrossComply solution also includes a scoring consideration called the CIA Triad (NIST SP 800-16):

  • Confidentiality: This is the assurance that sensitive information is not disclosed to unauthorized individuals or processes.
  • Integrity: The quality of an IT system reflects the logical correctness and reliability of the operating system, the logical completeness of the hardware and software that implements the data protection mechanisms, and the consistency of the data structures and occurrence of the stored data.
  • Availability: Availability refers to timely, reliable access to data and information services for authorized users.

The CIA Triad is used to determine the overall likelihood and impact of each risk for both inherent and residual risk. Scores are calculated by using the following considerations:

Overall impact

The overall impact of the risk event should consider the outcome of the risk if it is realized. The impact score of the risk should reflect the CIA Triad, the potential effect on the organization, and the severity of the effect.

Overall impact — scoring scale:

  • Very Low (1)
  • Low (2)
  • Moderate (3)
  • High (4)
  • Very High (5)

Overall likelihood

Likelihood is the anticipated frequency of a data security risk manifesting within a year, regardless of the significance of the impact. The anticipated frequency of a security risk is determined based on the probability that a risk will manifest in any given year.

Overall likelihood — scoring scale:

  • Rare (1). Once a year (or less), or Rare (0%–10%)
  • Unlikely (2). Once a month, or Unlikely (10%–25%)
  • Possible (3). Once a week, or Possible (26%–50%)
  • Likely (4). Multiple times a week but less than daily, or Likely (51%–75%)
  • Certain (5). Daily or multiple times a day, or Certain (>75%)

Strength of controls

Determine the strength of the control environment. The control environment is broken down by various preventive and detective measures. The strength of the controls can be directly influenced by the business and improved with increased attention in these areas. Assign a controls rating of 1 to 5 based upon the following criteria.

Strength of controls — scoring scale:

  • Inadequate (1). There are no policies and procedures, no training, no automated controls, and no manual controls. Risks are not controlled. Testing or audits have not been performed — or if performed, results indicate inadequate controls.
  • Weak (2). Adequate policies and procedures exist. There’s weak reliance on automated controls. Effective manual controls are in place, and there is a low reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Minor observations are noted, with several noted process improvement opportunities.
  • Adequate (3). Adequate policies and procedures exist. There’s moderate reliance on automated controls. Effective manual controls are in place with low reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Minor observations are noted, with several noted process improvement opportunities.
  • Effective (4). Adequate policies and procedures exist. Automated controls are in place. Effective manual controls are in place. There’s moderate reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk. Observations noted are centered in process improvement opportunities.
  • Strong (5). Adequate policies and procedures exist. Automated controls are in place. Effective manual controls are in place. There’s effective reliance on monitoring controls. Testing or audits are performed with results indicating controls adequately protect the company from risk, with no observations.

Using the scales and scoring factors above, overall risk scores can be calculated for each risk. Again, residual and inherent risk scoring should be performed for each risk.
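The following is an added example (not AuditBoard's code or its CrossComply scoring formula) that scores a small register on the 1 to 5 Likelihood, Impact, and Strength of Controls scales above. The rules for combining them (worst-affected CIA dimension as overall impact, likelihood times impact, a linear discount for control strength, and the stoplight bands) are assumptions chosen for illustration, and the register entries are constructed.

```python
# Added example: scoring on the 1-5 Likelihood / Impact / Strength-of-Controls
# scales. The combination rules (worst CIA dimension, likelihood x impact, linear
# control discount, stoplight bands) are assumptions, not a published formula.
from dataclasses import dataclass

IMPACT = {1: "Very Low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very High"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Certain"}
CONTROLS = {1: "Inadequate", 2: "Weak", 3: "Adequate", 4: "Effective", 5: "Strong"}

def _check(value, scale, label):
    # Reject scores outside the 1-5 scale so a typo cannot silently skew the register.
    if value not in scale:
        raise ValueError(f"{label} must be one of {sorted(scale)}, got {value!r}")

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # 1-5: anticipated frequency within a year
    cia_impact: dict       # {"C": 1-5, "I": 1-5, "A": 1-5} per the CIA Triad
    control_strength: int  # 1-5: strength of the control environment

    def __post_init__(self):
        _check(self.likelihood, LIKELIHOOD, "likelihood")
        _check(self.control_strength, CONTROLS, "control_strength")
        for dim in ("C", "I", "A"):
            _check(self.cia_impact[dim], IMPACT, f"impact[{dim}]")

def overall_impact(risk):
    # Assumption: overall impact is the worst-affected CIA dimension.
    return max(risk.cia_impact.values())

def inherent_score(risk):
    # Inherent risk before controls: likelihood x impact, range 1-25.
    return risk.likelihood * overall_impact(risk)

def residual_score(risk):
    # Assumption: Inadequate (1) leaves the inherent score unchanged; each step
    # up the controls scale removes one fifth of it, so Strong (5) leaves 1/5.
    return inherent_score(risk) * (6 - risk.control_strength) / 5

def stoplight(score):
    # Assumed reporting bands on the 1-25 scale (the "stoplight colors" of Step 4).
    return "Red" if score >= 15 else "Amber" if score >= 8 else "Green"

def score_register(risks):
    # Score every register entry and order by residual risk, highest first.
    rows = []
    for r in risks:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({"name": r.name, "controls": CONTROLS[r.control_strength],
                     "inherent": inh, "inherent_rating": stoplight(inh),
                     "residual": res, "residual_rating": stoplight(res)})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)

# Constructed sample register entries for illustration (not from the article).
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", 4, {"C": 5, "I": 3, "A": 2}, 4),
    Risk("Backup media lost in transit", 1, {"C": 2, "I": 1, "A": 2}, 5),
    Risk("Unpatched internet-facing server", 3, {"C": 4, "I": 4, "A": 4}, 1),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(row)
```

Note how the unpatched server with Inadequate controls keeps its full inherent score as residual and rises to the top, while the phishing risk drops from Red to Amber once Effective controls are credited.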

Step 3: Choosing the right risk treatment method

Organizations have multiple options for treating risks and should choose the option that is the most effective at reducing or eliminating the risk to the organization. Common treatment options include:

  • Accept: The organization has decided the risk to the organization is minimal and/or further mitigation options are not available. Accepted risks should be reassessed periodically to ensure the associated risk level has not increased beyond acceptable levels.
  • Avoid: The activities causing risk to the organization are not essential business functions and can be stopped.
  • Transfer: Ideally, risks are transferred to third parties that can reduce the risk to the organization. Transferred risks should be reassessed periodically to ensure the associated risk level with the third party has not increased beyond acceptable levels.
  • Mitigate: The organization has determined steps that can be taken to reduce the risk to the organization, including the implementation of mitigating controls. Mitigated risks should be reassessed upon implementation of remediation plans to ensure an acceptable reduction in the level of risk.

Step 4: Creating a proper risk reporting capability

You have to make sure you can report on the kinds of risks that could impact your organization at any time. Without this information, you won't be able to build a proper risk management program.

Here are a few things you could consider for this purpose:

  • Defined scale: Use consistent scoring scales aligned with other organizational risk activities, with visual cues like stoplight colors for clarity.
  • Compliance alignment: Include which risks impact specific frameworks or regulations, especially those affecting upcoming audits.
  • Frequency of assessments: Conduct assessments regularly and increase frequency as programs mature to capture changing risk conditions.
  • Risk scoring inputs: Define how scores are calculated, including factors, threats, and inputs to build stakeholder confidence.
  • Treatment decisions: Document risk treatment choices for executive alignment, and require leadership approval for changes.
  • Risk remediation: Track open remediation activities with ownership, timelines, and regular progress updates to maintain accountability.
  • Reporting levels: Tailor reports for different audiences, giving tactical teams actionable tasks while providing executives strategic insights.

How frameworks like NIST, ISO, and SOC 2 handle risk management

While most cybersecurity frameworks align at a high level with what is required around risk management, it’s important to understand there are some differences in the level of detail in what is required. Below, we list common cybersecurity frameworks and the specific requirements around risk management included in each.

SOC 2

  • CC3.1 — Includes risk tolerance considerations in operations
  • CC3.2 — Includes the following in risk management:
    • Risk at relevant levels of the organization
    • Internal and external factors affecting risk
    • Involves appropriate levels of management
    • Estimates significance of risks (risk scoring)
    • Risk treatment decisions (see Step 3: Choosing the right risk treatment method)
  • CC3.3 — Includes potential for fraud in risk assessments
  • CC5.1 — Control implementation is used for risk mitigation
  • CC9.1 — Considers the following related to business disruption:
    • Performs business continuity/disaster recovery planning
    • Considers insurance to mitigate financial risk
  • CC9.2 — Includes management of third-party risk

PCI 4.0

  • 12.3 — Risk management program for the Cardholder Data Environment (CDE)
  • 12.3.1 — Targeted risk analysis is performed for each PCI requirement that allows variability
  • 12.3.2 — Targeted risk analysis is performed for each PCI requirement where the customized approach is used
  • A2.1.2 (Only for organizations using SSL or early versions of TLS) — Risks associated with SSL/early TLS are managed

NIST CSF

  • ID.RA, ID.RM, ID.RM-1 — Risks to the organization are managed
  • ID.RA-5 — Threats, vulnerabilities, likelihood, and impact are included in risk management activities
  • ID.RA-6 — Risk responses are identified and prioritized
  • ID.RM-2, ID.RM-3 — Risk tolerances are established and justified

NIST 800-53

  • CA-7(4) — Include risk monitoring in ongoing monitoring
  • PM-9 — Develop a risk management strategy
  • PM-28 — Ensure risks are framed in context of the organization
  • PM-29 — Ensure risk leadership roles are identified
  • PM-30 — Implement a supply chain risk management strategy
  • RA-3, RA-3(1), RA-3(2), RA-3(4) — Conduct a risk assessment
  • RA-7 — Develop an incident response plan
  • SA-9(1) — Conduct a risk assessment prior to engaging third parties

NIST 800-171

  • 3.11.1 — Periodically assess risk to organizational operations
  • 3.11.3 — Remediate identified vulnerabilities

HIPAA

  • 164.308(a)(1)(ii)(A) — Conduct an assessment of risks to the CIA of ePHI
  • 164.308(a)(1)(ii)(B) — Implement a program to manage risks through mitigation strategies

CMMC

  • RM.2.141, RM.3.144 — Periodically assess risk to organizational operations
  • RM.2.143 — Remediate identified vulnerabilities
  • RM.3.146 — Develop and implement risk mitigation plans
  • RM.4.148 — Develop and implement a third-party risk management plan

COSO

  • Principle 10. PoF-1 — Integrates control activities into risk assessments
  • Principle 6. PoF-2, Principle 6. PoF-15 — Considers tolerances for risk
  • Principle 7, Principle 7. PoF-4 — Identifies and analyzes risk
  • Principle 7. PoF-5 — Identifies plans for responding to risk
  • Principle 8 — Assesses fraud risk

23 NYCRR 500 (NYDFS)

  • 23NYCRR500: 500.09 — Conduct a periodic risk assessment

CCPA

  • No specific requirements; recommended as best practice

GDPR

  • No specific requirements; however, risks to processing activities must be taken into consideration in defining operational activities

CIS Controls v8

  • No specific requirements; however, specific requirements exist around vulnerability management and supplier risk management

How AuditBoard supports cybersecurity risk assessments

It’s common for organizations of all sizes to work with a hundred different spreadsheets when they’re conducting such an audit. But why use that approach when there are better options available?

Here’s how AuditBoard’s connected risk management platform can help:

1. Centralize risk data and create a risk register

AuditBoard creates unified visibility by connecting risk information from audit, compliance, and security teams in one assessment tool. Changes in one area automatically update throughout the system via a common data core.

When your team adds a new risk or updates a control, that information flows immediately to related assessments, reports, and dashboards. As a result, you don't have to deal with version control issues or data silos that are common with traditional risk programs.

The platform maintains comprehensive audit trails so you can track how risks evolve. You'll see who made changes, when they occurred, and how they affect related risk calculations. This risk data helps you build confidence in your assessments and make accurate organization-wide changes.

2. Automate risk scoring with built-in intelligence

Manual risk scoring takes too much time and introduces inconsistencies and errors.

AuditBoard automates these calculations using configurable methods that incorporate likelihood, potential impact, and control strength factors. The platform applies your scoring criteria consistently across all risks, enabling accurate comparisons and risk analysis.

When your control testing reveals new gaps or improvements, these risk scores adjust in real time. This way, you can be sure that your risk assessments reflect the realities of your business at any given point in time.

3. Map reusable controls to multiple frameworks using a centralized control library

Typically, organizations maintain separate control libraries for each standard. That's not necessary when you use AuditBoard. In the platform, you can map controls to frameworks like NIST CSF, ISO 27001, SOC 2, etc. You can set it and forget it — and the platform automates evidence collection all at once.

If a regulation changes, you can update the relevant control, and the change applies everywhere that control is mapped. As a result, you're not stuck duplicating work across the board and can stay ahead of every risk.

And you can create role-based workflows to review, change, or approve these controls as and when they change.

Use security questionnaire automation to reduce manual burden

Security questionnaires consume your infosec team’s bandwidth without adding strategic value to your risk program.

Organizations typically spend dozens of hours monthly responding to vendor assessments, customer security reviews, and partner due diligence requests. But the problem is that they’re all asking similar questions about your security posture and compliance status.

AuditBoard turns this reactive process into an automated workflow that actually strengthens your risk management capabilities. The platform maintains a dynamic knowledge base that maps your security controls and policies directly to framework requirements like NIST CSF, ISO 27001, and SOC 2.

When security questionnaires arrive, it automatically populates responses using your current control documentation and evidence. If regulations change or your security posture changes, you update the relevant controls once, and those changes propagate across all future questionnaires.

In short: you can set it and forget it with AuditBoard.

Start conducting risk assessments that are faster, smarter, and built for real-world compliance. See AuditBoard’s CrossComply in action.

Frequently asked questions

What are the principles of cybersecurity risk management?

Cybersecurity risk management has three core principles:

  • Risk identification (identifying risks to cybersecurity assets and data processing environments)
  • Risk assessment (assessing identified risks, including inherent and residual risk)
  • Risk treatment (creating plans to treat risks through transferring, avoiding, accepting, and mitigating)

How often should an organization conduct a cybersecurity risk assessment?

You need to conduct risk assessments continuously instead of relying on point-in-time assessments. Ideally, you check quarterly that you have all the information and evidence you need, even if regulatory frameworks only require annual audits.

What are the 5 things a risk assessment should include?

A comprehensive cybersecurity risk assessment should include:

  1. Risk identification covering data classification, processing scope, and third-party relationships
  2. Risk evaluation using a consistent scoring methodology for likelihood, impact, and control strength
  3. Framework alignment that ensures compliance with applicable standards like NIST CSF, GDPR, HIPAA, IEC, PCI DSS, or SOC 2
  4. Treatment decisions documenting how each risk will be accepted, transferred, avoided, or mitigated
  5. Reports for stakeholders, including executives, technical teams, and board members

About the authors


Tony Luciani is a Strategic Account Executive, EMEA at AuditBoard. Prior to AuditBoard, Tony served as IT Risk and Compliance Lead at Sony Pictures. As a former InfoSec consultant, PCI QSA, and HITRUST Assessor, his experience ranges from performing gap/attestation assessments (i.e. NIST, ISO, CIS, SOC2, PCI, HITRUST, etc.) to facilitating IT risk management programs for customers across multiple industries. Connect with Tony on LinkedIn.
