The terms risk assessment and control assessment are often comingled and used interchangeably or incorrectly. It’s easy to do this, and even security professionals can slip up if they’re not careful. It’s time to sort these terms out and create a reference point we can fall back on. To start, let’s review the background on each to cover what they are and what they’re not.
Controls Assessment
A controls assessment can be either an independent assessment or a self-assessment. At its most basic, it’s a review of an entity’s controls. These controls are typically based on an industry framework but don’t have to be. For instance, some smaller firms in an unregulated industry may have implemented controls out of operational necessity or because they wanted to be safer, to do the right thing. But, given the number of readily available security frameworks, there’s no reason to start from scratch if you don’t have to. Popular frameworks include:
- NIST 800-53
- NIST Cybersecurity Framework
- COBIT 5
- ISO 270001 Annex A
- IRS Pub 1075
- HIPAA Security Rule
If your risk assessment consists of looking at a control framework and assessing compliance, you’re not doing a risk assessment. If you’re starting with a control framework, a control matrix, a list of things you do, or anything other than the concept of risk, it’s unlikely that you’re performing a risk assessment. These can be valuable standalone activities, but shouldn’t be classified as a risk assessment.
Risk Assessment
In simple terms, start by looking at the assessment name. To be a risk assessment, it should start with risk! Risk can mean many different things to different people, which is where a risk management framework like NIST 800-30 makes life infinitely easier. NIST 800-30 breaks risk down into four risk factors:
- Threat
- Vulnerability
- Impact
- Likelihood
This list enables the process for identifying potential risks (i.e., identify potential threats, potential vulnerabilities, potential impact, and likelihood). Once we’ve calculated inherent risk, we come to the step that causes the most confusion between control and risk assessments. To go from inherent risk to residual risk, we need to identify whether we have a control in place to address the risk. This is where the real value of a risk assessment comes into play. If we don’t have a control in place, we now have justification for implementing a new control. After all, the risk out in the open now – no more “ignorance is bliss.”
This can also be flipped on its head. What if we were to say, “Why do we have so many gaps in our risk assessment? We have all these other controls, but they weren’t mapped to any risks.” This could be for a couple reasons; don’t jump to conclusions. Once we’ve done due diligence to ensure that the unmapped control does not apply to an identified risk, we may have an opportunity to start saving some time and money by sunsetting unnecessary controls.
Conclusion
To summarize:
- Risk assessments identify applicable risks, thereby serving to inform control decisions.
- Control assessments give us insight into our control performance, which can help with the tail end of a risk assessment and determine how to treat risk.
- Both are valuable, related activities but not the same thing!
For more detail on the risk assessment process, check out these additional resources from NuHarbor:
https://nuharborsecurity.com/risk-assessments-in-everyday-life/
https://nuharborsecurity.com/hipaa-risk-analysis-vs-gap-assessment/
