IT Risk Assessment Templates

NIST SP 800-30 Risk Management Guide for IT Systems

| No | Step | Description | Output | Status |
|---|---|---|---|---|
| 1 | System Characterization | Define the scope of the effort. In this step, the boundaries of the IT system are identified, along with the resources and the information that constitute the | Characterization of the IT system assessed, a good picture of the IT system environment, and delineation of system boundary | |
| 2 | Threat Identification | Identify the potential threat-sources and compile a threat statement listing potential threat-sources that are applicable to the IT system being | A threat statement containing a list of threat-sources that could exploit system vulnerabilities | |
| 3 | Vulnerability Identification | Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. | A list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources | |
| 4 | Control Analysis | Analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat's exercising a system vulnerability. | List of current or planned controls used for the IT system to mitigate the likelihood of a vulnerability's being exercised and reduce the impact of such an adverse event | |
| 5 | Likelihood Determination | An overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment. | Likelihood rating | |
| 6 | Impact Analysis | The adverse impact resulting from a successful threat exercise of a vulnerability. | Magnitude of impact (High, Medium, or Low) | |
| 7 | Risk Determination | Determine the level of risk to the IT system. | Risk Level (High, Medium, or Low) | |
| 8 | Control Recommendations | Reduce the level of risk to the IT system and its data to an acceptable level. | Recommendation of control(s) and alternative solutions to mitigate risk | |
| 9 | Results Documentation | A risk assessment report is a management report that helps senior management, the mission owners, make decisions on policy, procedural, budget, and system operational and management | Risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation | |
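As an added worked example (not part of this template), steps 5 to 9 of the table as a small risk register in Python: the numeric likelihood and impact weights and the risk-scale cut-offs are the example values from the risk-level matrix in NIST SP 800-30, and the threat-source/vulnerability rows are constructed sample data.

```python
from dataclasses import dataclass, field

# Example weights and cut-offs from the risk-level matrix in NIST SP 800-30:
# score = likelihood x impact; >50 High, >10 to 50 Medium, 1 to 10 Low.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # step 5 rating
IMPACT = {"High": 100, "Medium": 50, "Low": 10}         # step 6 magnitude
LEVELS = ["High", "Medium", "Low"]

@dataclass
class Observation:  # one threat-source / vulnerability pair (steps 2 to 4)
    threat_source: str
    vulnerability: str
    likelihood: str
    impact: str
    current_controls: list = field(default_factory=list)
    recommended_controls: list = field(default_factory=list)  # step 8

def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: combine the likelihood rating and impact magnitude."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def risk_report(observations):
    """Step 9: report rows, highest risk first, with controls per row."""
    rows = [{"threat_source": o.threat_source,
             "vulnerability": o.vulnerability,
             "likelihood": o.likelihood, "impact": o.impact,
             "risk": risk_level(o.likelihood, o.impact),
             "current_controls": o.current_controls,
             "recommended_controls": o.recommended_controls}
            for o in observations]
    return sorted(rows, key=lambda r: LEVELS.index(r["risk"]))

# Constructed sample observations (not from the template or NIST)
SAMPLE = [
    Observation("External attacker", "Unpatched web server", "High", "High",
                ["Network firewall"], ["Apply vendor patch"]),
    Observation("Insider", "Shared admin account", "Medium", "High",
                [], ["Individual accounts", "Multi-factor authentication"]),
    Observation("Power failure", "No UPS in branch office", "Low", "Medium",
                ["Backup generator"]),
]

if __name__ == "__main__":
    for row in risk_report(SAMPLE):
        print(f'{row["risk"]:6} {row["vulnerability"]}')
```

Note that the matrix boundaries are inclusive on the lower band: a Medium likelihood against a High impact scores exactly 50 and is rated Medium, not High.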