Performing A Risk Assessment
Name
Assignment Name
Institution
Professor's Name
PERFORMING RISK ASSESSMENT 2
Risk assessment is the process of identifying factors that could cause harm to the
organization. NIST SP 800-30 provides the guidelines needed to conduct risk assessments of
federal information systems and organizations. ISO 27006 is an authorization standard used
to guide certification bodies on the official stages to be followed while performing an audit of the
Information Security Management System of their client before certifying or registering that they
The similarity between NIST SP 800-30 and ISO 27006 is that both of them offer
guidance to organizations on how to manage their information security. The difference is that the
provision of ISMS certification, while the main purpose of NIST SP 800-30 is the provision of
These standards offer guidance on how an organization can enhance its
processes by managing its risks; therefore, adoption of the standards by an organization will
minimize those risks (Dotsenko et al., 2019). Results from a risk assessment indicate which areas of the
information system are likely to be attacked, so a chief security officer can come up
with strategies to enhance the security posture of the organization, thus ensuring information and
Adopting a standardized approach to quantitative risk assessment makes it easier for an
organization to perform the risk assessment, since it only requires following a preset guideline. Using
the standardized approach will also be faster. According to Chang Lee (2014), the disadvantage
is that the organization will have to make adjustments while adapting to the new
guidelines.
when performing a qualitative risk assessment is that the organization will have clearer
information regarding potential hazards. The disadvantage is that this approach could be unsuited
potential factors that threaten an organization are identified in advance and strategies are put in place
to prevent their occurrence or minimize the damage. The similarity between NIST SP 800-30 and
ISO 27006 is that they both provide guidance. The difference, however, is in the intended purpose:
NIST SP 800-30 focuses on risk assessment, while ISO 27006 focuses on accrediting
certification bodies.
References
Chang Lee, M.-. (2014). Information Security Risk Analysis Methods and Research Trends:
AHP and Fuzzy Comprehensive Method. International Journal of Computer Science and
Dotsenko, S., Illiashenko, O., Kamenskyi, S., & Kharchenko, V. (2019). Integrated Model of
15408 and ISO/IEC 18045. Information & Security: An International Journal, 43 (3),
305–317. https://doi.org/10.11610/isij.4323
Eichenhofer, J. O., Heymann, E., Miller, B. P., & Kang, A. (2020). An In-Depth Security
128050–128067. https://doi.org/10.1109/access.2020.3008395
Trim, P., & Lee, Y. (2014). Cyber Security Management: A Governance, Risk and Compliance