Information Security Risk Assessment Checklist: Risk Assessment and Analysis Methods: Qualitative and Quantitative

Information Security Risk Assessment Checklist

  • Framing Risk
    • Understand the business
    • Define & document the environment
    • Decide Risk Assessment Approach
    • Define how risk decisions will be made
    • Qualitative vs Quantitative vs Semi-quantitative
  • Identifying Risk
    • Document threat environment
    • Identify threat scenarios & actors
    • Identify vulnerabilities
    • Calculate likelihood & impact
    • Consider current security controls
  • Responding to Risk
    • Document risk remediation plans
    • Accept, Mitigate, Avoid, or Transfer
    • Derive Risk Ratings
    • Focus on High Risk first
  • Monitoring Risk
    • Perform effective monitoring
    • Monitor high risks for remediation
    • Track risks over time
    • Perform audits ensuring risk treatment
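The checklist names three scoring approaches (qualitative, quantitative, semi-quantitative) and the four treatment options (accept, mitigate, avoid, transfer) without showing how the numbers are produced. The following is an added example, not part of the original checklist: a small risk register that scores the same constructed scenarios all three ways, derives a rating, and applies an assumed treatment policy. The 5-point scales, the rating thresholds, the semi-quantitative weights, the treatment rules and every dollar figure are assumptions chosen for illustration; a real program would take them from its own risk-framing decisions.

```python
"""Risk register example (added; scales, weights, thresholds and data are constructed)."""
from dataclasses import dataclass

# Assumed 5-point ordinal scale shared by likelihood and impact.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
# Assumed semi-quantitative weights: ordinal ranks mapped onto a geometric scale so
# that one "very high" factor dominates several "low" ones.
SEMI_WEIGHTS = {1: 1, 2: 3, 3: 10, 4: 30, 5: 100}


@dataclass
class Risk:
    name: str
    likelihood: str           # qualitative label from LEVELS
    impact: str               # qualitative label from LEVELS
    asset_value: float        # quantitative: value of the affected asset (constructed $)
    exposure_factor: float    # fraction of asset_value lost per incident, 0..1
    aro: float                # annualized rate of occurrence (incidents per year)
    control_effect: float = 0.0  # reduction already provided by current controls, 0..1


def qualitative_score(r: Risk) -> int:
    """Likelihood rank x impact rank, i.e. the cell of a 5x5 heat map."""
    return LEVELS[r.likelihood] * LEVELS[r.impact]


def qualitative_rating(r: Risk) -> str:
    """Assumed thresholds: >=15 High, >=8 Medium, else Low."""
    s = qualitative_score(r)
    return "High" if s >= 15 else "Medium" if s >= 8 else "Low"


def semi_quantitative_score(r: Risk) -> int:
    return SEMI_WEIGHTS[LEVELS[r.likelihood]] * SEMI_WEIGHTS[LEVELS[r.impact]]


def sle(r: Risk) -> float:
    """Single loss expectancy: asset value x exposure factor."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk) -> float:
    """Annualized loss expectancy after accounting for current controls."""
    return sle(r) * r.aro * (1.0 - r.control_effect)


def recommend_treatment(r: Risk, appetite: float, control_cost: float, control_efficacy: float) -> str:
    """Assumed policy: accept within appetite; mitigate when the control pays for
    itself within a year; otherwise transfer (e.g. insure) the residual exposure."""
    current = ale(r)
    if current <= appetite:
        return "Accept"
    reduction = current * control_efficacy
    return "Mitigate" if control_cost < reduction else "Transfer"


def prioritise(risks: list[Risk], method: str = "quantitative") -> list[str]:
    """Order the register by ALE or by qualitative heat-map score."""
    key = ale if method == "quantitative" else qualitative_score
    return [r.name for r in sorted(risks, key=key, reverse=True)]


# Constructed scenarios; all values are illustrative.
REGISTER = [
    Risk("Ransomware on file server", "high", "very high", 500_000, 0.6, 0.5, control_effect=0.2),
    Risk("Lost laptop", "very high", "low", 5_000, 1.0, 3.0, control_effect=0.5),
    Risk("Datacenter flood", "very low", "very high", 2_000_000, 0.5, 0.02),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:28} qual={qualitative_score(r):2} ({qualitative_rating(r):6}) "
              f"semi={semi_quantitative_score(r):5} ALE=${ale(r):,.0f}")
    print("by ALE:        ", prioritise(REGISTER))
    print("by heat map:   ", prioritise(REGISTER, "qualitative"))
```

Note what the two orderings show: the flood scenario sits in the "Low" heat-map cell because its likelihood is very low, yet its ALE exceeds the laptop scenario rated "Medium". That disagreement is the reason the framing step asks you to decide the assessment approach and how risk decisions will be made before identifying risks, not after.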

Threat modeling, the cloud, and shared responsibility

An interesting aspect of cloud-related threat models is that they must account for the shared responsibility model, which differs for each cloud provider and for each service within a provider.

If a key output of any threat modeling exercise is a set of identified threats, then the ideal state for any threat is that you eliminate it completely by way of design, engineering, or otherwise. Of course, the value of threat modeling is that you not only identify threats that you can eliminate, but that you make thoughtful decisions about how to deal with the remaining threats that you cannot.

In this model, threats end up in one of three states:

  • Green, which is as good as it gets for a threat you can’t eliminate outright. Of course, if controls are available, there’s a good question to be asked regarding whether those controls can be implemented in such a way (e.g., by using restrictive defaults or policies) that the threat is eliminated and thus removed from this grid entirely.
  • Yellow, which is probably the most common. In this state, you’re able to rely on either security controls or on monitoring. The trick with relying solely on monitoring to mitigate a threat is that monitoring is only an effective mitigation when coupled with detection (knowing the threat occurred) and response (doing something about it).
  • Red, which should leave you questioning your design, your cloud provider, or both. In particular, threats in this state require putting significant trust in both your cloud provider and the security inherent to their platform, as well as your ability to engineer for safety.
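The three states above are easy to misapply in one direction: monitoring that is not backed by detection and response gets counted as a mitigation when it is not. The following added example (not from the original page) encodes the state logic as a triage function so that the edge case is explicit. It assumes Green means both controls and effective monitoring are in place, since Yellow is defined as relying on either one alone; the threat names and flags are constructed.

```python
"""Threat-state triage example (added; the Green-means-both reading and all data are assumptions)."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    ELIMINATED = "eliminated"   # designed out; not on the grid at all
    GREEN = "green"
    YELLOW = "yellow"
    RED = "red"


@dataclass
class Threat:
    name: str
    eliminated_by_design: bool = False
    restrictive_default_available: bool = False  # could a policy/default remove it entirely?
    controls_available: bool = False
    monitoring: bool = False                     # telemetry exists
    detection: bool = False                      # someone/something notices the event
    response: bool = False                       # a defined action follows a detection


def effective_monitoring(t: Threat) -> bool:
    """Monitoring only mitigates when coupled with detection and response."""
    return t.monitoring and t.detection and t.response


def classify(t: Threat) -> State:
    if t.eliminated_by_design:
        return State.ELIMINATED
    if t.controls_available and effective_monitoring(t):
        return State.GREEN          # assumption: both, since Yellow is "either"
    if t.controls_available or effective_monitoring(t):
        return State.YELLOW
    return State.RED


def findings(t: Threat) -> list[str]:
    """Questions the grid should prompt for this threat."""
    notes = []
    if t.restrictive_default_available and not t.eliminated_by_design:
        notes.append("controls exist: can a restrictive default or policy eliminate this threat outright?")
    if t.monitoring and not effective_monitoring(t):
        notes.append("monitoring without detection and response is not a mitigation")
    if classify(t) is State.RED:
        notes.append("no mitigation: revisit the design, the provider's platform guarantees, or both")
    return notes


# Constructed threats for a hypothetical cloud storage design.
THREATS = [
    Threat("Public bucket exposure", controls_available=True, restrictive_default_available=True,
           monitoring=True, detection=True, response=True),
    Threat("Credential stuffing on console", controls_available=True, monitoring=True),
    Threat("Log tampering via misconfigured trail", monitoring=True),
    Threat("Provider-side hypervisor escape"),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:40} {classify(t).value:10} {'; '.join(findings(t))}")
```

The second constructed threat is the instructive one: it has telemetry, so a casual reading would call it mitigated by monitoring, but without detection and response it stays Yellow purely on the strength of its controls, and the findings list says why.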
