What is a security risk assessment?

A security risk assessment is part of an organization’s overall risk management process. Its goal is to identify security risks to the company’s electronic and physical assets and to take appropriate actions that reduce the identified risks to an acceptable level.

There are several terms that are used to describe the process including:

  • Cybersecurity risk assessment
  • Information security risk assessment
  • IT security risk assessment
  • Risk analysis

Although there are some academic differences among these terms, mainly related to their scope, they all have the same ultimate goal and take a similar approach. There are several different methodologies for conducting security risk assessments, with NIST 800-30 and ISO 27005 being the most popular ones.

Why conduct security risk assessments?

Following minimum compliance requirements does not protect an organization from all security risks. However, conducting a security risk assessment lets the company learn where its highest risks are, which helps it understand and prioritize its security spending. This knowledge, in turn, reduces the likelihood that certain events will jeopardize the confidentiality, integrity, or availability of the company’s data. Additionally, the results of a risk assessment are critical for defining, evaluating, and improving the company’s information security strategy.

Furthermore, conducting security risk assessments is required by several regulations, security certifications, and audits, including HIPAA, SOC 2, ISO 27001, HITRUST, GDPR, and PCI DSS. Companies subject to these compliance requirements must conduct periodic security risk assessments. While conducting annual risk assessments is a common practice — and often a compliance requirement — a risk assessment should also be conducted whenever business processes, technologies, data flows, or regulatory requirements change.

How can Planet 9 help?

Planet 9, a San Francisco Bay Area-based organization, employs seasoned professionals with years of experience in various private industries, including e-commerce, finance, healthcare, manufacturing, and technology. We have former Chief Information Security Officers and compliance managers who have personally been accountable for security risk management. We use industry-standard frameworks, such as NIST or ISO, to develop and execute a repeatable risk management process. A typical approach consists of the following steps:

  • Conduct a discovery to understand the client’s people, processes, and technologies
  • Perform an analysis to identify all potential threats and vulnerabilities that may lead to security risks
  • Estimate threats’ likelihood (probability) and impact
  • Identify existing controls that the organization has implemented to mitigate the risks
  • Identify residual risks and remaining control gaps
  • Prioritize the severity of the identified risks
  • Provide recommendations and approaches for addressing identified risks
  • Develop a remediation plan for mitigating the identified risks
  • Assist the client in executing the remediation plan
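To make the likelihood/impact, existing-control, residual-risk and prioritization steps above concrete, here is an added example of a minimal risk register in Python. It is not Planet 9’s tooling or methodology; the 3-point qualitative scales, the multiplicative control-effectiveness model, the severity bands and the sample register entries are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed 3-point qualitative scales in the style of NIST 800-30 (constructed for this example).
SCALE = {"low": 1, "medium": 2, "high": 3}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: str       # "low" | "medium" | "high"
    impact: str           # "low" | "medium" | "high"
    controls: tuple = ()  # (control name, assumed effectiveness between 0.0 and 1.0)

def inherent_score(risk):
    """Likelihood x impact before existing controls are considered (1..9)."""
    return SCALE[risk.likelihood] * SCALE[risk.impact]

def residual_score(risk):
    """Inherent score reduced multiplicatively by each existing control's assumed effectiveness."""
    remaining = 1.0
    for _name, effectiveness in risk.controls:
        remaining *= 1.0 - effectiveness
    return round(inherent_score(risk) * remaining, 2)

def severity(score):
    """Band a numeric score into the qualitative levels used for prioritization."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def prioritize(register, acceptable="medium"):
    """Rank risks by residual score; flag those still above the acceptable level as control gaps."""
    rows = []
    for risk in sorted(register, key=residual_score, reverse=True):
        residual = residual_score(risk)
        rows.append({
            "threat": risk.threat,
            "inherent": inherent_score(risk),
            "residual": residual,
            "severity": severity(residual),
            "control_gap": SEVERITY_RANK[severity(residual)] > SEVERITY_RANK[acceptable],
        })
    return rows

# Constructed sample risk register (not real client data).
REGISTER = [
    Risk("Phishing", "No MFA on email", "high", "high", (("Awareness training", 0.3),)),
    Risk("Ransomware", "Unpatched servers", "high", "high", (("Patch management", 0.6), ("Offline backups", 0.5))),
    Risk("Lost laptop", "No disk encryption", "medium", "high"),
    Risk("Power outage", "Single data center", "low", "medium", (("UPS", 0.5),)),
]
```

Calling `prioritize(REGISTER)` returns the register ranked by residual risk, with "Phishing" and "Lost laptop" flagged as control gaps because their residual severity is still above the assumed acceptable level of "medium".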

Depending on the expertise and availability of the client’s internal resources, Planet 9 either positions the client’s team to execute the remainder on its own or supplements that team directly.