How to perform an IT risk assessment

Performing an IT risk assessment lets you find and prioritise the vulnerabilities that matter most to your business, so that effort and budget go to the highest risks first. It will not remove every risk, but it keeps costs under control and makes auditing a lot easier, because you can show what you looked at, what you found and what you decided to do about it.

But how do you go about performing an IT risk assessment?

1. Prepare a plan of action

First of all, draw up an assessment checklist to help you review the risks your business faces. You should also set up an advisory committee that includes someone from every area of the business where risk could arise, not just IT.

2. Collect data

Make an inventory of every asset (hardware, software and the data they hold) that carries an element of risk, recording for each one its owner, what it is used for, its known weaknesses and the controls already in place. Pass this to the IT department; together with the checklist it forms the basis of the assessment, defining its scope, its purpose and who is responsible for what.

3. Look at key vulnerabilities

Using both automated and manual tools, perform a vulnerability assessment that documents your current security posture. Walking through realistic attack scenarios (for example, what an attacker could reach from a single compromised user laptop) helps to envision the possible consequences.

4. Carry out risk analysis

No defence is foolproof, so the aim here is to rank risks rather than to promise their removal. For each vulnerability, identify the threat that could exploit it and estimate both the probability of that happening and the magnitude of harm if it does, for instance from unauthorised access to systems or data. Combining likelihood and impact gives each risk a rating that determines how urgently it must be treated.

5. Start making recommendations

Compile a report of your recommendations and issue it to all relevant stakeholders. Include the findings from your analysis, the risk ratings and the proposed response strategy. Individual departments should also devise their own strategies to further reduce the risks in their area.

6. Develop risk mitigation plan

Each departmental strategy should include a risk mitigation plan, with a named owner for every action and a timeline to follow when implementing it. Once again, this should be sent to the IT department for review.

7. Sign-off from IT

If the mitigation plan is coherent and comprehensive (every significant risk has a treatment, an owner and a date), it can be approved and signed off by the IT department. Additions or revisions will often be necessary before that point.

8. Final implementation

Your final assessment policy should set out how risk is identified and controlled, and how the consequences of the risks that remain are to be reduced, since not every danger can be eliminated. Don't forget to cover third parties, such as insurance companies and suppliers, who may also be affected or who carry part of the risk.

9. Ongoing reviews and maintenance

Adopt a proactive approach to risk management and you'll always stay on top of this duty. Review risks periodically and whenever there is a significant change (new systems, new suppliers, a security incident), and keep your assessment policy up to date.
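As an added example (not code from the original article), the Python below carries steps 4 to 7 through in working code: a small risk register scores each asset/threat pair by likelihood times impact, applies the planned controls to get a residual score, ranks the register for the report, and then runs the sign-off check from step 7, flagging any risk at or above the risk appetite that has no treatment, no owner, a due date that is not in the future, or a residual score still too high. The five-point scales, the risk appetite threshold of 8, the assessment date and every register entry and control name are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Five-point qualitative scales, 1 = lowest, 5 = highest (assumed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

RISK_APPETITE = 8                       # assumed: scores at/above this need a signed-off treatment
ASSESSMENT_DATE = date(2025, 1, 15)     # assumed date on which the plan is reviewed


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0       # scale points the control removes from likelihood
    impact_reduction: int = 0           # scale points the control removes from impact


@dataclass
class Treatment:
    owner: str                          # department accountable for delivery (step 6)
    due: date                           # date by which the controls must be in place
    controls: list[Control] = field(default_factory=list)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: Treatment | None = None

    def inherent_score(self) -> int:
        """Likelihood x impact before any planned controls (step 4)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Likelihood x impact after the planned controls, floored at 1 on each axis."""
        l, i = LIKELIHOOD[self.likelihood], IMPACT[self.impact]
        for c in (self.treatment.controls if self.treatment else []):
            l -= c.likelihood_reduction
            i -= c.impact_reduction
        return max(l, 1) * max(i, 1)


def rating(score: int) -> str:
    """Map a 1-25 score onto the bands used in the report (step 5)."""
    if score >= 15:
        return "critical"
    if score >= RISK_APPETITE:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register: list[Risk]) -> list[Risk]:
    """Highest inherent risk first, so the report leads with what matters."""
    return sorted(register, key=lambda r: (-r.inherent_score(), r.asset))


def review_plan(register: list[Risk], today: date) -> list[str]:
    """Step 7 sign-off check: one finding per defect, empty list means the plan can be signed off."""
    findings = []
    for r in register:
        label = f"{r.asset} / {r.threat}"
        if r.inherent_score() < RISK_APPETITE:
            continue                                    # within appetite, accept as is
        if r.treatment is None:
            findings.append(f"{label}: {rating(r.inherent_score())} risk has no treatment")
            continue
        if not r.treatment.owner.strip():
            findings.append(f"{label}: treatment has no owner")
        if r.treatment.due <= today:
            findings.append(f"{label}: treatment due date {r.treatment.due} is not in the future")
        if r.residual_score() >= RISK_APPETITE:
            findings.append(f"{label}: residual score {r.residual_score()} still at or above appetite")
    return findings


# Constructed sample register; none of these are real findings.
REGISTER = [
    Risk("customer database server", "ransomware", "RDP exposed to the internet, unpatched",
         "likely", "severe",
         Treatment("IT Operations", date(2025, 3, 31), [
             Control("move RDP behind VPN with MFA", likelihood_reduction=2),
             Control("offline backups, restore tested quarterly", impact_reduction=2),
         ])),
    Risk("payroll laptop", "theft", "no full-disk encryption", "possible", "major",
         Treatment("", date(2025, 2, 28), [Control("enable full-disk encryption", impact_reduction=3)])),
    Risk("marketing website", "defacement", "outdated CMS plugin", "likely", "minor"),
    Risk("office printer", "misuse", "default admin password", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.inherent_score():2d} {rating(r.inherent_score()):8s} residual {r.residual_score():2d}  {r.asset}: {r.threat}")
    for f in review_plan(REGISTER, ASSESSMENT_DATE):
        print("SIGN-OFF BLOCKER:", f)
```

Run as is, the database server ranks first (20, critical) but passes review because its two controls bring the residual score down to 6; the laptop is blocked for having no owner and the website for having no treatment at all, while the printer sits below appetite and is accepted without one. Swapping the scales or the appetite value for your own methodology's changes only the two dictionaries and the constant at the top.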

