The first time you open CISO Assistant’s risk assessment module, you might stare at the screen for a while, wonder where to start, and then go make coffee. We get it. Risk assessment is the part of information security that feels most overwhelming when you’re doing it for the first time. There are threats everywhere, vulnerabilities in every system, and the whole thing can spiral into a wall of spreadsheets and uncertainty pretty fast.

Once you’ve built the structure, maintaining it becomes second nature. This guide walks you through the entire process, from your first assessment to a fully connected picture of threats, vulnerabilities, assets, and controls.


How the pieces fit together

Five elements make up a risk assessment in CISO Assistant. Here’s how they connect.

Risk scenarios describe what could go wrong. Things like “Unauthorized Data Access” or “Malicious Code Infection.” Threats are the forces that could cause that harm, whether it’s social engineering, equipment failure, or a natural disaster. Vulnerabilities are the weaknesses that threats exploit, like missing MFA, outdated software, or lack of encryption. Assets are what you’re trying to protect; they live in your asset inventory. And applied controls are what you’ve done (or plan to do) to reduce the risk.

A complete risk scenario ties all of these together. “Our cloud infrastructure (asset) is vulnerable to unauthorized access (threat) because of excessive permissions (vulnerability), and we mitigate this through access reviews and MFA (controls).” That’s the picture you’re building.


Create your risk assessment

Go to Risk > Risk Assessments and click Add Risk Assessment. Give it a meaningful name like “Annual Risk Assessment 2026” and describe the scope clearly. What’s included, what’s excluded, and why you’re doing this.

For the risk matrix, the 4x4 EBIOS-RM matrix works well for most organizations. It gives you four levels for both probability and impact without being overly complex.

You’ll also need a Perimeter to define what’s in scope. Go to Context > Perimeters and create one if you haven’t already. Name it after your organization or the scope boundary.


Build your threat catalog

Before creating risk scenarios, populate your threat library at Context > Threats. CISO Assistant includes built-in libraries like MITRE ATT&CK, but you should also add custom threats that reflect your specific reality.

Think through threats in categories. Physical and environmental threats include fire, flood, power outages, lightning strikes, and in some regions, bomb threats or similar disruptions. They’re unlikely, but when they hit, the impact is almost always critical.

Technical threats target your IT systems directly. Equipment failure happens more often than most people plan for, and it’s not just servers. Routers die, switches fail, disks corrupt. Telecommunications link failure cuts off remote workers and breaks VPNs. Malicious code, meaning malware and ransomware, is a near certainty for most organizations over a long enough timeline. Application errors cause crashes, data corruption, and security holes. And general unavailability, where systems just stop being accessible for any reason, is its own category.

Human threats are honestly where most risk lives. User error is the most common threat in any organization. People misconfigure systems, delete data, click phishing links. Operational errors happen when processes break down, like a wrong deployment or a skipped backup. Social engineering, impersonation, and fraud target the human layer deliberately. And password disclosure, whether through phishing, weak passwords, or simple carelessness, opens the door to everything else.

Access-related threats cover unauthorized data access, unauthorized network access, unauthorized physical access to restricted areas, user account takeover, and information leaks or disclosures.

If your organization uses AI tools, and it probably does, add AI-specific threats too. Examples are AI data leakage through prompts or training data, AI hallucination, where the model generates convincing but false information, and prompt injection, where malicious inputs trick the AI into bypassing controls.

For each threat, write a name and a clear description of what it is and what damage it could cause. Put them in the Global domain since threats can affect the whole organization.


Document your vulnerabilities

Writing down all the ways your organization is exposed is uncomfortable. That honesty is what makes the exercise worth doing.

Go to Context > Vulnerabilities and work through these areas systematically.

Access control weaknesses are often the biggest gap. Think about whether you’re missing multi-factor authentication anywhere, whether users have more permissions than they need, whether shared accounts exist with no individual accountability, whether your password policies are actually enforced, whether access reviews happen regularly, and whether privileged accounts have extra controls around them.

Data protection weaknesses include missing encryption (both at rest and in transit), untested or nonexistent backups, data that isn’t classified or labeled, storage media that gets disposed of without proper erasure, and critical information that exists in only one copy. That last one is more common than anyone likes to admit.

System and application weaknesses cover outdated software with known vulnerabilities, missing antivirus or endpoint protection, incorrect configurations, no separation between development, testing, and production environments, and undocumented custom software that only one person understands.

Network weaknesses include flat networks with no segmentation, unmonitored access, unprotected connections to public networks, and missing firewalls or web filtering.

Organizational weaknesses are the human and process gaps: staff who haven’t had security training, incomplete or outdated documentation, no vendor verification procedures, poor separation of responsibilities, and insufficient monitoring of user activities.

