How to perform an IT risk assessment (plus definition)

By Indeed Editorial Team

Published 14 November 2022

Organisations need to perform information technology risk assessments regularly and to a high standard. These assessments identify and evaluate threats that may harm an organisation's technological structure and compromise the security of its private data. Having a thorough understanding of what these risk assessments involve can help you protect your employer and effectively manage their cybersecurity. In this article, we explain what an IT risk assessment is, outline how to perform one and list some of its benefits.

What is an IT risk assessment?

An IT risk assessment is a process that identifies and evaluates both internal and external threats to an organisation's assets that are at risk of attempted cyberattacks. Traditionally, organisations perform these risk assessments to identify potential impacts on specific areas, including data confidentiality and availability. Then, they use these evaluations to determine the costs a cyberattack may cause. These risk assessments are useful for enabling organisations to specially tailor their data protection controls and cybersecurity efforts to these evaluated risks.

How to perform an information technology risk assessment

Here's a step-by-step guide on how to perform an effective information technology risk assessment:

1. Identify and prioritise assets

The first step involves identifying and prioritising the organisation's IT assets that need protecting. It's crucial that the identified assets aren't just valuable on a technical scale but also on a business-wide scale. To complete this step, it's often advantageous to collaborate with the organisation's management team. Some examples of common IT assets include:

  • confidential partner documents

  • servers

  • client and employee contact information

As there's typically a set budget for completing risk assessments, it's key to prioritise the most at-risk assets. To determine the significance of each IT asset, gather as much information as possible and consider the following:

  • hardware

  • software

  • users

  • purpose

  • security

  • interfaces

  • requirements

2. Determine potential threats

The next step is to identify the potential threats that may cause significant damage to your employer. It's key to note that these threats aren't simply limited to cyberattacks and hacking. There are many different threats to be aware of when creating your risk assessment. Here are some examples of potential threats to consider:

  • Hardware failure: Whether this is likely to be a potential threat to an organisation typically depends on the quality of that organisation's servers and whether they're relatively new. If the organisation uses fairly new equipment and modern technology, the chances of the hardware failing are lower, meaning it poses less of a threat to the organisation.

  • Natural disasters: These have the potential to severely damage an organisation's servers, data and appliances, so it's crucial to consider the best location to store the organisation's servers for optimal protection. If natural disasters are unlikely to impact this location, they pose less of a threat to the organisation.

  • Malicious behaviour: These threats include interception, interference and impersonation. Interception refers to data theft from an organisation. Interference is when someone actively damages an organisation by stealing servers or deleting vital data. Impersonation is the purposeful misuse of somebody else's professional credentials.

3. Consider vulnerable areas

Next, consider the vulnerable areas within the organisation that are likely to lead to potential threats. To do this, carry out an analysis that identifies these vulnerability areas, including producing a series of audit reports and completing automated scans that check for vulnerabilities in IT systems. When completing this step, be mindful of human and physical vulnerabilities, alongside software and technical weaknesses.

4. Analyse controls

Once you've considered the organisation's vulnerabilities, it's crucial to analyse the organisation's existing controls. Doing this, alongside planning new controls, plays a key role in helping to reduce threats and minimise vulnerable areas that may potentially impact an organisation. To complete this step, analyse the technical and non-technical controls and then determine whether they're effective at preventing threats to the organisation. Some of the technical controls to analyse include:

  • authentication and identification solutions

  • encryption

  • intrusion detection mechanisms

Some of the non-technical controls to analyse include:

  • environmental and physical mechanisms

  • cybersecurity policies

  • administrative actions

5. Determine the likelihood of an incident

The next step is to determine the likelihood of incidents by assessing the probability that a vulnerability is exploited. You can do this by labelling and organising potential threats and vulnerabilities into categories. For instance, you may categorise them as low, medium or high risk. While organising threats into categories is one of the most popular methods, some people prefer to use a numerical scale to judge the threat level.

6. Assess a threat's impact

Next, take these identified threats and vulnerable areas and assess the level of impact that these threats may have on the organisation. For example, if an identified threat includes the loss of confidential data, consider whether this threat impacts the organisation's ability to function. To analyse the impact that threats have on an organisation's assets, consider these factors:

  • how vulnerable the asset is to potential threats

  • the specific asset's value to the organisation

  • the asset's function and purpose

7. Prioritise security risks

This next step involves prioritising security risks, which requires you to determine the level of risk to the organisation's IT systems. To do this, look at your identified threats and all the information you've gathered so far to determine which threats might do the greatest level of damage to the organisation's overall IT infrastructure. You can prioritise these risks by considering the following with each IT asset:

  • the asset's cost, including the cost to fix it

  • whether the existing security controls can reduce the threat or completely eradicate it

  • the likelihood of the threat successfully exposing the organisation's vulnerabilities

8. Recommend controls and steps to take

The penultimate step in performing an information technology risk assessment involves recommending specific controls based on the guidelines for each risk level. Once you've determined the risk level of these specific threats, you can use this level to guide your next steps. Below are some of the common risk levels, including the recommended actions for organisations to take:

  • High risk: These threats require the immediate development of corrective measures and an efficient plan to combat them as soon as possible.

  • Medium risk: Medium-risk threats require a detailed plan for corrective measures, which the organisation then creates and implements within a reasonable period.

  • Low risk: These threats mean that corrective measures may not necessarily need implementing at all.

When evaluating the potential controls to introduce to help mitigate these risks, consider the following:

  • the controls' feasibility

  • the cost of implementing these controls

  • the controls' operational impact

  • the safety and reliability of these controls

9. Record the results

The final step in performing an effective information technology risk assessment is to create a risk assessment report that documents your findings and threat determinations. Typically, the organisation's management team receives this report and uses it to decide the funds to allocate to prevent any identified risks, the policies to introduce and the procedures to implement to combat these threats. To complete this step, include the following in your report:

  • the vulnerabilities related to the threat

  • the likelihood of the threat taking place

  • the assets most at risk from a particular threat

  • the threat's impact on the organisation's IT systems and infrastructure

  • the control recommendations to prevent and combat these threats
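
Steps 5 to 9 can be captured in a small risk register, shown here as an added example that is not part of the original article. The 1-3 scale, the control reduction values, the score thresholds and the sample entries are assumptions made for illustration; the article does not prescribe a formula.

```python
from dataclasses import dataclass

# Assumed 1-3 scale for the article's low/medium/high categories (step 5).
SCALE = {"low": 1, "medium": 2, "high": 3}
# Assumed effect of existing controls (steps 4 and 7): likelihood steps removed.
CONTROL_REDUCTION = {"none": 0, "partial": 1, "strong": 2}
# Recommended action per risk level, paraphrased from step 8.
ACTION = {
    "high": "develop corrective measures immediately",
    "medium": "plan corrective measures within a reasonable period",
    "low": "corrective measures may not be needed",
}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # rating before existing controls are considered
    asset_value: str  # used as the impact rating (step 6)
    controls: str     # key of CONTROL_REDUCTION

def assess(risk):
    """Score one risk as residual likelihood x impact, then map it to a level."""
    residual = max(1, SCALE[risk.likelihood] - CONTROL_REDUCTION[risk.controls])
    score = residual * SCALE[risk.asset_value]
    # Assumed thresholds on the 1-9 product: 6+ is high, 3-5 medium, else low.
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"asset": risk.asset, "threat": risk.threat,
            "vulnerability": risk.vulnerability, "residual_likelihood": residual,
            "score": score, "level": level, "recommendation": ACTION[level]}

def build_report(risks):
    """Step 9 report rows, highest score first (the step 7 prioritisation)."""
    return sorted((assess(r) for r in risks), key=lambda row: -row["score"])

# Constructed sample register; none of these entries come from the article.
SAMPLE_RISKS = [
    Risk("staff contact list", "impersonation", "shared credentials", "medium", "low", "strong"),
    Risk("partner documents", "natural disaster", "single on-site copy", "low", "high", "none"),
    Risk("customer database server", "interception", "unpatched software", "high", "high", "partial"),
    Risk("file server", "hardware failure", "ageing disks, no redundancy", "medium", "medium", "none"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_RISKS):
        print(f'{row["level"]:<6} {row["score"]}  {row["asset"]}: {row["recommendation"]}')
```

Recording the rating before controls and the control strength separately keeps the effect of each existing control visible when the register is reviewed.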

Information technology risk assessment benefits

Below are some of the main benefits to organisations of carrying out frequent information technology risk assessments:

  • identifying any weaknesses in an organisation's IT security

  • choosing the most appropriate and successful controls to prevent and mitigate risks

  • eliminating controls that aren't working without risking the organisation's IT security

  • complying with industry regulations more easily

  • preventing data breaches

  • prioritising the protection of an organisation's IT assets

  • considering and evaluating potential security partnerships for an organisation
