There are many different ways to assess risk, some of which are better suited to cyber risk management than others. Where possible, the consultant team will endeavour to make use of an organisation's established risk assessment process to ensure that findings can be more readily adopted and incorporated into risk management processes, however, where this is not possible, they will use recognised standard approaches appropriate to the engagement.
The specific approach taken will depend on the organisation, and any specific requirements that they may have, however, a typical risk assessment will include the following:
- Asset Management Review – Identify and utilise existing asset management process if available, or perform initial asset inventory activities if not.
- Vulnerability Assessment – Review and understand the vulnerabilities relevant to the assets under consideration. This may be at a high level, depending on the scope of the engagement and the time available.
- Threat Assessment – Understanding of the likely threats that would lead to compromise of the asset, through the vulnerabilities determined.
- Impact & Likelihood Assessment – Determine the potential impact and likelihood of a given threat and vulnerability combination leading to a compromise of the asset.
- Control Gap Analysis – If appropriate, determine where existing controls can be used to manage identified risks, where controls are needed, or where controls are already in place to manage risks.
- Reporting – Production of a risk assessment report that can be used to inform risk management decisions, to determine controls, or to prioritise other assessment activities.