Risk Assessment Process


A risk assessment should be completed at least annually and is core to the information security process.

The risk assessment framework is a tool to help identify material weaknesses and prioritize areas for improvement. A risk assessment is also a great tool for demonstrating your awareness of the scenarios that could result in loss of confidentiality, integrity, or availability of sensitive data. If these scenarios are well documented, assessed, and mitigated, it becomes easier to build trust with stakeholders.

Risk can live in all areas of the business, so the risk assessment should consider many topics, including people, processes, and technology.


A strong risk assessment will have a clear focus. Consider the scope of the ISMS and make sure the risk assessment is focused on the people, processes, and technologies that are covered by the ISMS.


At a minimum, the security team should be involved in the annual risk assessment. Other teams that often have ideas in terms of risk identification, assessment, and mitigation are:

  • Engineering
  • Site Reliability
  • Customer Support
  • People Operations
  • Legal
  • Operations


Participating individuals should be sent a communication 1-2 weeks prior to the risk assessment, encouraging them to consider the top information security risks that the company faces at this point in time.

Consider asking participants to individually answer 50-60 questions in one of the following calibration tests. (Research suggests that calibrating your ability to forecast prior to forecasting can help level results across participants.)

Risk Identification

A strong risk assessment will identify risks from across the business that could impact the confidentiality, integrity, and availability of sensitive data. Aptible has a starting template of risks that can be made available upon request.

The more specific a risk statement is, the more targeted the mitigation and response can become. You can consider facilitating a session and asking the questions below to help document additional risks:

  • What security risks could impact our ability to achieve our objectives as a company?
  • What events would lead to loss of confidentiality of critical data or services?
  • What events would lead to loss of integrity of critical data or services?
  • What events would lead to loss of availability of critical data or services?
  • What tools, technologies, and vendors do we rely on that may introduce risk?
  • What changes in the external environment may impact the organization?
  • What keeps you up at night as it relates to an internal process or procedure?

Risk Assessment

When it comes time to assess each risk, this article will help with the mechanical steps in the Comply application.

Assessing each risk allows you to objectively prioritize which risks need action taken.

Risk Response

For each risk, a response should be chosen:

  • Accept the risk by not acting;
  • Mitigate the risk by implementing a security control to lessen the impact of the threat event or the likelihood of the threat event occurring;
  • Avoid the risk by acting in a way that prevents the threat from occurring (e.g., for the threat event that a phishing attack is successful because 2FA is disabled, we might avoid the risk by requiring use of 2FA);
  • Transfer the risk that the threat occurs to another party (e.g., if one threat is related to us creating our own internal messaging system, we might instead purchase the use of a third-party messaging system); or
  • Share the risk by transferring a portion of the risk to a third party.

If a risk will be accepted, it is important to log a rationale in the notes field outlining why the risk is being accepted.

Risks that are being mitigated should be linked to the corresponding policies and controls in Comply under the Control Responses column.

Risk Treatment

The risk assessment is a great tool for prioritizing security projects and risk treatments to take on over the course of the next year.

If a risk is above an acceptable level, or there are known weaknesses in the controls, use the "Open Ticket" function to track a risk treatment.


Each risk treatment should have a clear owner and due date so you can demonstrate commitment to improving your security program over time.

Next Up

Get an overview of the risk tool within Aptible Comply