
STEP-BY-STEP APPROACH TO ASSET-BASED RISK ASSESSMENT

What is Asset-Based Risk Assessment?
An asset-based risk assessment focuses
on identifying and evaluating the risks to
an organization's assets.

Assets include:

People Digital Service

Hardware Software Paper


1 Identify & Create an Asset Inventory
Start by identifying all the assets used by the
business, along with their asset owners, and
record them in an inventory.

Laptops Firewall

Servers Database

Software Contracts

Desktops Fire Extinguisher


2 Valuate the Assets
After creating an asset inventory, assign a
Confidentiality, Integrity, Availability (CIA)
value to the assets and determine the
average value.

Values      Confidentiality   Integrity   Availability
Low         1                 1           1
Medium      2                 2           2
High        3                 3           3
Very High   4                 4           4

3 Classify the Assets
Classify the assets based on the average of
CIA value. Classifying the assets will help to
determine the controls required to protect
that asset.

Average Asset Value   Asset Classification
1                     Low
2                     Medium
3                     High
4                     Very High

Ex: Senior Management Laptop
Valuation & Classification = 4

4 Identify potential threats
Identify potential threats & determine their
likelihood & impact

Threat Score     Likelihood
Impact           Unlikely (1)   Could Happen (2)   Very Likely (3)
Low (1)          1              2                  3
Medium (2)       2              4                  6
High (3)         3              6                  9
Very High (4)    4              8                  12

Ex: Threat for a Laptop could be a Virus


Likelihood of a virus attack = Could Happen (2)
Impact would be = High (3)
5 Assess the vulnerabilities
Assess the vulnerabilities of each asset and
determine how susceptible they are to the
identified threats

Ease of Exploitation   Vulnerability   Value
Very Difficult         Low             1
Difficult              Medium          2
Easy                   High            3
Very Easy              Very High       4

Ex: Ease of Exploit of Virus is Very Easy = 4


6 Calculate the Inherent Risk
Calculate the inherent risk based on the
Asset Value, Threat Value and Vulnerability
value.

Inherent risk = Asset value * Threat Value * Vulnerability Value

Final Inherent Risk Value


Laptop Asset Value = 4,
Threat Value = Likelihood (2) * Impact (3) = 6
Vulnerability Value = Ease of Exploit = 4

Inherent risk = 4*6*4


Inherent risk = 96
7 Risk Evaluation
Once the inherent risk is identified,
compare it with the organization's Risk Appetite.

Inherent risk < Acceptable risk = STOP THE RISK ASSESSMENT

Inherent risk > Acceptable risk = PROCEED WITH RISK TREATMENT

Assume that the Risk Appetite = 8

96 > 8
PROCEED WITH THE RISK TREATMENT
8 Risk Treatment
If the inherent risk is greater than the risk
appetite, choose one of the below risk
treatment options.

Risk Treatment

Avoid Mitigate

Transfer Accept

In our example, since the Inherent risk is
greater than risk appetite, we proceed
towards TREATING the risk.
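
The scoring in steps 2 to 7, as an added Python example that is not part of the original playbook. The laptop entry uses the page's values, with a CIA breakdown of 4/4/4 assumed to give the stated asset value of 4; the other two register entries, rounding a fractional CIA average up, and treating a risk equal to the appetite as acceptable are all assumptions.

```python
from dataclasses import dataclass

LEVELS = {1: "Low", 2: "Medium", 3: "High", 4: "Very High"}

@dataclass
class RiskEntry:
    asset: str
    cia: tuple          # (Confidentiality, Integrity, Availability), each 1-4
    threat: str
    likelihood: int     # 1 Unlikely, 2 Could Happen, 3 Very Likely
    impact: int         # 1 Low .. 4 Very High
    vulnerability: int  # ease of exploitation, 1 Very Difficult .. 4 Very Easy

    def __post_init__(self):
        # Reject scores outside the scales, which would silently skew the product.
        checks = [(v, 4) for v in self.cia]
        checks += [(self.likelihood, 3), (self.impact, 4), (self.vulnerability, 4)]
        if len(self.cia) != 3 or any(not 1 <= v <= top for v, top in checks):
            raise ValueError(f"score out of range for {self.asset}")

    @property
    def asset_value(self):
        # Assumption: a fractional CIA average is rounded up to the next class.
        return -(-sum(self.cia) // 3)

    @property
    def inherent_risk(self):
        # Asset value * Threat value (likelihood * impact) * Vulnerability value
        return self.asset_value * (self.likelihood * self.impact) * self.vulnerability

def evaluate(entries, risk_appetite):
    """Return one row per entry, highest inherent risk first."""
    rows = []
    for e in entries:
        # Assumption: a risk exactly equal to the appetite is within appetite.
        decision = "TREAT" if e.inherent_risk > risk_appetite else "STOP"
        rows.append({"asset": e.asset, "threat": e.threat,
                     "classification": LEVELS[e.asset_value],
                     "inherent_risk": e.inherent_risk, "decision": decision})
    return sorted(rows, key=lambda r: r["inherent_risk"], reverse=True)

# Constructed register: the first entry is the page's laptop example,
# the other two are made-up entries for illustration.
REGISTER = [
    RiskEntry("Senior Management Laptop", (4, 4, 4), "Virus", 2, 3, 4),
    RiskEntry("Database", (4, 3, 3), "Unauthorized access", 2, 4, 2),
    RiskEntry("Fire Extinguisher", (1, 1, 2), "Theft", 1, 1, 2),
]

if __name__ == "__main__":
    for row in evaluate(REGISTER, risk_appetite=8):
        print(row)
```

Sorting by inherent risk puts the entries that most exceed the appetite at the top of the treatment queue.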