# Risk Assessment SOP

Standard Operating Procedure for comprehensive security risk assessments

- Service Pillar: Protect
- Service Category: Security Assessment
- Target Duration: 2-4 weeks
- Related Pricing: See Pricing & Positioning
## Service Overview

### Purpose

Conduct comprehensive security risk assessments that identify, analyze, and prioritize information security risks, providing actionable risk treatment recommendations aligned with business objectives.
### Target Personas
| Persona | Primary Pain Point | Value Case |
|---|---|---|
| Solo IT Director | Overwhelmed, needs expert backup | Expert risk identification |
| CFO/Controller | Risk quantification, budget justification | ROI-based risk treatment |
| Managing Partner (Legal) | Fiduciary duty, client protection | Partner liability protection |
### Business Justification
| Metric | Value | Source |
|---|---|---|
| Average data breach cost | $4.88 million | IBM Cost of a Data Breach 2024 |
| Average breach detection time | 194 days | IBM 2024 |
| Organizations without formal risk assessment | 60%+ of SMBs | Verizon DBIR 2025 |
| Cost savings with risk-based security | 20-40% efficiency | NIST CSF Implementation Studies |
| SMBs targeted in cyberattacks | 43% | Verizon DBIR 2024 |
### Pricing Reference
| Tier | Scope | Price Range | Duration |
|---|---|---|---|
| Essential | <50 employees, single location | $8,000-$15,000 | 2 weeks |
| Standard | 50-200 employees, moderate complexity | $15,000-$30,000 | 3 weeks |
| Enterprise | 200+ employees, complex environment | $30,000-$50,000 | 4 weeks |
See Pricing & Positioning for complete pricing structure.
## Pre-Engagement

### Qualification Checklist
- Executive sponsor identified
- Scope boundaries defined
- Key stakeholders available
- Asset inventory accessible
- Prior assessments shared
- Compliance requirements known
### Required Information Gathering
| Category | Documents Needed |
|---|---|
| Business | Org chart, business processes, critical systems |
| Technology | Network diagrams, asset inventory, cloud services |
| Security | Existing policies, prior assessments, incident history |
| Compliance | Regulatory requirements, contractual obligations |
| Vendor | Third-party relationships, outsourced services |
## Risk Assessment Framework

### Methodology Selection

SBK primarily uses the NIST SP 800-30 methodology, adaptable to client requirements:
| Framework | Use Case | When to Apply |
|---|---|---|
| NIST SP 800-30 | Comprehensive risk assessment | Default methodology |
| ISO 27005 | ISO 27001 alignment | Clients pursuing ISO certification |
| FAIR | Quantitative risk analysis | Financial services, risk quantification needs |
| OCTAVE | Asset-centric assessment | Critical infrastructure focus |
### NIST SP 800-30 Process

```text
┌──────────────┐     ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│   PREPARE    │  →  │   CONDUCT    │  →  │ COMMUNICATE  │  →  │   MAINTAIN   │
│ Risk context │     │  Assessment  │     │   Results    │     │   Ongoing    │
└──────────────┘     └──────────────┘     └──────────────┘     └──────────────┘
```
## Assessment Process

### Phase 1: Preparation (Days 1-3)

Objective: Establish context and scope for risk assessment
| Activity | Deliverable | Duration |
|---|---|---|
| Kickoff meeting | Aligned scope and expectations | 0.5 day |
| Business context review | Understanding of business priorities | 0.5 day |
| Asset identification | Critical asset inventory | 1 day |
| Threat source identification | Relevant threat actors | 0.5 day |
| Prior assessment review | Historical context | 0.5 day |
#### Asset Criticality Classification
| Classification | Definition | Examples |
|---|---|---|
| Critical | Essential to business operations, high data sensitivity | Customer database, financial systems |
| High | Important to operations, moderate data sensitivity | Email systems, HR systems |
| Medium | Supports operations, limited data sensitivity | Internal tools, non-sensitive apps |
| Low | Convenience systems, minimal sensitivity | Office productivity, collaboration |
### Phase 2: Threat and Vulnerability Assessment (Days 4-10)

Objective: Identify relevant threats and vulnerabilities

#### Threat Source Analysis
| Threat Source | Motivation | Capability | Targeting |
|---|---|---|---|
| Cybercriminals | Financial gain | Moderate-High | Opportunistic + Targeted |
| Nation-States | Espionage, disruption | Very High | Targeted |
| Hacktivists | Ideological | Low-Moderate | Cause-related |
| Insiders | Various (malice, error) | High (access) | Internal systems |
| Competitors | Competitive advantage | Moderate | Industry-specific |
#### Threat Event Catalog
| Category | Threat Events | Likelihood Factors |
|---|---|---|
| Unauthorized Access | Account compromise, privilege escalation | Authentication strength, access controls |
| Malware | Ransomware, trojans, cryptominers | Endpoint protection, user awareness |
| Social Engineering | Phishing, pretexting, BEC | Training, email security |
| Data Breach | Exfiltration, exposure, theft | DLP, encryption, access controls |
| System Disruption | DDoS, destruction, corruption | Redundancy, backup, monitoring |
#### Vulnerability Identification
| Assessment Type | Method | Tools/Approach |
|---|---|---|
| Technical | Vulnerability scanning | Authenticated scans, configuration review |
| Process | Policy/procedure review | Gap analysis against standards |
| Human | Social engineering potential | Training records, awareness assessment |
| Physical | Facility assessment | Site inspection, access controls |
### Phase 3: Risk Analysis (Days 8-14)

Objective: Analyze and prioritize identified risks

#### Likelihood Determination
| Level | Rating | Definition | Frequency Guidance |
|---|---|---|---|
| Very High | 5 | Almost certain to occur | Multiple times per year |
| High | 4 | Likely to occur | Annual occurrence |
| Moderate | 3 | Possible occurrence | Every 2-3 years |
| Low | 2 | Unlikely but possible | Every 5+ years |
| Very Low | 1 | Rare occurrence | Historical only |
#### Impact Determination
| Level | Rating | Financial | Operational | Reputational | Regulatory |
|---|---|---|---|---|---|
| Catastrophic | 5 | >$1M | Business failure | Industry-wide | License loss |
| Major | 4 | $500K-$1M | Major disruption | Significant coverage | Major fine |
| Moderate | 3 | $100K-$500K | Extended outage | Local coverage | Moderate fine |
| Minor | 2 | $10K-$100K | Brief disruption | Limited awareness | Warning |
| Negligible | 1 | <$10K | Minimal impact | No coverage | None |
#### Risk Rating Matrix

| Likelihood ↓ / Impact → | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Very High (5) | Medium | High | Critical | Critical | Critical |
| High (4) | Low | Medium | High | Critical | Critical |
| Moderate (3) | Low | Medium | Medium | High | Critical |
| Low (2) | Low | Low | Medium | Medium | High |
| Very Low (1) | Low | Low | Low | Medium | Medium |
### Phase 4: Risk Evaluation and Treatment (Days 12-18)

Objective: Prioritize risks and develop treatment recommendations

#### Risk Treatment Options
| Option | Definition | When to Apply |
|---|---|---|
| Mitigate | Implement controls to reduce risk | Cost-effective controls available |
| Transfer | Share risk with third party | Insurance, outsourcing appropriate |
| Avoid | Eliminate the activity creating risk | Risk exceeds benefit |
| Accept | Acknowledge and monitor risk | Low risk, cost exceeds benefit |
#### Cost-Benefit Analysis

For each treatment recommendation:

```text
ALE (Annual Loss Expectancy) = SLE × ARO

Where:
  SLE = Single Loss Expectancy (impact in dollars)
  ARO = Annual Rate of Occurrence (likelihood as frequency)

Control Value = ALE (before) - ALE (after) - Control Cost
```
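The Risk Rating Matrix lookup and the ALE cost-benefit calculation above, worked through together as an added example (not SBK's own tooling). The mapping of likelihood levels to an annual rate of occurrence, the $600K single loss and the $40K/year control cost for risk R-001 are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not SBK tooling. Risk Rating Matrix from the SOP, indexed
# as RATING_MATRIX[likelihood][impact - 1] on the two 1-5 scales.
RATING_MATRIX = {
    5: ["Medium", "High", "Critical", "Critical", "Critical"],
    4: ["Low", "Medium", "High", "Critical", "Critical"],
    3: ["Low", "Medium", "Medium", "High", "Critical"],
    2: ["Low", "Low", "Medium", "Medium", "High"],
    1: ["Low", "Low", "Low", "Medium", "Medium"],
}
# Likelihood-table frequency guidance as an Annual Rate of Occurrence (events/year); values assumed.
ARO_BY_LEVEL = {5: 2.0, 4: 1.0, 3: 0.4, 2: 0.2, 1: 0.05}

def risk_rating(likelihood: int, impact: int) -> str:
    """Qualitative rating from the matrix; rejects values outside the 1-5 scales."""
    if likelihood not in RATING_MATRIX or not 1 <= impact <= 5:
        raise ValueError("likelihood and impact must each be 1-5")
    return RATING_MATRIX[likelihood][impact - 1]

def ale(sle: float, aro: float) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return sle * aro

def control_value(sle: float, aro_before: float, aro_after: float, cost: float) -> float:
    """Control Value = ALE(before) - ALE(after) - Control Cost, all annualised."""
    return ale(sle, aro_before) - ale(sle, aro_after) - cost

@dataclass
class Risk:
    risk_id: str
    likelihood: int  # 1-5, Likelihood Determination table
    impact: int      # 1-5, Impact Determination table
    sle: float       # single loss expectancy in dollars

    def mitigation_case(self, residual_likelihood: int, control_cost: float) -> dict:
        """Cost-benefit for a Mitigate option that lowers likelihood to residual_likelihood."""
        before, after = ARO_BY_LEVEL[self.likelihood], ARO_BY_LEVEL[residual_likelihood]
        value = control_value(self.sle, before, after, control_cost)
        return {"rating_before": risk_rating(self.likelihood, self.impact),
                "rating_after": risk_rating(residual_likelihood, self.impact),
                "ale_before": ale(self.sle, before), "ale_after": ale(self.sle, after),
                "control_value": value,  # positive: the control pays for itself
                "recommend": "Mitigate" if value > 0 else "Accept or Transfer"}

# Constructed sample matching register row R-001: weak auth on System X, likelihood 4,
# impact 4, $600K single loss; an MFA rollout is assumed to cost $40K per year.
R001 = Risk("R-001", likelihood=4, impact=4, sle=600_000)
print(R001.mitigation_case(residual_likelihood=2, control_cost=40_000))
```

Lowering likelihood from High (4) to Low (2) moves R-001 from Critical to Medium and leaves a control value of $440K per year, which is the figure the treatment plan should cite.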
### Phase 5: Documentation and Reporting (Days 16-20)

Objective: Document findings and communicate results

## Deliverables

### Risk Assessment Report

Structure:

- Executive Summary (2-3 pages)
  - Assessment scope and approach
  - Top risks identified
  - Risk posture summary
  - Priority recommendations
  - Investment recommendations
- Methodology (1-2 pages)
  - Framework used
  - Scope boundaries
  - Limitations and assumptions
- Asset Inventory (varies)
  - Critical assets identified
  - Asset classification
  - Data flows mapped
- Threat Analysis (3-5 pages)
  - Relevant threat sources
  - Threat event catalog
  - Threat trends (industry-specific)
- Vulnerability Assessment (varies)
  - Technical vulnerabilities
  - Process gaps
  - Human factors
- Risk Register (varies)
  - Complete risk inventory
  - Risk ratings
  - Treatment recommendations
  - Owner assignments
- Risk Treatment Plan (3-5 pages)
  - Prioritized actions
  - Timeline and milestones
  - Resource estimates
  - Success metrics
### Risk Register Template
| Risk ID | Risk Description | Asset | Threat Source | Vulnerability | Likelihood | Impact | Risk Rating | Treatment | Owner | Due Date |
|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Example | System X | Cybercriminal | Weak auth | 4 | 4 | Critical | Mitigate | IT Dir | 30 days |
## Quality Assurance

### Internal Review Checklist
- All critical assets assessed
- Threat sources relevant to client
- Vulnerabilities validated
- Risk ratings consistent
- Treatment recommendations actionable
- Cost-benefit analysis included
- Executive summary compelling
- Business context reflected
### Client Review Process
- Draft report delivery
- 5 business day review period
- Risk review workshop
- Final report delivery
- Risk treatment planning session
## Post-Delivery

### Risk Treatment Support
| Option | Scope | Investment |
|---|---|---|
| Self-Treatment | Report only | Included |
| Quarterly Reviews | Progress tracking, priority updates | $3,000-$5,000/quarter |
| vCISO Integration | Full risk program management | vCISO pricing |
### Ongoing Risk Management
| Activity | Frequency | Purpose |
|---|---|---|
| Risk register review | Quarterly | Status updates, re-prioritization |
| Annual reassessment | Annual | Full reassessment |
| Incident integration | Ongoing | Update based on incidents |
| Threat intelligence | Ongoing | Update threat landscape |
## Related Services
| Service | Connection | SOP Reference |
|---|---|---|
| Penetration Testing | Validates technical vulnerabilities | pentest-sop.md |
| vCISO | Ongoing risk program management | vcto-vciso-engagement-sop.md |
| Compliance Gap Assessment | Risk + compliance alignment | hipaa-gap-sop.md, soc2-gap-sop.md |
| Incident Response | Risk materialization handling | incident-response-sop.md |
## Evidence Base

### Why This Approach Works
| Principle | Evidence | Source |
|---|---|---|
| Risk-based approach | NIST CSF core function | NIST Cybersecurity Framework |
| Business context essential | 70% of breaches impact business ops | Verizon DBIR 2025 |
| Quantification improves decisions | Risk quantification adoption growing | FAIR Institute |
| Treatment prioritization | Resource optimization | Gartner Security Risk Management |
### SBK Success Metrics
| Metric | Target | Measurement |
|---|---|---|
| Risk identification coverage | 95%+ | Critical asset coverage |
| Client satisfaction | 4.5+/5.0 | Post-engagement survey |
| Treatment plan adoption | 80%+ | 12-month follow-up |
| Incident reduction | 40%+ | Client-reported |
## Regulatory References
- NIST SP 800-30 - Risk Assessment Guide
- ISO 27005 - Information Security Risk Management
- NIST Cybersecurity Framework
- FAIR Standard
Last Updated: February 2026

Version: 1.0