i. The risk assessment process includes the identification of threats and vulnerabilities related to company assets.
ii. The first step in the risk assessment is to identify all assets within the scope of the information security program; in other words, all assets that may affect the confidentiality, integrity, and/or availability of information in the organization. Assets may include documents in paper or electronic form, applications, databases, information technology equipment, infrastructure, and external/outsourced services and processes. For each asset, an owner must be identified.
iii. The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities must be listed in a risk assessment table. Each asset may be associated with multiple threats, and each threat may be associated with multiple vulnerabilities.
iv. For each risk, an owner must be identified. The risk owner and the asset owner may be the same individual.
v. Once risk owners are identified, they must assess:
1. Consequences for each combination of threats and vulnerabilities for an individual asset if such a risk materializes.
2. Likelihood of occurrence of such a risk (i.e., the probability that a threat will exploit the vulnerability of the respective asset).
3. The criteria for determining consequence and likelihood are defined in Tables 1 and 2.
vi. The risk level is calculated by adding the consequence score and the likelihood score.