A cyber security risk assessment report is a fact-finding mission designed to uncover and quantify the IT security risks facing an organisation.
The risk assessment itself is the process of identifying, analysing and evaluating the risks posed to business assets, processes and IT workloads. Internal and external threats are isolated, identified and scrutinised with a view to implementing controls and strategies designed to prevent, reduce and mitigate risk.
The cyber security risk assessment report is the end product of the risk assessment. It serves as a roadmap towards implementing effective controls across the entire risk spectrum, from malware and ransomware to traffic monitoring, endpoint security and user-level controls.
This guide provides step-by-step instructions on how to write a cyber security risk assessment report.
Producing a cyber security assessment report involves an in-depth analysis of an organisation's IT infrastructure and policies to uncover risks and vulnerabilities.
The goal is to identify strengths, weaknesses and areas that require improvement with security controls. The assessment's size and scope vary with the business's size and complexity.
IT risks are proliferating, and virtually every business is exposed in some way.
Businesses conduct cyber security risk assessments to identify IT risks and reduce potential downtime and disruption. This enables them to:
Read our detailed guide to cyber security assessments and why businesses need them.
Cyber security risks are fast-evolving. By proactively identifying and addressing threats, businesses can clamp down on vulnerabilities, provide assurance to stakeholders and clients, and focus on innovation and growth in the knowledge that they're well-protected.
Writing the report involves a multi-step process that progresses from discussions about business architecture, processes and workloads before diving into risk identification, control selection and technical deep dives on IT infrastructure.
Here's how to produce a cyber security risk assessment report in 8 steps:
Cyber security authorities and institutions have created several frameworks that act as a reference for implementing cyber security improvements and assessing existing technology and business infrastructures.
These frameworks are designed to direct businesses and organisations to established IT security benchmarks and best practices. You can find more information on cyber security frameworks here.
An initial step in carrying out an assessment is to identify which framework is best suited to your business. Sometimes a combination of frameworks may also apply, such as when an organisation needs to comply with PCI DSS and also wants to achieve ISO 27001 certification.
When Nicolson Bray writes a cyber security health check, we typically use a blend of CIS Critical Security Controls and ISO 27001 Annex A, but we can add other frameworks as required. Some businesses may require custom controls that tailor the control set to the business’s specific needs.
Identifying cyber business risks involves working with senior leadership to understand what types of cyber incidents could have a material impact on the business. For instance, how would a large data breach impact the business’s reputation and ability to sign new customers and clients?
This normally takes the form of a workshop or a series of one-to-one interviews and an in-depth analysis of IT policy and processes and on-premises, cloud and distributed architecture.
The analysis is general at first - what types of risks do businesses in this sector typically face? What type of data is being stored and transferred? Has the business been the target of cyber attacks before, and if so, what happened and why?
Part of this exercise should also include rating these risks to understand their relative impacts. This enables initial prioritisation.
Achieving an overarching understanding of cyber business risk is fundamental to selecting controls and performing technical deep dives.
You can find more about identifying cyber business risks in our article on Reporting Cyber Security to the Board.
Each framework contains a series of controls that can be implemented across any business. However, not every control is relevant to every business.
For instance, data leakage prevention (DLP) controls are of little relevance to a company that processes or stores almost no sensitive data, and of high relevance to one that handles customer, financial or personnel records.
The selection of controls depends on the identified cyber business risks. Controls should be selected on the basis of their ability to mitigate particular cyber business risks. In the example above, DLP controls should be selected to mitigate risks centred around data breaches of sensitive information.
Having said that, some controls are foundational or essential. For instance, controls around passwords, multi-factor authentication (2FA/MFA) and security patching are critical to every business and so should always be selected. Frameworks generally identify these baseline controls themselves; in CIS Controls v8, for example, Implementation Group 1 (IG1) is the set of safeguards every organisation is expected to implement as essential cyber hygiene.
Selected controls are then tailored to the business’s systems and infrastructure.
Above: There were 20 CIS Controls prior to v8, which now has 18 controls
Checklists are created from appropriate controls. Creating a checklist ensures the assessment is carried out consistently and logically, and that information is collected and collated in one place.
You can use Excel to create your checklist, or there are a number of Governance, Risk and Compliance (GRC) tools which can be used to the same effect.
Once complete, these checklists store critical information about the security of your company, and so should be kept in a secure location.
Once a checklist has been created and agreed upon, data and technology assets are identified.
Data and technology assets interact throughout an organisation. Technology assets include both hardware systems (e.g. servers and routers) and software (e.g. databases, applications and SaaS). Technology assets often deliver critical operational processes to an organisation, such as taking bookings for an online travel agency.
Data assets are the types of data which flow through the technology assets, such as customer data, financial data and personnel data.
Two exercises which can be useful to identify data and technology assets are:
This should help identify which assets should be assessed.
Current controls are checked and audited against the checklist to discover what the business is currently doing to protect its assets and data. Control assessments answer the following questions:
The key here is trying to identify gaps in controls. For example, a business might have adequate controls for its on-premises SQL servers but inadequate controls on SQL instances in the cloud.
After identifying these gaps, it’s then possible to quantify and qualify risk to create the final report.
Quantifying and qualifying risks involves assessing data and technology assets against the control gaps to gauge relative risk. The same missing control matters more on a business-critical system than on a peripheral one, because the impact of a successful attack is higher, so business-critical systems and processes warrant the most attention. Control gaps on high-criticality assets are therefore assigned a higher priority than gaps on lower-criticality assets, and gaps can also be rolled up by the cyber business risk they relate to, so the report speaks to the risks senior leadership identified at the outset.
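The checklist, the gap audit and the prioritisation above are easier to see with a concrete data model. The following is an added example and not code from the original article or from Nicolson Bray: a small Python script that holds a control checklist as rows (control, asset, status found by the audit, business risk mitigated), scores each gap as asset criticality multiplied by the size of the gap, flags controls that are in place on one asset but not another (the on-premises versus cloud SQL case), and rolls the scores up by cyber business risk. The company, assets, criticality ratings and audit results are constructed sample data; the control IDs follow the style of CIS Controls v8 safeguard numbering but the mapping is assumed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int   # 1 (low) .. 5 (business-critical), agreed with senior management


@dataclass(frozen=True)
class ControlCheck:
    control_id: str    # checklist row; numbering mimics CIS Controls v8 safeguards (assumed mapping)
    description: str
    asset: str         # name of the data/technology asset the control was checked against
    status: str        # "yes" | "partial" | "no": what the audit found in place
    business_risk: str # the cyber business risk this control mitigates


# Size of the gap for each audit result; "yes" means the control is fully in place.
GAP_WEIGHT = {"yes": 0, "partial": 1, "no": 2}

# Constructed sample data: a fictional company with one on-premises and one cloud SQL instance.
SAMPLE_ASSETS = {a.name: a for a in [
    Asset("on-prem SQL Server", 5),
    Asset("Azure SQL instance", 5),
    Asset("HR file share", 4),
    Asset("marketing website", 2),
]}

SAMPLE_CHECKS = [
    ControlCheck("CIS 3.11", "Encrypt sensitive data at rest", "on-prem SQL Server", "yes", "Customer data breach"),
    ControlCheck("CIS 3.11", "Encrypt sensitive data at rest", "Azure SQL instance", "no", "Customer data breach"),
    ControlCheck("CIS 6.5", "MFA for administrative access", "on-prem SQL Server", "yes", "Customer data breach"),
    ControlCheck("CIS 6.5", "MFA for administrative access", "Azure SQL instance", "partial", "Customer data breach"),
    ControlCheck("CIS 6.5", "MFA for administrative access", "marketing website", "no", "Website defacement"),
    ControlCheck("CIS 7.4", "Automated application patching", "marketing website", "no", "Website defacement"),
    ControlCheck("CIS 3.3", "Data access control lists", "HR file share", "partial", "Personnel data breach"),
]


def gap_score(check, assets):
    """Priority of one gap: asset criticality x size of the gap. 0 means the control is in place."""
    return assets[check.asset].criticality * GAP_WEIGHT[check.status]


def prioritised_gaps(checks, assets):
    """Control gaps ordered highest priority first, as (score, check) pairs."""
    gaps = [(gap_score(c, assets), c) for c in checks]
    gaps = [g for g in gaps if g[0] > 0]
    gaps.sort(key=lambda g: (-g[0], g[1].control_id, g[1].asset))
    return gaps


def inconsistent_controls(checks):
    """Controls whose audit status differs between assets (e.g. in place on-prem but not in the cloud)."""
    seen = {}
    for c in checks:
        seen.setdefault(c.control_id, set()).add(c.status)
    return sorted(cid for cid, statuses in seen.items() if len(statuses) > 1)


def gaps_by_business_risk(checks, assets):
    """Total gap score per cyber business risk, highest first, for the executive summary."""
    totals = {}
    for score, c in prioritised_gaps(checks, assets):
        totals[c.business_risk] = totals.get(c.business_risk, 0) + score
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for score, c in prioritised_gaps(SAMPLE_CHECKS, SAMPLE_ASSETS):
        print(f"{score:>3}  {c.control_id:<9} {c.asset:<20} {c.status:<8} {c.description}")
    print("Inconsistent across assets:", inconsistent_controls(SAMPLE_CHECKS))
    print("By business risk:", gaps_by_business_risk(SAMPLE_CHECKS, SAMPLE_ASSETS))
```

With the sample data, the unencrypted cloud SQL instance tops the list (criticality 5, status "no"), and CIS 3.11 and CIS 6.5 are reported as inconsistent because they are in place on the on-premises server but not on its cloud counterpart. The scoring is deliberately simple; a real assessment would typically replace the single criticality rating with separate impact and likelihood ratings agreed in the risk workshop.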
Presenting findings involves communication with key decision-makers. A detailed cyber security risk assessment report should contain the following:
Writing a cyber security risk assessment report is a collaborative exercise. Since cyber security permeates all business teams and departments, it's vital to establish a top-down understanding of risks so key individuals can disseminate knowledge across the business.
Above: Writing a cyber security risk assessment report should involve collaboration from senior management and relevant team leaders/key members of departments exposed to the highest risk
A robust cyber security risk assessment report should involve the following individuals and teams:
The ideal process involves collaboration between cyber security professionals, senior management and relevant departments and functions within the business.
Of course, not all businesses have dedicated risk management and security functions, but the core message remains the same: cybersecurity affects virtually every aspect of a business, including managers and employees at all levels.
Cyber security professionals lead assessment activity, starting with initial discussions with senior management before collaborating with risk management, IT teams, etc.
To build an understanding of business activity, past issues and future direction, assessments should involve the CEO and other members of the senior management team, such as the CFO, COO and CRO.
If the company has pre-existing internal risk management functions, these should be involved in the assessment to discuss relevant risk management strategies, compliance obligations, etc.
Discussions progress to technical analysis and risk identification. This requires input from CIOs or CTOs and the Head of IT. The business’s core IT infrastructure, processes and workloads are identified.
Where present, the Lead Architect can inform cyber security professionals of IT architecture and data assets. The assessment progresses towards a deep dive into relevant systems.
IT engineers assist in the technical deep dive into technical controls in place, as well as system risk exposure and vulnerabilities. Different departments may have different IT teams or engineers responsible for specific functions.