Any organization that uses information technology should conduct cybersecurity risk assessments from time to time. Each organization, however, faces its own unique set of security risks, and needs to tailor its approach to addressing those specific risks within its risk management processes.

To get started you first need to identify all the IT assets your organization has, which might be subject to those risks. Then you can understand the losses you might incur should certain risk events happen, and implement prudent steps to keep those risks in check.

IT assets include servers, customer contact information, sensitive partner documents, trade secrets, and much more. Some assets are physical, such as computing devices; other assets are electronic, such as data or software. Not all assets are of equal value, either. Some are more costly than others, and some have higher risk exposure.

Each asset has different associated risks, and the importance (the “criticality”) of each asset varies as well. Your cybersecurity risk management plan will need to account for all those factors.

Creating an Asset Register for IT Risk Analysis

Risk assessments typically take one of two approaches. Most common is to start by compiling an inventory of your IT assets; the other method is to consider various scenarios or identified risks that can lead to a compromised asset or breach.

An asset-based risk assessment starts with an asset register or asset inventory: a document that specifies all the places where sensitive information is stored and the estimated value of the asset. So one of the first things an organization should do when performing a cybersecurity risk assessment is to identify those IT assets.

Creating an asset register helps to clarify what is valuable in your company and who is responsible for it. Without knowing what you have and who is in charge of protecting those assets, you will never fully understand the technology risks to your company.

First, generate the register itself: the list of hardware, software, devices, and databases that store sensitive information. To do this, consult with the asset owners. An “asset owner” is the person or entity responsible for controlling an information asset’s production, development, maintenance, use, and security.

The asset owners will be familiar with how information moves through their department. Involving them in the process will be quicker and less intrusive than having your implementation or compliance team go through the entire company.

It might be that asset owners aren’t sure what assets fall within their responsibility. In that case, recommend that they list all the software they use, the documents in their binders and file cabinets, the employees in the department, and the equipment in their office, among others. Assets might include:

  • Hardware: laptops, servers, printers, cell phones, USB sticks.
  • Software: purchased software and free software.
  • Information: electronic media, such as databases, PDF files, Word documents, Excel spreadsheets, and the like, as well as paper documents.
  • Infrastructure: offices, electricity, and air conditioning (the loss of these assets can cause information to be unavailable).
  • Outsourced services: Legal services, shipping services, online services (Dropbox, Gmail, and so forth). These aren’t assets in the purest sense of the word, but you control these services in the same way as assets, which is why they are often included in an asset inventory.

Identifying Risks to Your Listed Information Assets

When executing the risk assessment, identify the risks that these different types of assets might encounter. The purpose of an information security risk assessment is to help inform stakeholders and decision-makers about the risks they face, so they can consider and support proper risk responses. So think expansively about what risks might happen, and how.


With the increase in bring your own device (BYOD) policies, the hardware risks that affect companies also extend to employees’ personal equipment. At the same time, technology solutions are available to enforce removable media policies, limiting unauthorized extraction of information and malware infection.


The main risk of the software your company uses are its vulnerabilities, and the ease with which cybercriminals can exploit those vulnerabilities to infect your organization.

Vulnerability scanners can help here by highlighting vulnerable software and pending security updates. Constantly updating your tools, along with enforcing shadow IT and legacy software policies, significantly reduces cybersecurity risks.


No risk identification process can be complete without taking infrastructure risks into account. Physical access controls play a crucial role in mitigating unauthorized access to critical systems.

At the same time, natural disasters are specific threats that hinge upon local geographic factors. Business continuity and data security policies must be in place to prevent cyberattacks during these critical events.

Outsourced Services

Your organization may rely on various third-party services for its operations. This includes traditional vendors and cloud service providers for your information systems.

Your information security risk assessment should consider your suppliers’ risks and their data protection policies to determine their risk level. This activity allows your company to assess third-party risk and the cost-benefit of these services.

Human Resources

Human resources present risks that your company should assess, too. For example, phishing attacks are common cyber threats that depend heavily on the cybersecurity awareness of your employees. Malicious insiders may also exist, so put mechanisms in place to identify potentially dangerous behavior patterns and intercept them.

Manage and Mitigate Risks with Help from Reciprocity ROAR

Whether your organization has its own IT team to conduct an information security risk assessment or outsources the task, the Reciprocity ROAR platform can help make the process easier for you.

As part of the ROAR product suite, ZenRisk helps your organization implement, manage, and monitor your risk management framework. Prioritize tasks with automated workflows so everyone knows what to do and when to do it. Insightful reporting and dashboards visualize information making it easy to share with stakeholders.

On the compliance end, ZenComply is equipped with templates to help your organization streamline the complete lifecycle management of all your relevant cybersecurity risk management frameworks, including PCI-DSS, HIPAA, and more.

Contact us today for a free consultation and demo and start managing risk worry-free the Zen way!