Get Started
Conducting IT Risk Assessments Quick Guide

SaltyCloud Research Team

Updated Apr 15, 2020 Read Time 7 min


Implementing an IT risk assessment program is crucial for a mature security program and increasingly becoming a regulatory requirement, though it can be a daunting task with various obstacles and emotions, including denial, anger, bargaining, depression, and finally acceptance.

IT Risk Assessments are a critical component of any mature security program. And more and more, they’re becoming a regulatory requirement. That being said, implementing a risk assessment program from scratch can be a daunting task faced with many obstacles. You might find yourself experiencing the following emotions as you progress toward accepting that a risk assessment must be done.

  • Denial
    “If we don’t assess risk we don’t have risk.” — Management
  • Anger
    “Why are you doing this?!” — Stakeholders
  • Bargaining
    “What if we start with CIS 20 or NIST CSF/800-171/ 800-53 P1 controls in year one? And we only focus first on the highest risk department.” — Savvy CISO
  • Depression
    “What do you mean you saved over my spreadsheet?” — Risk Officer
  • Acceptance
    “ Yes! We documented risk over time and identified key areas to reduce risk.” — Happy Organization

Why conduct a risk assessment?


Conducting a risk assessment is essential to identify and prioritize security budgets and awareness campaigns for an organization to be more resilient to cyber attacks, with universities’ most common needs being to begin documenting risk across their campus and demonstrate regulatory compliance, often by focusing on specific units that need to comply with regulations such as GLBA or HIPAA.

In recent conversations with university CISOs and CIOs, the two most common needs for a risk assessment include:

  • begin documenting risk across their campus
  • demonstrate regulatory compliance (i.e., GLBA or HIPAA)

Begin documenting risk

Conducting a risk assessment is the best way to discover where risk exists in an organization. Organizations can prioritize security budgets and awareness campaigns to be more resilient to cyber attacks. Usually, these campuses have an overarching framework in mind like CIS 20 or NIST 800-53, a subset of questions, and specific departments or units with the highest risk they would like to start with. This gives them an initial risk snapshot. In subsequent years when their risk culture has matured, the goal evolves to expand the question set and units covered to achieve a broader campus-wide risk assessment.

Demonstrate regulatory compliance

The catalyst to pursuing risk assessment near term include research universities that are increasingly required to document CUI compliance through NIST 800-171 or NIST 800-53 risk assessments as well as schools that need to comply with campus, system, state, or federal regulations such as GLBA, HIPAA, NIST, COBIT etc. In an effort to demonstrate compliance, these campuses may choose to focus only on the specific units that need to demonstrate regulatory compliance.

Where do I start?


To implement a risk program, an organization must set its goals, choose a security framework that aligns with their needs, create a multi-year plan that focuses on critical units, secure stakeholders, conduct a risk assessment with questionnaires, review the collected risk data using a questionnaire-based risk assessment tool, implement and repeat.

Implementing a risk program looks differently for every campus. However, everyone usually arrives there the same. Here’s what you’ll need to do:

  • Set your goals
  • Choose your framework
  • Create a plan
  • Secure your stakeholders
  • Start assessing
  • Review your risk
  • Implement and repeat

Set your goals

Before anything, you have to understand your immediate and long-term goals. Do you want to start documenting risk in an effort to build a more resilient organization or are you simply trying to prove compliance? Are you also wanting to inventory and classify assets? Whatever your goals, make sure you and your team are in agreement as it will dictate which framework you choose and the direction of your risk assessment program.

Choose your framework

Choosing a security framework can be challenging. There are a lot out there, and depending on your goals, you’ll need to choose one that best fits your needs. Remember, you don’t have to commit to an entire framework from the get go. You may find that certain sections are more relevant to your campus and your current goals. This is especially true for regulatory compliance which may only require you to adhere to certain sections of a larger framework.

Create a plan

Successful risk programs are multi-year commitments. It is rare to assess an entire campus in the very first risk assessment. It is wise to roll out a risk assessment program in small steps and overtime mature the risk culture at your campus. In other words, you can’t expect to get results if no one takes the risk assessment seriously. Take a look at your organization and begin to identify your most critical units. You could leverage this smaller sample set to pilot your program, receive feedback, and iterate on your plan. Over time, you can roll out the program to more and more units until you’ve reached a campus-wide risk assessment.

Secure your stakeholders

With your goals aligned and a plan in place, you’ll also need to bring major stakeholders on board. This can easily be the most challenging part of getting a risk assessment program off the ground as it usually involves getting budget. If you’ve done your due diligence, you can easily make several compelling arguments to get your stakeholders onboard.

Start assessing

Conducting a risk assessment for the first time can be a starkly different undertaking depending on your goals and the size of your organization. Typically, it involves emailing spreadsheets to individuals across your organization. Then, periodically reminding them to complete them and send them back. Even if you’re successful at getting all of your spreadsheets filled out, you can easily end up with tens of spreadsheets and no efficient way of tracking it all. Fortunately, you can leverage a questionnaire-based risk assessment tool to help you efficiently launch, manage, and track your risk assessments.

Review your risk

Once you’ve concluded your first risk assessment you’ll have a wealth of insightful risk data. If you’re using spreadsheets, you’ll first have to spend some time and resources to create reports manually. However, if you’re using a questionnaire-based risk assessment tool, you can easily roll up the collected risk data from across your organization to create risk reports.

Implement and repeat

After a successful risk assessment, you’ll hopefully be able to take your insights to justify your security budget and focus your efforts where the most risk exists. You’ll also have learned a few lessons to help you streamline your process when the time for the next risk assessment rolls around.

How Isora GRC from SaltyCloud can help


Isora GRC from SaltyCloud is the powerfully simple solution making regulatory compliance easier while helping organizations improve their cyber resilience.

The stakes have never been higher for organizations as they confront escalating cyberattacks and mounting regulations.

With business-critical data and privacy on the line, companies need a simple solution that helps them move beyond a ‘check-the-box’ mindset towards a risk-informed, data-driven, and proactive approach.

Isora GRC from SaltyCloud is the powerfully simple solution changing how information security teams manage governance, risk, and compliance (GRC). A new intuitive, automated, and collaborative platform designed by GRC experts, Isora GRC helps organizations ace compliance audits, build information security culture, and strengthen cyber resilience at scale.

  • Ace compliance audits with collaborative surveys, adaptable security frameworks, dynamic dashboards, and insightful reporting for key regulations.
  • Improve your organization’s security posture with maturity models, preloaded security frameworks, and remediation tracking.
  • Protect critical data with comprehensive inventory management, seamless integration, continuous assessments, and insightful reporting.
  • Minimize third-party risk with a complete vendor inventory, risk assessment surveys, and approval workflows.

Join dozens of information security teams partnering with Isora GRC from SaltyCloud to build a risk and compliance program they can trust.

Discover how Isora GRC from SaltyCloud can streamline compliance and risk management at your organization.

Learn More
Our GRC Resources

Dive into our research-backed resources–from product one pagers and whitepapers, to webinars and more–and unlock the transformative potential of powerfully simple GRC.

Learn More
Other Relevant Content

This guide contains everything you need to know about conducting an information security risk assessment questionnaire at your organization.

Learn what self-assessment questionnaires (SAQs) are and why they're a valuable tool for your security risk assessments.

Dive into this Complete Guide for a comprehensive yet accessible pathway for developing an Information Security Risk Management program

Stay ahead of the curve
Get insightful guides, original research, regulatory updates, and novel solutions delivered straight to your inbox.
Get Started
Manage assessments
confidently with
collaborative GRC tooling