Risk Assessment

Also known as: Cyber Risk Assessment, Information Security Risk Assessment

The structured process of identifying threats, estimating likelihood and impact, and producing a defensible record of which risks the organisation accepts, treats, or transfers.

Written by Askara Solutions editorial team · Updated

A risk assessment is the part of the ISMS where you stop talking about controls and start talking about consequences. Without one, every security investment is a guess. With one, an auditor can understand why you made the choices you made.

The mechanics differ between methodologies. ISO 27005 is the assessment standard that pairs with ISO 27001 and accepts both qualitative and quantitative approaches. NIST SP 800-30 is the US public-sector reference. FAIR provides a quantitative model with explicit factors. What they share is a sequence: identify what you are trying to protect, identify what could go wrong, estimate how often and how much, and decide what to do about it.
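The shared sequence above (identify assets, identify what could go wrong, estimate frequency and magnitude, decide on treatment) can be run as a small quantitative model in the FAIR style. The Python below is an added illustration, not code from Askara Solutions or from any of the standards named; it assumes that each three-point estimate (minimum, most likely, maximum) elicited from a system owner is modelled as a triangular distribution, that the number of loss events in a year follows a Poisson draw from the sampled frequency, and that the organisation's risk appetite is expressed as the largest 90th-percentile annual loss it will accept. The two register rows and the appetite figure are constructed sample data.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class Risk:
    """One register row. lef and lm are (min, most likely, max) estimates
    elicited from the people who run the system (constructed samples below)."""
    name: str
    asset: str
    lef: tuple  # loss event frequency: events per year
    lm: tuple   # loss magnitude: cost per event, in currency units


def draw_triangular(rng, estimate):
    """Sample a three-point estimate as a triangular distribution (assumption)."""
    lo, mode, hi = estimate
    return rng.triangular(lo, hi, mode)


def draw_poisson(rng, lam):
    """Number of loss events in one year at rate lam (Knuth's method; fine for small rates)."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def percentile(samples, p):
    """Nearest-rank percentile of a list of samples, p in [0, 1]."""
    ordered = sorted(samples)
    index = min(len(ordered) - 1, int(p * len(ordered)))
    return ordered[index]


def simulate_annual_loss(risk, rng, trials=10_000):
    """Monte Carlo: each simulated year draws a frequency, then that many magnitudes."""
    yearly = []
    for _ in range(trials):
        rate = draw_triangular(rng, risk.lef)
        events = draw_poisson(rng, rate)
        yearly.append(sum(draw_triangular(rng, risk.lm) for _ in range(events)))
    return yearly


def assess(register, appetite, trials=10_000, seed=7):
    """Produce one defensible entry per risk: loss exposure plus the treatment decision.
    appetite is the largest 90th-percentile annual loss the organisation accepts (assumption)."""
    rng = random.Random(seed)  # fixed seed so the register is reproducible for an auditor
    results = []
    for risk in register:
        yearly = simulate_annual_loss(risk, rng, trials)
        p90 = percentile(yearly, 0.90)
        results.append({
            "risk": risk.name,
            "asset": risk.asset,
            "mean_annual_loss": sum(yearly) / len(yearly),
            "p50": percentile(yearly, 0.50),
            "p90": p90,
            "treatment": "treat" if p90 > appetite else "accept",
        })
    return results


# Constructed sample register and appetite; the figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("Ransomware on file server", "file-server",
         lef=(0.5, 1.0, 2.0), lm=(10_000, 50_000, 200_000)),
    Risk("Lost visitor badge", "reception",
         lef=(0.01, 0.05, 0.1), lm=(100, 500, 1_000)),
]
APPETITE = 25_000

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, APPETITE):
        print(f"{row['risk']:<28} mean={row['mean_annual_loss']:>10,.0f} "
              f"p50={row['p50']:>10,.0f} p90={row['p90']:>10,.0f} -> {row['treatment']}")
```

The point of keeping the elicited ranges in the register rather than a single severity score is that every number in the output can be traced back to a named estimate from a named owner; when an auditor asks why the ransomware row is treated and the badge row is accepted, the answer is the appetite threshold and the owners' own ranges, not a consultant's default.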

The quality of the result depends almost entirely on whose estimates feed the model. A risk assessment built from a consultant's defaults reflects the consultant's prior clients. A risk assessment built from your own people's calibrated judgment reflects your business. The Askara Solutions agent runs the elicitation with the people who actually know the systems, so the resulting register is something your team can defend rather than something they have to memorise.

Related terms

  • FAIR

    Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.

  • Risk Register

    The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.

  • ISO 27001

    International standard that defines the requirements for an information security management system (ISMS), including risk assessment, control selection, and management review.

  • Statement of Applicability

    ISO 27001 document that records, for every Annex A control, whether it is applied, why it is applied, and what evidence demonstrates that it operates.

  • Annex A

    The catalogue of 93 information security controls in ISO/IEC 27001:2022, organised into four themes (organisational, people, physical, technological), referenced from the Statement of Applicability.