Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded
Knowing that a vulnerability exists is not the same as knowing how much it matters. A critical CVE in software that is air-gapped and never exposed to untrusted input is very different from the same CVE in a public-facing service. Assessing impact and likelihood for each identified risk lets you prioritize remediation based on actual exposure rather than headline severity scores.
Implementation steps
- 1. Define impact and likelihood scales
  Agree on a consistent scoring approach before you start assessing risks. A simple 5x5 matrix using the same five levels (high, medium-high, medium, medium-low, low) for both impact and likelihood is sufficient for most organizations. Define what each level means in concrete terms, for example: high impact means loss of more than X customers or more than $Y revenue; high likelihood means the threat is expected to occur more than once a year, based on how often it is observed across your industry. Without these definitions two assessors will score the same risk differently and the register cannot be compared over time.
  Suggested tools: Google Sheets, Confluence, Notion
- 2. Assess likelihood and impact for identified threats and vulnerabilities
  For each threat-vulnerability pair in your risk register, score the likelihood (how likely is exploitation in the next 12 months?) and the impact (if exploitation occurs, what is the realistic business impact?). Score inherent risk first, without crediting the controls already in place; if you also record residual risk, score it separately so the two are never conflated. Use threat intelligence, vulnerability scoring such as CVSS, asset criticality, and exposure (internet-facing or internal, authentication required or not) to inform each score; existing control effectiveness informs the residual score, not the inherent one. Record your reasoning for every score, since the rationale is part of the evidence.
  Suggested tools: Jira, Archer, ServiceNow, Google Sheets
- 3. Calculate inherent risk scores and update the risk register
  Combine the likelihood and impact scores using the matrix agreed in step 1 (for example, the product of the two 1-5 scores banded into the five rating levels) to get an inherent risk rating for each entry. Record these ratings in the risk register alongside the threat, vulnerability, affected assets, the two scores, and the rationale. The risk register is a living document: update it when threat intelligence changes, when new assets are added, or when controls are added or removed (the last changes residual risk rather than inherent risk, but the register should reflect both).
  Suggested tools: Jira, Archer, ServiceNow, Notion
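The three steps above, carried through on a small constructed register, as an added example (this is not code from the original page or from any GRC product). The level labels, the band thresholds over the likelihood × impact product, and the sample entries are all assumptions chosen for illustration; the point it demonstrates is the one made in the control description: the same CVSS 9.8 vulnerability scores "high" on an internet-facing portal and "low" on an air-gapped test rig once exposure is taken into account.

```python
"""Minimal risk register scorer: a 5x5 likelihood/impact matrix, an inherent
risk rating per entry, and a heat map. Labels, band thresholds and sample
entries are assumptions for this example; replace them with the definitions
from your own scoring methodology."""
from dataclasses import dataclass
from collections import Counter

# Step 1: one 1-5 scale reused for both likelihood and impact. The concrete
# meaning of each level (customers lost, revenue, events per year) lives in
# the methodology document; only the labels are modelled here.
LEVELS = {1: "low", 2: "medium-low", 3: "medium", 4: "medium-high", 5: "high"}

# Bands over the product likelihood * impact (1..25). Assumed thresholds:
# upper bound of each band, inclusive.
RATING_BANDS = [(3, "low"), (6, "medium-low"), (10, "medium"),
                (16, "medium-high"), (25, "high")]


def rating_for(score: int) -> str:
    """Map a product score (1-25) onto the five risk-rating labels."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} outside 1-25")


@dataclass
class RiskEntry:
    threat: str
    vulnerability: str
    asset: str
    likelihood: int   # 1-5, inherent: scored before crediting existing controls
    impact: int       # 1-5
    rationale: str    # why these scores; required, it is part of the evidence

    def __post_init__(self):
        # Step 2: reject scores off the agreed scale and entries with no rationale.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if value not in LEVELS:
                raise ValueError(f"{name} must be 1-5, got {value!r}")
        if not self.rationale.strip():
            raise ValueError("each entry must record its scoring rationale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Step 3: inherent rating from the matrix band.
        return rating_for(self.score)


def prioritise(register):
    """Order entries for remediation: highest inherent score first, impact as
    tie-breaker, so a rare-but-catastrophic risk outranks a frequent nuisance
    with the same product."""
    return sorted(register, key=lambda e: (e.score, e.impact), reverse=True)


def heat_map(register):
    """Count entries per (likelihood, impact) cell of the 5x5 matrix."""
    return Counter((e.likelihood, e.impact) for e in register)


# Constructed sample register (not real data). The first two rows carry the
# same vulnerability on assets with very different exposure.
SAMPLE_REGISTER = [
    RiskEntry("Remote attacker", "Unauthenticated RCE in web framework (CVSS 9.8)",
              "Public customer portal", likelihood=5, impact=5,
              rationale="Internet-facing, public exploit, holds customer PII"),
    RiskEntry("Remote attacker", "Unauthenticated RCE in web framework (CVSS 9.8)",
              "Air-gapped test rig", likelihood=1, impact=2,
              rationale="No network path from untrusted input; test data only"),
    RiskEntry("Malicious insider", "Shared admin credentials on build server",
              "CI pipeline", likelihood=3, impact=4,
              rationale="Credentials known to ~10 staff; server can sign releases"),
    RiskEntry("Phishing campaign", "No MFA on webmail",
              "Corporate e-mail", likelihood=4, impact=3,
              rationale="Several phishing attempts per month seen industry-wide"),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE_REGISTER):
        print(f"{e.rating:12} {e.score:2}  L={LEVELS[e.likelihood]:12} "
              f"I={LEVELS[e.impact]:12} {e.asset}: {e.rationale}")
    print("heat map cells:", dict(heat_map(SAMPLE_REGISTER)))
```

Run it and the portal entry sorts to the top as "high" (25) while the identical CVE on the test rig lands at the bottom as "low" (2); the two medium-high entries tie on score and are separated by impact. The heat map counter is the raw material for the "risk heat map derived from the scored register" listed under evidence.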
Evidence required
Risk register with impact and likelihood scores
A risk register containing threat-vulnerability pairs with assessed likelihood, impact, and resulting risk scores for each entry.
- Risk register spreadsheet with likelihood and impact columns and scoring rationale
- GRC platform risk entries showing scored and prioritized risks
- Risk heat map derived from the scored register
Risk scoring methodology
A documented methodology defining how impact and likelihood are measured, including what each level on the scale means.
- Risk management policy section defining the scoring matrix
- Risk assessment guide with worked examples of scoring decisions
- One-page risk scoring reference card used by the assessment team
Related controls
- Risk information is used to understand inherent risk and prioritize responses (Risk Assessment)
- Internal and external threats to the organization are identified and recorded (Risk Assessment)
- Vulnerabilities in assets are identified, validated, and recorded (Risk Assessment)
- Critical suppliers are assessed prior to acquisition (Risk Assessment)