
Every organization has assets (e.g., people, property, and information) it relies on to achieve its strategic goals and objectives. To ensure success, the organization must identify those assets and apply effective measures to safeguard them.
To determine the appropriate treatments, it’s critical to conduct a security risk assessment (SRA) and identify the risks to the organization. An organization must establish a risk management process to support enterprise-wide strategic, tactical, and operational activities. An SRA provides a logical, structured, and consistent approach to assess risk. The people responsible for decision-making can then systematically select from risk treatment strategies and options based on reason and best available information.
An SRA provides the cornerstone to make informed decisions in order to address uncertainties and achieve an organization’s objectives. A comprehensive SRA is designed to consider the organization’s mission and vision, core values, and operating environment, as well as strategic, tactical, and operational objectives. It is not possible to eliminate all risk and uncertainty, but the results of the SRA inform the responsible decision maker(s) of the options to effectively manage and prioritize the risks and achieve the organization’s objectives.
This revised standard provides guidance for conducting a security-specific risk assessment, which may include physical, non-physical, and logical risks. It provides a structured process to establish the context of the SRA, plan SRA activities, and conduct the SRA (i.e., risk identification, risk analysis, and risk evaluation). This standard also provides guidance on post-SRA activities and includes an example of information that may be incorporated into an SRA report.