What is the starting point of a risk assessment?
Gather basic information on how IT and security are conducted in the organization.
What is the outcome of a risk assessment process?
A prioritized security roadmap with clearly defined action items.
How do you measure risk?
Risk can be assessed both qualitatively and quantitatively. A good risk assessment is a combination of both. Qualitative risk is evaluated based on business impact and likelihood, while quantitative risk is assessed based on the financial value of an asset and the security control used to protect it.