IT risk assessment methodology evaluation and application

This short guide simplifies the selection of an IT risk assessment methodology by focusing on how the major standards are used in practice and where they differ.

An information security strategy is incomplete without risk assessment (RA). Selecting the right IT risk assessment methodology is central to any information gathering exercise that aims to produce a proactive security posture: effective risk management depends on identifying risks relative to business goals and key assets, and the methodology determines how well that identification is done.

IT risk assessment frameworks reduce risk to a measurable quantity (a score or rating derived from likelihood and impact), which makes it possible to address security gaps systematically and in priority order. Risk assessment must not be confused with an audit: an audit verifies that a defined set of controls is in place, whereas a risk assessment identifies threats to assets and decides which of them matter. In risk assessment, one size never fits all; forcing a single approach onto every business unit stifles productivity and business efficiency. This guide looks at some of the popular IT risk assessment methodologies, highlighting their respective workflows, relevance and points of differentiation.


An IT risk assessment methodology should provide focused information on an enterprise's current security posture: it should highlight deficiencies and produce a prioritized remediation strategy. Its scope can be a specific part of the IT setup or an enterprise-wide evaluation. Here is a brief overview of what constitutes an effective risk assessment process, from technical procedures to policy and everything in between.

The latest IT risk assessment standard from the ISO stable is ISO/IEC 27005. First published in June 2008, it builds on the risk management requirements of ISO/IEC 27001. It is unusual among IT risk assessment methodologies in that it does not prescribe a single method: organizations get plenty of leg-room to define their own risk criteria, rating scales and acceptance thresholds, qualitative or quantitative. This is an approach markedly different from other risk assessment standards such as OCTAVE and NIST SP 800-30. Discover how you can use ISO 27005 to your advantage.

The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, developed at Carnegie Mellon University's Software Engineering Institute, follows a self-directed approach to risk assessment driven by business objectives. The idea is to leverage an organization's own operational expertise to identify the risks unique to its business: a small analysis team drawn from business and IT staff, rather than an external assessor, performs the evaluation. As an IT risk assessment methodology, OCTAVE is context-driven and self-directed, integrating the experience an organization has gleaned over time with its unique business needs. This tip is a comprehensive overview of the standard's relevance and workflow.

NIST SP 800-30 is an IT risk assessment methodology that has been around for a long time. First published in July 2002 as the Risk Management Guide for Information Technology Systems, it is scoped to IT systems rather than the enterprise as a whole and approaches risk assessment from a predominantly technical perspective: threat sources, vulnerabilities and existing controls are identified for a system, likelihood and impact are rated, and the two are combined into a risk level that drives control recommendations. It has been influential in the formulation of most prominent IT risk assessment methodologies. This part of our guide addresses the workflow and logic behind NIST SP 800-30, and how it differs from other risk assessment standards.

Small merchants rarely have hefty IT security budgets, which makes them highly susceptible to fraud and breaches involving sensitive customer data. To help such entities, PCI DSS offers self-assessment questionnaires (SAQs) as a validation route: an eligible merchant attests to the subset of requirements that applies to how it handles cardholder data, instead of undergoing an on-site assessment by a Qualified Security Assessor and producing a Report on Compliance. This is a feasible and cost-effective alternative to a full on-site assessment under PCI DSS 2.0, but it is not an exemption: the applicable requirements still have to be met, and the merchant's acquirer or card brand determines which SAQ it may use. Join us as we outline the IT risk assessment checklist for small merchants who opt for SAQ validation.
