A cybersecurity risk assessment is the foundation of any mature security programme. It identifies what you need to protect, what threatens it, and how likely and impactful a breach would be - enabling you to allocate security resources where they matter most. This template is aligned with NIST SP 800-30 and ISO 27001 Annex A controls.
On this page
Step 1 - Define Scope & Build an Asset Inventory
Start narrow, expand later
Your first risk assessment doesn't need to cover everything. Scope to your most critical systems: customer data, payment processing, and core production infrastructure.
- 1
Define the assessment boundary
Agree with leadership which systems, processes, and locations are in scope. Document explicitly what is out of scope to avoid misunderstandings.
- 2
Build the asset inventory
List all assets: servers, endpoints, cloud services, SaaS tools, databases, network devices, and physical media. Include asset owner, data classification, and business criticality.
- 3
Classify data by sensitivity
Apply labels: Public, Internal, Confidential, Restricted. This determines the impact level if an asset is compromised.
Asset ID | Asset Name | Type | Owner | Data Class | Criticality | Location ---------|------------------|-------------|--------------|--------------|-------------|---------- A001 | Customer DB | Database | CTO | Restricted | Critical | AWS RDS A002 | Web App Server | Compute | Dev Lead | Confidential | High | AWS EC2 A003 | Finance System | SaaS App | CFO | Restricted | High | Cloud/SaaS A004 | Staff Laptops | Endpoint | IT Manager | Confidential | Medium | On-Premise A005 | CCTV System | IoT/Physical| Facilities | Internal | Low | On-Premise
Step 2 - Identify Threats & Vulnerabilities
| Asset Type | Common Threats | Common Vulnerabilities |
|---|---|---|
| Web Application | SQL injection, XSS, CSRF, credential stuffing | Unpatched CMS, weak auth, no WAF, exposed admin panels |
| Cloud Infrastructure | Misconfiguration exploits, S3 data exposure, privilege escalation | Public S3 buckets, over-permissive IAM, no MFA on root |
| Employee Endpoints | Phishing, ransomware, malware, insider threat | No EDR, unencrypted drives, unpatched OS, weak passwords |
| Third-Party SaaS | Supply chain attacks, data breaches at vendor | No SSO enforcement, excessive permissions granted |
| Network | Man-in-the-middle, lateral movement, DDoS | No network segmentation, unencrypted internal traffic, weak WiFi |
| People | Social engineering, phishing, vishing | No security awareness training, no MFA, no clear reporting process |
Web Application
- Common Threats
- SQL injection, XSS, CSRF, credential stuffing
- Common Vulnerabilities
- Unpatched CMS, weak auth, no WAF, exposed admin panels
Cloud Infrastructure
- Common Threats
- Misconfiguration exploits, S3 data exposure, privilege escalation
- Common Vulnerabilities
- Public S3 buckets, over-permissive IAM, no MFA on root
Employee Endpoints
- Common Threats
- Phishing, ransomware, malware, insider threat
- Common Vulnerabilities
- No EDR, unencrypted drives, unpatched OS, weak passwords
Third-Party SaaS
- Common Threats
- Supply chain attacks, data breaches at vendor
- Common Vulnerabilities
- No SSO enforcement, excessive permissions granted
Network
- Common Threats
- Man-in-the-middle, lateral movement, DDoS
- Common Vulnerabilities
- No network segmentation, unencrypted internal traffic, weak WiFi
People
- Common Threats
- Social engineering, phishing, vishing
- Common Vulnerabilities
- No security awareness training, no MFA, no clear reporting process
Threat Intelligence Resources
Use MITRE ATT&CK (attack.mitre.org) to map threats to tactics and techniques relevant to your industry. CISA's Known Exploited Vulnerabilities catalogue (cisa.gov/kev) lists actively exploited CVEs.
