Information Security Risk Assessment


Understanding your risks for an effective security program

Yuval Yelin


One of the first things I do when I join a company is conduct a full information security risk assessment. Such an assessment covers all aspects of information security and gives both the CISO (me) and the company an up-to-date picture of its information security status.

It doesn't end there, of course. An information security risk assessment is an iterative process that must be repeated at least annually, if not more often.

So how do you execute this process?
There are many frameworks for it: NIST CSF, ISO 27001, OCTAVE and many local initiatives. Choose the framework that fits your organization best. Even after choosing the framework you want to work with, you still have the flexibility to remove criteria that are not relevant to your organization and to add others that do fit but are not included.

How do you manage the information security risk assessment?
Many of my colleagues use a spreadsheet like Microsoft Excel. We, as you can imagine, use for that purpose.


Figure 1: Information Security Risk Assessment board

Information Security Risk Assessment Process

As written above, the first step in your information security risk assessment is choosing the framework you want to work with. We chose NIST CSF (Cybersecurity Framework) since its control-based approach fits us best.

Next, I decided which assets we would assess against this framework. I assessed the information security controls implemented at the organizational level, and then assessed them against more granular criteria: CIA (Confidentiality, Integrity, Availability), Infrastructure Security, Application Security and Physical Security.
For each control, I assessed its relevancy, at the organizational level and to each of the criteria, and its level of implementation. I did this by interviewing stakeholders and technical staff, and by reviewing past projects and future work plans.
The risk level was calculated as the sum of the relevancy level and the implementation level. The higher the number, the lower the risk.
For example: if a control's relevancy is Critical (1) and its level of implementation is Partially implemented (2), then the risk level is Medium (3).

KPIs and Insights

The conservative approach to risk assessment is that the highest risk level identified in the assessment is the risk level of the company. Therefore, even if you find only one control whose risk level is critical, the company's risk level is critical too. This is logically sound: if that risk materializes, the organization may cease to exist.

In order to assess our risk more accurately and get a more granular view, we decided to calculate two further risk levels:

  • For each category (risk/asset) we calculated an average risk level.
  • We calculated a weighted average of all the category grades and came out with a calculated company risk level.
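As an added example, not the author's board or spreadsheet and not code from the page, here is the scoring model from the previous section (risk = relevancy level + implementation level, where a higher number means lower risk) together with the three indicators described above: the conservative "worst control" level, the per-category averages and the weighted company level. Only Critical = 1, Partially implemented = 2 and 3 = Medium come from the page; the remaining scale values, the bands, the category weights and the sample control register are assumptions constructed for the example.

```python
"""Added example: the additive risk scoring model and the KPIs derived from it.
Only Critical = 1, Partially implemented = 2 and score 3 = Medium come from the
page; every other scale value, band, weight and sample control is assumed."""
from statistics import mean

# Relevancy of a control to the organization: 1 is the most relevant (assumed scale).
RELEVANCY = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4}
# Level of implementation: higher is better implemented (assumed scale).
IMPLEMENTATION = {"Not implemented": 0, "Partially implemented": 2, "Implemented": 4}
# Score -> label (assumed bands, chosen so that 3 maps to Medium as on the page).
# A score <= threshold gets the label; anything above the last threshold is Low.
BANDS = ((1, "Critical"), (2, "High"), (4, "Medium"))


def risk_score(relevancy, implementation):
    """Risk score = relevancy level + implementation level (higher = lower risk)."""
    return RELEVANCY[relevancy] + IMPLEMENTATION[implementation]


def risk_band(score):
    """Map a numeric score back to a risk label."""
    for threshold, label in BANDS:
        if score <= threshold:
            return label
    return "Low"


# Constructed sample register: (control, category, relevancy, implementation).
# Control names paraphrase NIST CSF subcategories; the ratings are invented.
CONTROLS = [
    ("Identities and credentials are managed", "Infrastructure Security", "Critical", "Partially implemented"),
    ("Network is monitored for security events", "Infrastructure Security", "High", "Not implemented"),
    ("Data at rest is protected", "Application Security", "High", "Implemented"),
    ("Backups are maintained and tested", "Application Security", "Critical", "Not implemented"),
    ("Physical access to assets is controlled", "Physical Security", "Medium", "Implemented"),
]

# Assumed category weights for the company-level KPI; they must sum to 1.
WEIGHTS = {"Infrastructure Security": 0.5, "Application Security": 0.3, "Physical Security": 0.2}


def scored(controls):
    """Attach the numeric score to every control."""
    return [(name, cat, risk_score(rel, impl)) for name, cat, rel, impl in controls]


def conservative_level(controls):
    """Conservative KPI: the company is as risky as its single worst control."""
    return risk_band(min(score for _, _, score in scored(controls)))


def category_averages(controls):
    """Average score per category (a higher average means lower risk)."""
    by_category = {}
    for _, cat, score in scored(controls):
        by_category.setdefault(cat, []).append(score)
    return {cat: mean(scores) for cat, scores in by_category.items()}


def company_level(controls, weights):
    """Weighted average of the category averages."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("category weights must sum to 1")
    averages = category_averages(controls)
    return sum(averages[cat] * weight for cat, weight in weights.items())


def highest_risks(controls, n=3):
    """The n controls with the lowest scores: where the work plan should start."""
    return sorted(scored(controls), key=lambda row: row[2])[:n]


if __name__ == "__main__":
    print("Conservative company level:", conservative_level(CONTROLS))
    for cat, avg in category_averages(CONTROLS).items():
        print(f"{cat}: average {avg:.2f} ({risk_band(round(avg))})")
    level = company_level(CONTROLS, WEIGHTS)
    print(f"Weighted company level: {level:.2f} ({risk_band(round(level))})")
    for name, cat, score in highest_risks(CONTROLS):
        print(f"  {score} {risk_band(score):<8} {cat}: {name}")
```

Note the difference between the two company-level indicators on the sample data: the conservative level is Critical because one control scores 1, while the weighted average is 3.7, i.e. Medium. Both are worth reporting; the first tells management how bad the worst case is, the second tracks progress as controls move from partially to fully implemented.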

Figure 2: Risk assessment main indicators (proprietary information was removed)

Using the calculated risk levels allows us to monitor our progress both at the company level and in different categories.

This process also helped us identify the highest risks on the one hand, and the low-hanging fruit on the other.

What are the next steps?

An information security risk assessment is the cornerstone of your information security work plan. After you've identified your risks, you'll need to plan how to address them according to their severity and the effort needed to address them.
The risk treatment plan can draw on any of the standard risk treatment options:

  • Risk elimination/avoidance – Implementing a different workflow that eliminates the risk.
  • Risk mitigation or reduction – Implementing a compensating control that mitigates or reduces the risk to an acceptable level.
  • Risk acceptance – In some cases, and when it doesn't exceed the risk tolerance of the company, we can accept the risk and leave it as it is.
  • Risk transference – When it is feasible we can transfer the risk to a 3rd party. The most common example is cyber insurance, but the risk can also be transferred to sub-processors like cloud service providers (bearing in mind that transferring the risk does not transfer your accountability for the data).


An information security risk assessment is an essential step when building your information security work plan. It helps you identify your highest risks and concentrate on them, and helps you present to senior management the risks that your organization faces. It's a never-ending process that you need to repeat at least annually in order to keep focusing on your highest risks.