The specific approach taken will depend on the organisation and any particular requirements it may have; however, a typical risk assessment will include the following:
- Asset Management Review – Identify and utilise the existing asset management process if one is available, or perform initial asset inventory activities if not.
- Vulnerability Assessment – Review and understand the vulnerabilities relevant to the assets under consideration. This may be at a high level, depending on the scope of the engagement and the time available.
- Threat Assessment – Identify the threats likely to lead to compromise of the asset through the vulnerabilities determined.
- Impact & Likelihood Assessment – Determine the potential impact and likelihood of a given threat and vulnerability combination leading to a compromise of the asset.
- Control Gap Analysis – If appropriate, determine where controls are already in place to manage identified risks, where existing controls can be extended to manage them, and where new controls are needed.
- Reporting – Production of a risk assessment report that can be used to inform risk management decisions, to determine controls, or to prioritise other assessment activities.
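The steps above, carried through as one worked example in Python. This is an added illustration, not a tool or method from the page or any particular organisation: the asset names, vulnerabilities, controls, the 3-point low/medium/high scale and the risk appetite threshold of 4 are all constructed assumptions. It scores each asset/vulnerability/threat combination (impact × likelihood), applies the controls actually deployed on that asset to get a residual score, classifies each risk as the control gap analysis step does (already managed, extend an existing control, or new control needed), and sorts the result into a prioritised report.

```python
"""Toy risk register: asset -> vulnerability -> threat -> impact/likelihood -> control gaps -> report.
All data below is constructed for illustration (hypothetical assets, controls and scale)."""
from dataclasses import dataclass

# Assumed ordinal scale shared by likelihood and impact (hypothetical)
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: frozenset        # vulnerability identifiers this control addresses
    deployed_on: frozenset      # assets where the control is actually in place
    reduction: int = 1          # likelihood levels removed where the control applies


@dataclass(frozen=True)
class Risk:
    asset: str
    vulnerability: str
    threat: str
    likelihood: str             # key into LEVEL
    impact: str                 # key into LEVEL


def inherent_score(risk: Risk) -> int:
    """Impact & likelihood assessment with no controls considered."""
    return LEVEL[risk.likelihood] * LEVEL[risk.impact]


def applicable_controls(risk: Risk, controls) -> list:
    """Controls that address this vulnerability, deployed on the asset or not."""
    return [c for c in controls if risk.vulnerability in c.mitigates]


def residual_score(risk: Risk, controls) -> int:
    """Score after controls deployed on this asset reduce likelihood (floor of 1)."""
    applied = [c for c in applicable_controls(risk, controls) if risk.asset in c.deployed_on]
    likelihood = max(1, LEVEL[risk.likelihood] - sum(c.reduction for c in applied))
    return likelihood * LEVEL[risk.impact]


def gap_status(risk: Risk, controls, appetite: int = 4) -> str:
    """Control gap analysis: in place / extend existing / new control needed."""
    applicable = applicable_controls(risk, controls)
    applied = [c for c in applicable if risk.asset in c.deployed_on]
    if residual_score(risk, controls) < appetite:
        return "managed by existing controls" if applied else "within risk appetite"
    candidates = [c.name for c in applicable if risk.asset not in c.deployed_on]
    if candidates:
        return "extend existing control: " + ", ".join(candidates)
    return "new control needed"


def build_report(risks, controls, appetite: int = 4) -> list:
    """Reporting step: one row per risk, highest residual (then inherent) first."""
    rows = [{
        "asset": r.asset, "vulnerability": r.vulnerability, "threat": r.threat,
        "inherent": inherent_score(r), "residual": residual_score(r, controls),
        "action": gap_status(r, controls, appetite),
    } for r in risks]
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"], row["asset"]))
    return rows


# Constructed sample register (hypothetical assets and controls)
CONTROLS = (
    Control("patch management", frozenset({"unpatched service"}),
            frozenset({"customer-db", "marketing-site"}), reduction=1),
    Control("mfa on admin accounts", frozenset({"weak admin credentials"}),
            frozenset({"customer-db"}), reduction=2),
)
RISKS = (
    Risk("customer-db", "unpatched service", "external attacker exploits known flaw", "high", "high"),
    Risk("customer-db", "weak admin credentials", "credential stuffing", "medium", "high"),
    Risk("marketing-site", "weak admin credentials", "credential stuffing", "medium", "medium"),
    Risk("marketing-site", "outdated CMS plugin", "defacement", "high", "low"),
)

if __name__ == "__main__":
    for row in build_report(RISKS, CONTROLS):
        print(f"{row['residual']:>2} (inherent {row['inherent']})  {row['asset']:<15} "
              f"{row['vulnerability']:<25} {row['action']}")
```

Note how the three gap outcomes fall out of the constructed data: the patched but still high-scoring database needs a new control, the marketing site can reuse the MFA control already deployed elsewhere, and the remaining two are within appetite. In a real engagement the scale, appetite and reduction values would come from the organisation's own risk framework rather than being hard-coded.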