IT Risk Assessments: A Process Your CIO or CISO Will Thank You For

This article originally appeared on the ISACA Blog.

Information technology (IT) risk assessments focus attention on critical information assets, highlight connections between cyber threats and risks, and map key controls to known threats. Assessing IT risk also demonstrates compliance with regulations and adherence to frameworks. Finally, IT risk assessments provide leaders with a basis for decision-making, including prioritizing security investments.

Here, we explore the best practices for conducting an IT risk assessment and break down six steps to identify and quantify risk.

Best Practices for Your Next IT Risk Assessment

Adopting the following best practices helps to ensure success:

  • Incorporate industry-leading controls guidance into your security risk assessment framework.
  • Integrate IT risk assessment with operational and enterprise risk assessment programs.
  • Map business risks to relevant threats, controls, and assets.
  • Articulate a security risk tolerance that aligns to the organization’s goals and objectives.
  • Align enterprise risk with security operations (SecOps) to improve the long-term security posture of the organization against real-world threats. A criticism of traditional enterprise risk assessments is that they aren’t always as grounded in real-world threats to assets as SecOps usually is — but it doesn’t have to be this way!

IT Risk Assessment in Six Steps

Following these six key steps will help you identify and quantify residual risk — ultimately helping risk owners make informed decisions and enabling leaders to make appropriate risk management investments.

  1. Understand the business. This includes understanding the impact of security on the organization’s progress toward its business objectives as well as considering risk management in the context of business outcomes.
  2. Analyze business impacts. A business impact analysis articulates stakeholders’ determination of the criticality and impact levels of each asset.
  3. Recognize data’s criticality to risk. Understanding the organization’s goals and objectives will determine what data is most critical. You can use this information to classify data down to the asset level.
  4. Look beyond regulated data. While regulated data remains a critical consideration, consider other information that creates risk for the business. Trade secrets are one example of data that isn’t typically regulated, but whose loss would create significant impacts.
  5. Calculate your security risk. Consider the impact and likelihood of risks to critical assets. These might be financial, reputational, regulatory, or other risks. Determine which key controls are most helpful in reducing these risks. Evaluate the strength of the controls in place to manage those risks, and identify the residual risk that remains after taking existing controls into account. Create risk treatment plans to address any residual risk that exceeds leaders’ risk appetites. And remember, risk isn’t static. It can go up or down as new assets are acquired or deprecated, and as subsequent controls testing demonstrates improvement or degradation in the control environment.
  6. Put risk in a financial context. Risk can be quantified as loss: loss of revenue, regulatory fines, reputational damage that depresses sales and share prices, and impaired performance of the organization.
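To make steps 5 and 6 concrete, the following is an added example (not code from the article, ISACA, or AuditBoard) of a small risk register that scores inherent risk from impact and likelihood, applies a control-effectiveness factor to obtain residual risk, flags entries that exceed a stated risk appetite, and expresses the residual exposure as an annualized dollar loss. The scoring model itself is an assumption chosen for the example: 1-5 ordinal scales for impact and likelihood, inherent score = impact x likelihood, control effectiveness as a 0-1 factor that reduces the likelihood side, and annualized loss = single-loss estimate x expected annual frequency. The assets, scenarios, and figures are constructed sample data.

```python
"""Illustrative risk register for the 'calculate your security risk' and
'put risk in a financial context' steps.

Added example, not the article's or AuditBoard's code. The scoring model is
an assumption made for this example: impact and likelihood on 1-5 scales,
inherent score = impact x likelihood, control effectiveness as a 0-1 factor
that reduces the likelihood side, and an annualized loss figure
(single-loss estimate x expected annual frequency) for the financial view.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    scenario: str
    impact: int                   # 1 (negligible) .. 5 (severe), from the business impact analysis
    likelihood: int               # 1 (rare) .. 5 (almost certain), before controls
    control_effectiveness: float  # 0.0 (no working control) .. 1.0 (fully mitigates)
    single_loss_usd: float        # estimated loss per occurrence
    annual_frequency: float       # expected occurrences per year, before controls

    def inherent_score(self) -> int:
        """Risk with no credit taken for controls (1..25)."""
        return self.impact * self.likelihood

    def residual_score(self) -> float:
        """Risk remaining after existing controls are taken into account."""
        return self.inherent_score() * (1.0 - self.control_effectiveness)

    def residual_annual_loss(self) -> float:
        """Expected annual loss in dollars after controls (the financial view)."""
        return self.single_loss_usd * self.annual_frequency * (1.0 - self.control_effectiveness)


def needs_treatment(risk: Risk, appetite: float) -> bool:
    """A treatment plan is required when residual risk exceeds the stated appetite."""
    return risk.residual_score() > appetite


def build_register(risks, appetite: float):
    """Return register rows sorted by residual annual loss, highest first,
    so the largest remaining exposures head the investment discussion."""
    rows = []
    for r in risks:
        rows.append({
            "asset": r.asset,
            "scenario": r.scenario,
            "inherent": r.inherent_score(),
            "residual": round(r.residual_score(), 2),
            "residual_annual_loss_usd": round(r.residual_annual_loss(), 2),
            "treat": needs_treatment(r, appetite),
        })
    rows.sort(key=lambda row: row["residual_annual_loss_usd"], reverse=True)
    return rows


def rescore(risk: Risk, new_effectiveness: float) -> Risk:
    """Risk is not static: re-score after a controls test shows a control has
    strengthened or degraded. Returns a new Risk so the prior score is kept."""
    return Risk(risk.asset, risk.scenario, risk.impact, risk.likelihood,
                new_effectiveness, risk.single_loss_usd, risk.annual_frequency)


# Constructed sample data; assets, scenarios and figures are invented for illustration.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware encrypts production data", 5, 4, 0.60, 2_000_000, 0.5),
    Risk("trade-secret repository", "insider exfiltrates unregulated IP", 4, 3, 0.25, 5_000_000, 0.2),
    Risk("marketing website", "defacement", 2, 3, 0.50, 50_000, 1.0),
]
RISK_APPETITE = 6.0  # residual score leaders have said they will accept (assumed value)


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, RISK_APPETITE):
        flag = "TREAT" if row["treat"] else "accept"
        print(f'{row["asset"]:<26} inherent={row["inherent"]:>2} residual={row["residual"]:>5} '
              f'loss/yr=${row["residual_annual_loss_usd"]:>12,.0f} {flag}')
```

Two points the table makes that the prose alone does not: the trade-secret repository has a lower inherent score than the customer database but a higher residual score and the largest expected annual loss, because its controls are weak and its per-event loss is large, which is exactly the unregulated-data case called out in step 4; and re-running `rescore` after a controls test changes the treatment decision without touching the rest of the register.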

Effectively Manage IT Risk

Assessing IT risk brings critical information assets, threats, risks, and controls into focus while informing security investment priorities and supporting compliance. Compliance management software supports IT risk assessments by providing the means to track performance and guide risk-based decisions, support IT risk management, monitor progress against plans, and create a meaningful basis for leaders’ investment decisions in security and compliance.


Richard Marcus, CISA, CRISC, CISM, TPECS, is VP, Information Security at AuditBoard, where he is focused on product, infrastructure, and corporate IT security, as well as leading the charge on AuditBoard’s own internal compliance initiatives. In this capacity, he has become an AuditBoard product power user, leveraging the platform’s robust feature set to satisfy compliance, risk assessment, and audit use cases. Connect with Richard on LinkedIn.


John Volles, CISA, is a Director of Information Security Compliance responsible for managing AuditBoard’s compliance, risk, and privacy obligations as well as helping customers understand AuditBoard’s security posture and position. John joined AuditBoard from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.