Understanding Risk Assessments: NIST SP 800-30 and ISO 27006 Guidelines
As a company starts its initial planning for growth and development, its Enterprise Risk Management must be put in place to deal with the inherent risks it may face and the risks its product or service may impose on others. Once the governing frameworks are in place, a risk assessment must be performed in order to identify risks, estimate them, and prioritize which information within the organization must be secured first. NIST SP 800-30, Guide for Conducting Risk Assessments, and ISO 27006, Requirements for bodies providing audit and certification of information security management systems, guide assessors (CISOs) on how to deliver an in-depth risk assessment. Here we highlight the critical elements of the guidance, their differences, and the advantages and disadvantages of performing qualitative and quantitative risk assessments.
According to NIST SP 800-30, a “[r]isk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to organizational operations…” Furthermore, “The purpose of risk assessments is to inform decision-makers and support risk responses by identifying: (i) relevant threats to organizations or threats directed through organizations against other organizations; (ii) vulnerabilities both internal and external to organizations; (iii) impact (i.e., harm) to organizations that may occur given the potential for threats exploiting…
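To make the identify / estimate / prioritize sequence concrete, the following added example (not code from the article or from NIST) builds a small risk register. Each entry pairs a threat with a vulnerability, estimates risk qualitatively from likelihood and impact, optionally estimates it quantitatively as an annualized loss expectancy (ALE = asset value × exposure factor × annual rate of occurrence, the usual quantitative formula rather than anything SP 800-30 prescribes), and then ranks the entries. The five-level scale is the one SP 800-30 Rev. 1 uses in its appendices; the likelihood-by-impact matrix, the dataclass fields and the register entries are assumptions constructed for illustration and should be checked against the publication and your own organization's criteria before use.

```python
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scale used in NIST SP 800-30 Rev. 1, Appendix I. The position in
# the list is used only to rank levels when prioritizing.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Likelihood (row) x impact (column) -> risk level. Assumption: a matrix in the
# style of SP 800-30 Table I-2; verify against the publication before relying on it.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Estimate step (qualitative): look the risk level up in the matrix."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown level: {likelihood!r} / {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Estimate step (quantitative): SLE = asset value x exposure factor; ALE = SLE x ARO."""
    if not 0.0 <= exposure_factor <= 1.0 or aro < 0 or asset_value < 0:
        raise ValueError("exposure factor must be in [0, 1]; ARO and asset value must be >= 0")
    single_loss_expectancy = asset_value * exposure_factor
    return single_loss_expectancy * aro


@dataclass
class RiskItem:
    """One register entry: a threat paired with the vulnerability it could exploit."""
    name: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    asset_value: Optional[float] = None      # quantitative inputs are optional
    exposure_factor: Optional[float] = None
    aro: Optional[float] = None

    @property
    def level(self) -> str:
        return qualitative_risk(self.likelihood, self.impact)

    @property
    def ale(self) -> Optional[float]:
        # Quantitative estimate only when all three inputs were supplied.
        if None in (self.asset_value, self.exposure_factor, self.aro):
            return None
        return annualized_loss_expectancy(self.asset_value, self.exposure_factor, self.aro)


def prioritize(register: List[RiskItem]) -> List[RiskItem]:
    """Prioritize step: highest qualitative level first, ALE breaks ties."""
    return sorted(register, key=lambda r: (LEVELS.index(r.level), r.ale or 0.0), reverse=True)


def sample_register() -> List[RiskItem]:
    """Constructed sample entries for illustration; not from any real assessment."""
    return [
        RiskItem("R1", "External attacker", "Unpatched internet-facing web server",
                 "High", "High", 500_000, 0.4, 0.5),
        RiskItem("R2", "Malicious insider", "Excessive database privileges",
                 "Moderate", "Very High", 2_000_000, 0.25, 0.1),
        RiskItem("R3", "Flood", "Data center located in a flood zone",
                 "Very Low", "Very High"),                      # qualitative only
        RiskItem("R4", "Phishing", "No multi-factor authentication on email",
                 "High", "Moderate", 100_000, 0.3, 2.0),
    ]


if __name__ == "__main__":
    for item in prioritize(sample_register()):
        ale = f"${item.ale:,.0f}/yr" if item.ale is not None else "n/a"
        print(f"{item.name}: {item.level:9s} ALE={ale:14s} {item.threat} -> {item.vulnerability}")
```

Running the script lists R1 and R2 (both High) ahead of R4 (Moderate) and R3 (Low); within the High band the larger ALE ranks first. This is also where the trade-off the article previews shows up: the qualitative matrix needs no dollar figures and can be filled in quickly, while the quantitative column requires asset valuations and occurrence rates that are often hard to justify but, once available, give decision-makers a comparable number per risk.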