Risk Assessment: NIST 800-30 vs ISO/IEC 27005

Security risk assessment is one of the key phases of the risk management process. It covers identifying risks, estimating their impact on the organization, and determining their sources. Organizations use a risk assessment to establish the extent of the threats, vulnerabilities, and resulting risks associated with an information technology system, which in turn makes it possible to design mitigation measures that are proportionate to those risks. Continuous improvement of the risk management plan is an investment in protecting the organization's reputation, money, and time.


LIFARS Gap Assessment Solution is designed to ascertain your current information security, risk, and compliance status. We help you reach security maturity through a strategy, structure, governance, and operations management plan.


Risk Assessment Standards

NIST SP 800-30 and ISO/IEC 27005 are the leading publications describing best practice for conducting an information security risk assessment. What is important to realize is that neither prescribes a specific method; both specify a recommended process to follow and leave the choice of techniques (qualitative, semi-quantitative, or quantitative) to the organization. By adopting one of them, an organization aligns its risk management methodology with recognized practice and makes its results easier to defend to auditors and management.

Risk Assessment According to NIST SP 800-30

The National Institute of Standards and Technology (NIST) provides its guidance in NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments. Although written for U.S. federal information systems, it is customizable to the needs of any organization. In general, it addresses potential adverse impacts to organizational operations and assets, individuals, other organizations, and the economic and national security interests of the United States.

As stated in the document, risk assessment can be performed at all three tiers in the risk management hierarchy:

  • Organization level
  • Mission/business process level
  • Information system level

Additionally, the risk assessment process according to NIST 800-30 has four main steps:

Preparing for the Risk Assessment

The aim of this step is to establish the context of the risk assessment, which follows from the risk framing step of the risk management process. It includes detailed planning around the following key activities:

  • Determine the purpose of the assessment.
  • Determine the scope of the assessment.
  • Identify the assumptions and constraints that affect the assessment.
  • Identify assessment inputs, such as sources of threat, vulnerability, and impact information.
  • Identify the risk model, assessment approach, and analysis approach to be used in the risk assessment.

Conducting the Risk Assessment

Based on the results of the previous step, the goal of this phase is to produce a list of information security risks. Accomplishing this requires the following activities:

  • Identify threat sources relevant to the organization and the threat events those sources could produce.
  • Identify vulnerabilities and predisposing conditions in information systems and their environments of operation, and the likelihood that threat events will exploit them.
  • Determine the adverse impacts that the resulting scenarios would have on organizational operations, assets, and individuals.
  • Finally, determine the information security risks. Each risk is a combination of the likelihood that a threat event exploits a vulnerability and the impact if it does; in a qualitative assessment the risk level is read from a matrix of likelihood level against impact level for each risk scenario.
  • Overall, the outcome of the risk assessment is expected to cover the entire threat space adequately, in accordance with the definitions, guidance, and direction established during preparation.
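As an added example (not code from NIST or from the original page), the following Python sketch carries out the last two bullets: it combines an assessed likelihood level with an assessed impact level through a lookup matrix, ranks the resulting scenarios, and checks that every threat source in the assessment's catalogue is covered by at least one scenario. The matrix follows the shape of the qualitative likelihood-by-impact table in NIST SP 800-30 Appendix I, but the cell values here are an assumption to be checked against the published table, and the scenarios are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Five-point qualitative scale used for likelihood, impact and risk."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


# Rows: overall likelihood of the threat event. Columns: level of impact
# (VERY_LOW .. VERY_HIGH). Cell: resulting risk level. Assumption: modeled on
# the NIST SP 800-30 Appendix I qualitative matrix; verify against the table.
RISK_MATRIX = {
    Level.VERY_HIGH: [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.HIGH:      [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.HIGH, Level.VERY_HIGH],
    Level.MODERATE:  [Level.VERY_LOW, Level.LOW, Level.MODERATE, Level.MODERATE, Level.HIGH],
    Level.LOW:       [Level.VERY_LOW, Level.LOW, Level.LOW, Level.LOW, Level.MODERATE],
    Level.VERY_LOW:  [Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW, Level.LOW],
}


@dataclass(frozen=True)
class RiskScenario:
    threat_source: str   # who/what initiates the event (adversarial, accidental, structural, environmental)
    threat_event: str    # what the source does
    vulnerability: str   # the weakness or predisposing condition that lets it succeed
    likelihood: Level    # overall likelihood that the event occurs and causes adverse impact
    impact: Level        # level of impact if it does


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Combine likelihood and impact into a risk level via the matrix."""
    return RISK_MATRIX[likelihood][impact]


def assess(scenarios):
    """Return (scenario, risk level) pairs, highest risk first."""
    rated = [(s, risk_level(s.likelihood, s.impact)) for s in scenarios]
    rated.sort(key=lambda pair: pair[1], reverse=True)
    return rated


def uncovered_threat_sources(catalogue, scenarios):
    """Threat sources listed during preparation that no scenario addresses.

    A non-empty result means the assessment does not yet cover the threat space
    it was scoped to cover.
    """
    covered = {s.threat_source for s in scenarios}
    return sorted(set(catalogue) - covered)


# Constructed sample data (not from the page).
THREAT_SOURCE_CATALOGUE = ["External attacker", "Administrator", "Storage hardware", "Regional power grid"]

SCENARIOS = [
    RiskScenario("External attacker", "Phishing leads to credential theft",
                 "No MFA on remote-access VPN", Level.HIGH, Level.HIGH),
    RiskScenario("Administrator", "Misconfiguration exposes object-storage bucket",
                 "No peer review of infrastructure changes", Level.MODERATE, Level.VERY_HIGH),
    RiskScenario("Storage hardware", "Disk failure on file server",
                 "No redundant disks", Level.MODERATE, Level.LOW),
]


if __name__ == "__main__":
    for scenario, level in assess(SCENARIOS):
        print(f"{level.name:9} {scenario.threat_source}: {scenario.threat_event}")
    print("Uncovered threat sources:", uncovered_threat_sources(THREAT_SOURCE_CATALOGUE, SCENARIOS))
```

Note that the coverage check is as important as the scoring: a risk register that rates every listed scenario correctly but silently omits a whole class of threat source (here, the environmental one) does not satisfy the "entire threat space" expectation above.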

Communicating and Sharing Risk Assessment Information

This step processes the results of the previous two phases and presents them to the people who need them. Decision-makers across the organization must have appropriate risk-related information in order to make sound risk decisions. At this stage it is therefore necessary to determine:

  • How the results of the risk assessment are to be communicated, and
  • How they are to be shared, consistent with organizational policies.

Maintaining the Risk Assessment

The last phase of the process is maintenance. A risk assessment is not a one-time deliverable: the risk factors it identified must be monitored and periodically re-evaluated, and newly emerging risk factors must be added, so that the organization's protection keeps pace with changes in its systems and threat environment.

Risk Assessment According to ISO/IEC 27005

ISO is an independent, non-governmental international organization for standardization, and it publishes ISO/IEC 27005 jointly with the IEC. ISO/IEC 27005:2018 is widely used by organizations implementing information security risk management; it covers technology, people, and processes in the risk assessment, and it supports the general concepts specified in ISO/IEC 27001. Overall it is designed to support the implementation of risk-based information security, and it can be applied in any type of organization, including commercial enterprises, government agencies, and non-profit organizations.

Compared with NIST SP 800-30, ISO/IEC 27005 is built to conform with the general risk management principles of ISO 31000. The document does not adopt a one-size-fits-all approach; it provides a detailed yet flexible structure that each organization adapts to its own requirements.

The risk management process according to ISO 27005 has six phases:

  • Context establishment
  • Risk assessment
  • Risk treatment
  • Risk acceptance
  • Risk communication and consultation
  • Risk monitoring and review

The risk assessment phase consists of systematically identifying, analyzing, evaluating, and prioritizing information security risks, in accordance with the risk criteria and objectives established for the organization during context establishment.

Risk identification

The essence of this part is to state what could cause a potential loss for the organization. The following must be identified:

  • Assets: the primary assets (business processes and information) and the supporting assets on which they depend (hardware, software, networks, personnel, sites, and organizational structure). The output is a list of assets for which risk management is required, together with the business processes that rely on them and their importance.
  • Threats and vulnerabilities applicable to each asset, including weaknesses in technology, people, processes, and information system configuration.
  • Existing and planned controls. Once identified, each control should be checked to confirm it actually works; this avoids duplicating controls that already exist and exposes controls that are ineffective.
  • Consequences, which may mean a loss of confidentiality, integrity, or availability of the asset. The output of this step is a list of incident scenarios with their consequences for assets and business processes.

Risk analysis

The document divides this part into three sub-activities: choosing the risk analysis methodology, assessing the consequences of each incident scenario, and assessing the likelihood of each incident, from which the level of risk is determined. The result is the list of incident scenarios with their consequences and likelihood. Depending on the chosen methodology, the values assigned to likelihood and consequence may be qualitative (for example, low/medium/high) or quantitative (for example, an expected financial loss).

Risk evaluation

The last part of the risk assessment according to ISO/IEC 27005 is risk evaluation. The risk levels produced by the analysis are compared against the risk evaluation criteria and risk acceptance criteria defined during context establishment, and the risks are prioritized accordingly. A criterion that is not important to the organization will therefore rank the risks it applies to correspondingly low, while risks that fall below the acceptance criteria may be accepted without treatment. The importance of the affected assets and business processes should also be considered in this phase, since it determines how much a given consequence matters.
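As an added example (not code from ISO or from the original page), the following Python sketch ties the three ISO/IEC 27005 sub-phases together on constructed sample data: risk identification produces valued assets, incident scenarios, and existing controls; risk analysis turns them into a semi-quantitative level of risk; and risk evaluation ranks the scenarios against an acceptance threshold taken from the context. The scoring scheme (asset value 0-4 plus threat likelihood 0-2 plus ease of exploitation 0-2, with each existing control assumed to lower the ease by one step) is an assumption modeled on the predefined-values examples in the standard's annexes, not a rule the standard mandates.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str    # "primary" (business process / information) or "supporting"
    value: int   # 0..4, assigned during asset valuation; reflects importance to the business


@dataclass(frozen=True)
class IncidentScenario:
    asset: Asset
    threat: str
    vulnerability: str
    threat_likelihood: int          # 0 = low, 1 = medium, 2 = high
    ease_of_exploitation: int       # 0 = low, 1 = medium, 2 = high, before existing controls
    existing_controls: Tuple[str, ...] = ()   # controls found during identification


def residual_ease(scenario: IncidentScenario) -> int:
    """Ease of exploitation after existing controls.

    Assumption for this example: each verified existing control lowers the ease
    by one step, never below 0. Unverified or ineffective controls should not be
    listed here at all.
    """
    return max(0, scenario.ease_of_exploitation - len(scenario.existing_controls))


def risk_score(scenario: IncidentScenario) -> int:
    """Semi-quantitative level of risk on a 0..8 scale (assumed scheme)."""
    return scenario.asset.value + scenario.threat_likelihood + residual_ease(scenario)


def evaluate(scenarios, acceptance_threshold: int):
    """Rank scenarios by risk and decide treat/accept against the acceptance criterion.

    acceptance_threshold comes from the risk acceptance criteria set during
    context establishment; scores above it require treatment.
    """
    ranked = sorted(scenarios, key=risk_score, reverse=True)
    return [
        (s, risk_score(s), "treat" if risk_score(s) > acceptance_threshold else "accept")
        for s in ranked
    ]


# Constructed sample data (not from the page).
BILLING = Asset("Customer billing process", "primary", 4)
PAYROLL_DB = Asset("Payroll database server", "supporting", 3)
WEBSITE = Asset("Marketing website", "supporting", 1)

SCENARIOS = [
    IncidentScenario(BILLING, "Ransomware", "Unpatched file server", 2, 2,
                     existing_controls=("Offline backups",)),
    IncidentScenario(PAYROLL_DB, "Insider data theft", "Excessive database privileges", 1, 2),
    IncidentScenario(WEBSITE, "Defacement via CMS exploit", "Outdated CMS plugin", 2, 2),
    IncidentScenario(PAYROLL_DB, "Disk failure", "No redundant storage", 1, 1,
                     existing_controls=("Nightly backup", "Hardware monitoring")),
]

ACCEPTANCE_THRESHOLD = 4   # assumed acceptance criterion from context establishment


if __name__ == "__main__":
    for scenario, score, decision in evaluate(SCENARIOS, ACCEPTANCE_THRESHOLD):
        print(f"{score} {decision:6} {scenario.asset.name}: {scenario.threat}")
```

Two points the page's prose makes are visible in the output: the billing ransomware scenario stays at the top despite an existing control because the asset value dominates, and the payroll disk-failure scenario drops to "accept" only because its existing controls were identified and verified; leaving them out would push it over the threshold.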
