What Is a Security Risk Assessment (SRA)? Definition, Steps & Examples
A Security Risk Assessment (SRA) is a structured process for discovering what you must protect, what could go wrong, how likely it is, and what to do about it. It connects cyber threats to business impact so you can prioritize investments, reduce exposure, and demonstrate due diligence.
A well-run SRA produces an asset inventory, targeted vulnerability analysis, a prioritized risk register with risk mitigation strategies, and a roadmap for security control implementation and continuous monitoring. The sections below walk you through the core steps with practical examples.
Identify and Map Assets
Start by building a complete asset inventory. Catalog hardware, software, data, people, facilities, third parties, and cloud services. For each asset, record owner, location, data sensitivity, business criticality, and dependencies.
Map how data moves between assets. Simple system context and data flow diagrams reveal trust boundaries, integration points, and single points of failure you might otherwise miss.
- What to include: endpoints, servers, SaaS apps, containers, OT/IoT, credentials, APIs, backups, and key business processes.
- How to prioritize: tag assets that process sensitive data (PII, PHI, CUI), have high availability needs, or underpin revenue and safety.
Example: You map a payroll SaaS that receives employee SSNs from an HR system via an integration platform. The flow shows a neglected admin account on the connector; this becomes a candidate risk.
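The inventory and data-flow map above can be kept as structured data rather than a drawing, which lets you query it for the things the text says a map reveals: trust-boundary crossings, unowned assets and single points of failure. The Python below is an added example and is not code from the original article; the assets, the trust-zone names (`internal`, `integration`, `vendor`) and the flows are constructed to mirror the payroll scenario, and the "no owner recorded" condition is the author's proxy for a neglected asset.

```python
"""Asset inventory and data-flow map for the identify-and-map step.

Added example; not code from the original article. Assets, trust zones,
flows and the missing-owner condition are constructed to mirror the
article's payroll scenario; the zone names are an assumption, not a schema.
"""
from dataclasses import dataclass
from typing import List, Optional

SENSITIVE = {"PII", "PHI", "CUI"}   # data classes that deserve extra scrutiny


@dataclass
class Asset:
    name: str
    zone: str                    # trust zone (constructed: internal, integration, vendor)
    sensitivity: str             # highest data class the asset processes
    criticality: str             # business criticality: low / medium / high
    owner: Optional[str] = None  # None models an asset nobody is accountable for


@dataclass
class Flow:
    src: str
    dst: str
    data: str                    # data class carried by this flow


# Constructed inventory: HR system -> integration connector -> payroll SaaS
ASSETS = [
    Asset("hr-system", "internal", "PII", "high", owner="HR Ops"),
    Asset("integration-connector", "integration", "PII", "high"),   # no owner recorded
    Asset("payroll-saas", "vendor", "PII", "high", owner="Finance"),
    Asset("intranet-wiki", "internal", "internal", "low", owner="IT"),
]
FLOWS = [
    Flow("hr-system", "integration-connector", "PII"),
    Flow("integration-connector", "payroll-saas", "PII"),
    Flow("hr-system", "intranet-wiki", "internal"),
]


def boundary_crossings(assets: List[Asset], flows: List[Flow]) -> List[Flow]:
    """Flows that carry sensitive data between different trust zones."""
    zone = {a.name: a.zone for a in assets}
    return [f for f in flows if f.data in SENSITIVE and zone[f.src] != zone[f.dst]]


def unowned_sensitive(assets: List[Asset]) -> List[str]:
    """Sensitive assets with no accountable owner: a frequent SRA finding."""
    return [a.name for a in assets if a.sensitivity in SENSITIVE and a.owner is None]


def _reaches(flows: List[Flow], source: str, sink: str, excluded: Optional[str]) -> bool:
    """Depth-first search over flows, optionally pretending one asset is gone."""
    adjacency = {}
    for f in flows:
        if excluded in (f.src, f.dst):
            continue
        adjacency.setdefault(f.src, []).append(f.dst)
    seen, stack = set(), [source]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adjacency.get(node, []))
    return sink in seen


def single_points_of_failure(assets: List[Asset], flows: List[Flow],
                             source: str, sink: str) -> List[str]:
    """Intermediate assets whose loss would sever every path from source to sink."""
    if not _reaches(flows, source, sink, None):
        return []
    candidates = {a.name for a in assets} - {source, sink}
    return sorted(n for n in candidates if not _reaches(flows, source, sink, n))


if __name__ == "__main__":
    for f in boundary_crossings(ASSETS, FLOWS):
        print(f"boundary crossing: {f.src} -> {f.dst} ({f.data})")
    print("unowned sensitive assets:", unowned_sensitive(ASSETS))
    print("single points of failure:",
          single_points_of_failure(ASSETS, FLOWS, "hr-system", "payroll-saas"))
```

Run against the constructed data, the connector shows up in all three queries: both PII flows cross a trust boundary through it, it has no owner, and removing it cuts the only path from the HR system to payroll. Each of those is a line in the risk register, not just a box on a diagram.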
Identify Threats and Vulnerabilities
Threats are potential adverse events; vulnerabilities are weaknesses that make threats more likely or more damaging. Use vulnerability analysis to uncover misconfigurations, missing patches, exposed services, weak authentication, and risky processes.
Consider multiple threat sources: cybercriminals, insiders, supply chain compromises, physical hazards, and process failures. Combine automated scanning with manual reviews and threat modeling workshops.
- Common threats: phishing-led credential theft, ransomware, web app exploitation, API abuse, data exfiltration, vendor compromise.
- Common vulnerabilities: unpatched software, default credentials, excessive permissions, flat networks, weak logging, shadow IT.
Example: A scan finds outdated VPN firmware (known remote exploit) and overly permissive S3 buckets. Both map to data theft and outage scenarios.
Assess and Analyze Risks
For each scenario, estimate likelihood and impact, then rate overall risk (qualitatively or as a score). Consider inherent risk (before controls) and residual risk (after existing controls). Align decisions with your risk appetite.
Document results in a risk register: scenario, affected assets, causes, existing controls, likelihood, impact, residual rating, owner, due date, and treatment plan. This keeps stakeholders aligned and accountable.
- Example 1: Ransomware on file servers—likelihood: medium; impact: very high (operations halted). Residual risk: high due to weak segmentation and stale backups.
- Example 2: Credential stuffing on a customer portal—likelihood: high; impact: medium; residual risk: medium because MFA is missing for a subset of users.
- Example 3: Insider data leakage via misconfigured sharing—likelihood: low; impact: high; residual risk: medium; monitoring gaps identified.
Implement Security Controls
Select risk treatment: avoid (stop the risky activity), mitigate (reduce likelihood/impact), transfer (e.g., insurance), or accept (with justification). Plan security control implementation that ties directly to prioritized risks and business outcomes.
Combine administrative, technical, and physical safeguards. The CIS Top 18 controls offer a pragmatic baseline you can phase in by Implementation Groups to match your capacity and risk profile.
- Quick wins: enforce MFA, harden email filtering, patch high-CVSS issues, disable unused services, restrict admin rights, and verify offline, immutable backups.
- Defense-in-depth: network segmentation, EDR with containment, application allowlisting, secrets management, encryption at rest and in transit, least privilege with regular access reviews.
- Process controls: secure change management, incident playbooks, vendor risk reviews, and security training tailored to common attack paths.
Example: To mitigate ransomware risk, you deploy MFA, EDR auto-isolation, 3-2-1 backups with routine restore tests, and tighten SMB exposure through segmentation—measurably lowering both likelihood and impact.
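The register described under "Assess and Analyze Risks" and the treatment selection described in this section are easier to keep honest when the scoring is written down as code. The Python below is an added example and not code from the original article: it scores the article's three scenarios (inherent and residual), flags those above appetite, and ranks candidate ransomware treatments by score reduction per unit cost. The 5-point scales, rating bands, appetite threshold, each control's "levels removed" estimate and the annual costs are all constructed assumptions; your SRA's risk criteria replace them.

```python
"""Risk register scoring and treatment ranking for an SRA.

Added example, not code from the original article. Scales, rating bands,
the appetite threshold, control effect estimates and costs are constructed
assumptions used to work the article's three example scenarios.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed ordinal scale; a real SRA defines these bands in its risk criteria.
LEVEL = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
APPETITE = 6  # constructed: residual scores above this need a treatment plan


def rating(score: int) -> str:
    """Band a likelihood x impact product (1..25) into low / medium / high."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # levels removed from likelihood (assumed estimate)
    impact_reduction: int = 0       # levels removed from impact (assumed estimate)
    annual_cost: int = 0            # constructed cost, used only to rank candidates


@dataclass
class RiskScenario:
    scenario: str
    assets: List[str]
    owner: str
    likelihood: str
    impact: str
    existing_controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Likelihood x impact before any control is credited."""
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    def score_with(self, controls: List[Control]) -> int:
        """Score after crediting a set of controls; levels floor at 1."""
        lk = max(1, LEVEL[self.likelihood] - sum(c.likelihood_reduction for c in controls))
        im = max(1, LEVEL[self.impact] - sum(c.impact_reduction for c in controls))
        return lk * im

    def residual_score(self) -> int:
        """Score after the controls that exist today."""
        return self.score_with(self.existing_controls)


# The article's three scenarios, with constructed assets, owners and existing controls
REGISTER = [
    RiskScenario("Ransomware on file servers", ["file-srv-01", "file-srv-02"], "IT Ops",
                 "medium", "very high", [Control("Legacy AV")]),
    RiskScenario("Credential stuffing on customer portal", ["portal-web"], "AppSec",
                 "high", "medium", [Control("MFA (partial rollout)", likelihood_reduction=1)]),
    RiskScenario("Insider leakage via misconfigured sharing", ["sharepoint"], "Data Gov",
                 "low", "high"),
]

# Constructed candidate mitigations for the ransomware scenario
RANSOMWARE_CANDIDATES = [
    Control("EDR with auto-isolation", likelihood_reduction=1, impact_reduction=1, annual_cost=40000),
    Control("Immutable 3-2-1 backups with restore tests", impact_reduction=2, annual_cost=20000),
    Control("Network segmentation of SMB", impact_reduction=1, annual_cost=30000),
]


def above_appetite(register: List[RiskScenario]) -> List[RiskScenario]:
    """Scenarios whose residual score exceeds appetite, highest first."""
    hot = [r for r in register if r.residual_score() > APPETITE]
    return sorted(hot, key=lambda r: r.residual_score(), reverse=True)


def rank_treatments(scenario: RiskScenario, candidates: List[Control]) -> List[Tuple[str, int, float]]:
    """Order candidates by residual-score reduction per 10k of annual cost."""
    base = scenario.residual_score()
    rows = []
    for c in candidates:
        reduction = base - scenario.score_with(scenario.existing_controls + [c])
        rows.append((c.name, reduction, round(reduction * 10000 / c.annual_cost, 2)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.scenario}: inherent {r.inherent_score()} ({rating(r.inherent_score())}), "
              f"residual {r.residual_score()} ({rating(r.residual_score())}), owner {r.owner}")
    print("above appetite:", [r.scenario for r in above_appetite(REGISTER)])
    print("ransomware treatments:", rank_treatments(REGISTER[0], RANSOMWARE_CANDIDATES))
```

With these assumptions the ransomware scenario stays high after crediting legacy AV (15 of 25), credential stuffing drops from 12 to 9 because MFA covers only part of the user base, and immutable backups rank ahead of EDR on reduction per dollar even though EDR removes more score in absolute terms. The ranking is only as good as the reduction estimates, so record where each estimate came from in the register alongside the owner and due date.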
Monitor and Review
Embed continuous monitoring to ensure controls work and new risks are caught early. Track leading indicators (patch latency, phishing click rate, critical findings age) and lagging indicators (MTTD/MTTR, incident counts, loss events).
Automate where possible: vulnerability scans, configuration drift checks, log analytics, attack surface monitoring, and control validation. Calibrate alerts to business context to reduce fatigue.
- Cadence: monthly vulnerability management reviews, quarterly control effectiveness checks, and an annual SRA refresh—or after major changes like mergers, new SaaS, or regulatory updates.
- Feedback loop: update the risk register, retire low-value controls, and reinvest in the ones that move your KPIs/KRIs in the right direction.
Example: You set a policy that critical vulnerabilities on internet-facing assets must be fixed within 7 days; exceptions require documented acceptance and compensating controls.
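The 7-day policy above and the leading and lagging indicators named earlier in this section can be computed directly from a scanner export. The Python below is an added example, not code from the original article; the findings, the asset exposure tags, the reporting date and the exception text (including the placeholder acceptance reference) are constructed, and the field names are assumptions to adapt to whatever your scanner actually emits.

```python
"""Continuous-monitoring KPIs from a vulnerability findings export.

Added example, not code from the original article. Findings, exposure tags,
the as-of date and the exception text are constructed; the 7-day rule for
critical findings on internet-facing assets is the article's example policy.
"""
from datetime import date
from statistics import median
from typing import Dict, List, Optional

CRITICAL_INTERNET_SLA_DAYS = 7   # article's policy: critical + internet-facing within 7 days
AS_OF = date(2024, 6, 15)        # constructed reporting date, fixed so results are reproducible


def finding(fid: str, asset: str, exposure: str, severity: str, found: date,
            fixed: Optional[date] = None, exception: Optional[str] = None) -> Dict:
    """One row of the (assumed) scanner export."""
    return {"id": fid, "asset": asset, "exposure": exposure, "severity": severity,
            "found": found, "fixed": fixed, "exception": exception}


# Constructed export; ages are measured against AS_OF
FINDINGS = [
    finding("F-1", "vpn-gw", "internet", "critical", date(2024, 6, 1), fixed=date(2024, 6, 5)),
    finding("F-2", "web-01", "internet", "critical", date(2024, 6, 3)),       # open 12 days
    finding("F-3", "web-02", "internet", "critical", date(2024, 6, 10)),      # open 5 days
    finding("F-4", "legacy-app", "internet", "critical", date(2024, 5, 20),
            exception="RA-0042 (placeholder ref): accepted 2024-05-28, WAF rule as compensating control"),
    finding("F-5", "db-01", "internal", "critical", date(2024, 6, 1)),        # outside the 7-day policy
    finding("F-6", "mail-gw", "internet", "critical", date(2024, 5, 25), fixed=date(2024, 6, 8)),
]


def in_scope(f: Dict) -> bool:
    """The policy applies to critical findings on internet-facing assets only."""
    return f["severity"] == "critical" and f["exposure"] == "internet"


def age_days(f: Dict, as_of: date = AS_OF) -> int:
    """Days from discovery to fix, or to the reporting date while still open."""
    return ((f["fixed"] or as_of) - f["found"]).days


def sla_breaches(findings: List[Dict], as_of: date = AS_OF) -> List[str]:
    """Open in-scope findings past SLA with no documented acceptance: these page someone."""
    return [f["id"] for f in findings
            if in_scope(f) and f["fixed"] is None and f["exception"] is None
            and age_days(f, as_of) > CRITICAL_INTERNET_SLA_DAYS]


def accepted_past_sla(findings: List[Dict], as_of: date = AS_OF) -> List[str]:
    """Open in-scope findings past SLA that carry a documented exception: review, don't page."""
    return [f["id"] for f in findings
            if in_scope(f) and f["fixed"] is None and f["exception"] is not None
            and age_days(f, as_of) > CRITICAL_INTERNET_SLA_DAYS]


def patch_latency_median(findings: List[Dict]) -> float:
    """Lagging indicator: median days to fix closed in-scope findings."""
    closed = [age_days(f) for f in findings if in_scope(f) and f["fixed"] is not None]
    return float(median(closed)) if closed else 0.0


def on_time_fix_rate(findings: List[Dict]) -> float:
    """Share of closed in-scope findings fixed within SLA."""
    closed = [f for f in findings if in_scope(f) and f["fixed"] is not None]
    if not closed:
        return 1.0
    return sum(age_days(f) <= CRITICAL_INTERNET_SLA_DAYS for f in closed) / len(closed)


def oldest_open_age(findings: List[Dict], as_of: date = AS_OF) -> int:
    """Leading indicator: age of the oldest open, unaccepted in-scope finding."""
    ages = [age_days(f, as_of) for f in findings
            if in_scope(f) and f["fixed"] is None and f["exception"] is None]
    return max(ages, default=0)


if __name__ == "__main__":
    print("SLA breaches:", sla_breaches(FINDINGS))
    print("accepted past SLA:", accepted_past_sla(FINDINGS))
    print("median patch latency (days):", patch_latency_median(FINDINGS))
    print("on-time fix rate:", on_time_fix_rate(FINDINGS))
    print("oldest open unaccepted (days):", oldest_open_age(FINDINGS))
```

Separating `sla_breaches` from `accepted_past_sla` is the point: a finding covered by a documented acceptance with compensating controls is a governance item for the next review, not an alert, which is what "calibrate alerts to business context" looks like in practice. The internal database finding is deliberately excluded because the policy as written is scoped to internet-facing assets; if that is not what you intended, widen `in_scope` rather than the alert logic.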
Review Security Risk Assessment Frameworks
CIS Top 18 controls
A prioritized set of safeguards designed for broad applicability and quick risk reduction. It emphasizes asset discovery, secure configuration, vulnerability management, controlled use of admin privileges, logging, and incident response. Use it to structure near-term improvements and measure operational hygiene.
ISO 27001 standard
A risk-based Information Security Management System (ISMS). It formalizes governance, roles, policies, and continual improvement. Expect deliverables such as a Statement of Applicability, risk treatment plan, internal audits, and management reviews—ideal when you need certification to prove maturity to customers and regulators.
NIST 800-171 framework
Requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems. It centers on documented controls, a System Security Plan (SSP), and a Plan of Action and Milestones (POA&M). If you handle CUI, map SRA findings to 800-171 requirements to close compliance gaps efficiently.
Apply Industry Standards
Use your SRA to choose the right combination of standards. Many teams adopt the CIS Top 18 controls for fast, measurable hardening, then align the ISMS under the ISO 27001 standard, and apply the NIST 800-171 framework where contractually required.
- Start: baseline with CIS Top 18 controls tied to your top five risks; publish a 90-day hardening plan.
- Formalize: stand up ISO 27001 governance, define risk criteria, produce a Statement of Applicability, and link risks to control objectives.
- Comply: for CUI, maintain an SSP and POA&M that reference your risk register; show progress through evidence and metrics.
- Operate: integrate continuous monitoring so control health and residual risk are visible to leadership every month.
Key takeaways
- An effective SRA ties asset inventory, vulnerability analysis, and business impact into actionable risk mitigation strategies.
- Security control implementation should be prioritized, measurable, and mapped to recognized frameworks.
- Continuous monitoring is essential to keep residual risk within appetite as your environment and threats evolve.
FAQs
What is the purpose of a Security Risk Assessment?
To identify and prioritize the risks that matter most, then guide cost-effective controls that reduce likelihood and impact. An SRA creates transparency for leadership, informs budgets, and documents due diligence for customers and regulators.
How often should a Security Risk Assessment be conducted?
At least annually, with interim updates after significant changes—such as new systems, major incidents, mergers, or regulatory shifts. High-velocity environments benefit from quarterly light-touch refreshes anchored by continuous monitoring data.
What are common frameworks used in Security Risk Assessments?
Teams most often use the CIS Top 18 controls for operational hardening, the ISO 27001 standard for an ISMS and governance, and the NIST 800-171 framework when protecting CUI. Many organizations map across these to reduce duplication and close gaps faster.
How do you prioritize risks in an SRA?
Rate each scenario by likelihood and impact, consider inherent versus residual risk, and compare against your risk appetite. Then sort by business-critical assets and regulatory exposure, assign owners and deadlines, and fund the controls that deliver the largest risk reduction per dollar.
Ready to assess your HIPAA security risks?
Join thousands of organizations that use Accountable to identify and fix their security gaps.
Take the Free Risk Assessment