Step 3 - Score and Prioritise Risks
Risk is calculated as: Risk Score = Likelihood × Impact. Score each factor on a 1–5 scale. The resulting 1–25 score maps to a priority band.
| Score | Likelihood | Impact | Risk Band | Action Required |
|---|---|---|---|---|
| 20–25 | Very likely (5) | Critical / Catastrophic (4–5) | CRITICAL | Immediate executive escalation, emergency remediation |
| 12–19 | Likely (4) | Major (3–4) | HIGH | Remediate within 30 days, assign named owner |
| 6–11 | Possible (3) | Moderate (3) | MEDIUM | Address within 90 days, include in next sprint |
| 1–5 | Unlikely (1–2) | Minor (1–2) | LOW | Accept or address in annual review cycle |
20–25
- Likelihood
- Very likely (5)
- Impact
- Critical / Catastrophic (4–5)
- Risk Band
- CRITICAL
- Action Required
- Immediate executive escalation, emergency remediation
12–19
- Likelihood
- Likely (4)
- Impact
- Major (3–4)
- Risk Band
- HIGH
- Action Required
- Remediate within 30 days, assign named owner
6–11
- Likelihood
- Possible (3)
- Impact
- Moderate (3)
- Risk Band
- MEDIUM
- Action Required
- Address within 90 days, include in next sprint
1–5
- Likelihood
- Unlikely (1–2)
- Impact
- Minor (1–2)
- Risk Band
- LOW
- Action Required
- Accept or address in annual review cycle
Risk Register Template
Risk ID | Asset | Threat | Vulnerability | Likelihood | Impact | Risk Score | Band | Owner | Due Date | Status --------|-----------|----------------------------|-------------------------|------------|--------|------------|----------|----------|------------|---------- R001 | CustomerDB| SQL Injection | No parameterised queries | 4 | 5 | 20 | CRITICAL | Dev Lead | 2026-04-01 | In Progress R002 | All Emails| Phishing | No MFA on O365 | 5 | 3 | 15 | HIGH | IT Mgr | 2026-04-15 | Not Started R003 | Web App | Broken access control | No RBAC on admin routes | 3 | 4 | 12 | HIGH | Dev Lead | 2026-05-01 | Not Started R004 | Endpoints | Ransomware via USB | No USB blocking policy | 2 | 4 | 8 | MEDIUM | IT Mgr | 2026-06-01 | Accepted
Mitigation Strategies by Risk Category
| Risk Category | Technical Controls | Process Controls |
|---|---|---|
| Web App Vulnerabilities | WAF, SAST/DAST scanning, dependency updates (Snyk/Dependabot) | Secure code review process, developer security training |
| Identity & Access | MFA, PAM solution, SSO, regular access reviews | Joiners-movers-leavers process, annual access review |
| Ransomware/Malware | EDR (CrowdStrike/SentinelOne), immutable backups, network segmentation | Incident response plan, user awareness training |
| Cloud Misconfiguration | CSPM (Defender for Cloud, Wiz), IaC scanning (Checkov) | Cloud security baseline, Infrastructure as Code policy |
| Phishing | Email filtering (Defender/Proofpoint), DMARC/DKIM/SPF | Quarterly simulated phishing campaigns, reporting culture |
Web App Vulnerabilities
- Technical Controls
- WAF, SAST/DAST scanning, dependency updates (Snyk/Dependabot)
- Process Controls
- Secure code review process, developer security training
Identity & Access
- Technical Controls
- MFA, PAM solution, SSO, regular access reviews
- Process Controls
- Joiners-movers-leavers process, annual access review
Ransomware/Malware
- Technical Controls
- EDR (CrowdStrike/SentinelOne), immutable backups, network segmentation
- Process Controls
- Incident response plan, user awareness training
Cloud Misconfiguration
- Technical Controls
- CSPM (Defender for Cloud, Wiz), IaC scanning (Checkov)
- Process Controls
- Cloud security baseline, Infrastructure as Code policy
Phishing
- Technical Controls
- Email filtering (Defender/Proofpoint), DMARC/DKIM/SPF
- Process Controls
- Quarterly simulated phishing campaigns, reporting culture
Compliance Framework Mapping
- ISO 27001:2022 - Clause 6.1.2 requires a formal information security risk assessment process. This template satisfies that requirement.
- NIST CSF 2.0 - Risk assessment maps to the "Identify" function (ID.RA controls). Mitigation maps to "Protect" and "Detect".
- Cyber Essentials / Cyber Essentials Plus - UK certification requires mitigating the most common internet-based threats. Use HIGH/CRITICAL risks as your baseline scope.
- ISO 27001 Annex A - Map each risk to relevant controls. A001 (malware) → A.8.7; A003 (access control) → A.8.2–A.8.4.
- GDPR Article 32 - Requires implementing "appropriate technical and organisational measures" for personal data security. A risk register is strong evidence of compliance.
- SOC 2 Type II - CC3.1 requires entity-level risk assessment. This document supports that control.
What’s next?