3.11.1—Risk Assessment - Basic
>Control Description
>Discussion
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization, individuals accessing organizational systems, outsourcing entities).
Risk assessments, either formal or informal, can be conducted at the organization level, the mission or business process level, or the system level, and at any phase in the system development life cycle. [SP 800-30] provides guidance on conducting risk assessments.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern periodically assessing risk to systems?
- •What risk assessment methodology do you use?
- •How often are risk assessments conducted?
- •Who is responsible for conducting and reviewing risk assessments?
- •What governance ensures risk assessments inform security decisions?
Technical Implementation:
- •What risk assessment tools or frameworks do you use?
- •How do you identify and categorize threats and vulnerabilities?
- •What technical methods support risk likelihood and impact analysis?
- •How do you track and prioritize identified risks?
- •What systems aggregate risk data for organizational visibility?
Evidence & Documentation:
- •Can you provide recent risk assessment reports?
- •What documentation shows risk assessment frequency and methodology?
- •Can you demonstrate risk-based security control decisions?
- •What risk registers or tracking systems exist?
- •What audit evidence verifies periodic risk assessment compliance?
Ask AI
Configure your API key to use AI features.