Physical weaknesses round out the picture: inadequate office security, equipment vulnerable to temperature or humidity, unsecured cabling, and mobile devices that could be stolen.


Create your risk scenarios

Now you’re building the actual scenarios that represent realistic risks to your organization. Go to Risk > Risk Scenarios and start creating them.

For each scenario, you’ll assess both probability (how likely is this to happen) and impact (how bad would it be). On a 4-level scale, level 0 means unlikely and minimal damage, level 1 means it could happen and would cause noticeable damage, level 2 means it happens regularly or is expected with serious impact, and level 3 means it’s frequent or near-certain with severe consequences.

Here are the scenarios we recommend as a starting set.

Physical and environmental risks tend to be low probability but high impact. Fire and flood are unlikely (0) but critical (3) if they happen. Power outages are more common (1) with important impact (2). Bomb threats are unlikely (0) but critical (3).

Technical and operational risks are where most of the action is. Equipment failure is very likely (2) with important impact (2). Telecom failures, application errors, and data loss are all likely (1) with important impact (2). Malicious code is very likely (2) with important impact (2), and honestly, given current threat activity, that probability might be conservative.

Human-related risks include user error, which is very likely (2) but usually has only significant impact (1) per incident. Social engineering is very likely (2) with important impact (2). Theft and loss is likely (1) with important impact (2). Embezzlement is unlikely (0) but important (2) when it happens.

Access and information risks are critical for most organizations. Unauthorized data access and unauthorized network access are both very likely (2) with important impact (2). Information leaks are likely (1) with important impact (2).

AI-specific risks are newer, but they belong in every assessment at this point. AI data leakage is very likely (2) with important impact (2). AI hallucination leading to bad decisions is very likely (2) with significant impact (1). AI model bias, dependency issues, regulatory non-compliance, and prompt injection are all likely (1) with varying impact levels.

For each scenario, also set target values for probability and impact, representing where you want to get after implementing controls. Be realistic. You’re not going to eliminate risk, but reducing it by one level for most scenarios is a reasonable goal. Always write a justification explaining why you chose this treatment and what specific measures will make it work. Future you, and your auditors, will be grateful.


Connect threats to risk scenarios

Now edit each risk scenario and link the relevant threats from your catalog. This part is straightforward but a bit tedious. There’s no way around it.

Unauthorized Data Access connects to threats like unauthorized data access itself, social engineering, password disclosure, user account takeover, and unauthorized physical access. Malicious Code connects to malicious code threats, unauthorized code execution, and unauthorized software installation. Data Loss links to data loss, accidental modification, media damage, record destruction, and equipment failure. Social Engineering connects to social engineering, impersonation, phishing, and fraud.

For AI scenarios, AI Data Leakage connects to information leak and unauthorized data access threats. AI Hallucination connects to user error and application error threats. Work through each scenario methodically.


Connect vulnerabilities to risk scenarios

Same process, different connections. The logic here is “this risk scenario is possible because these vulnerabilities exist.”

Unauthorized Data Access is possible because of missing MFA, excessive permissions, shared accounts, weak passwords, and insufficient identity management. Malicious Code is enabled by missing antivirus, outdated software, uncontrolled downloads, and no web filtering. Data Loss comes from missing encryption, no backups, single copies of data, and improper media disposal. Social Engineering succeeds because of insufficient training and phishing susceptibility.

The pattern continues for each scenario. This step is repetitive, but these connections are what make your risk assessment actually useful rather than just a list of scary things that could happen.


Connect assets to risk scenarios

This is where the risk assessment gets concrete. For each risk scenario, ask yourself which of your assets would be affected if this risk materialized.

Your identity and security systems like 1Password and JumpCloud are affected by unauthorized data access, social engineering, malicious code, unavailability, user error, and theft. Cloud infrastructure is affected by unauthorized access (both data and network), data loss, information leaks, malicious code, unavailability, operational errors, and application errors.

Code repositories are at risk from unauthorized access, information leaks, data loss, malicious code, and social engineering. Communication tools face unauthorized access, information leaks, social engineering, malicious code, and unavailability risks. Financial systems are exposed to unauthorized access, information leaks, data loss, embezzlement, social engineering, and application errors.

Physical locations connect to fire, flood, power outage, bomb threats, theft, and access disruption scenarios. AI tools are affected by AI data leakage, hallucination, prompt injection, unauthorized access, and information leak scenarios. Workstations face unauthorized access, malicious code, theft, and data loss.


Connect applied controls to risk scenarios

The final piece. Edit each risk scenario and add the controls from your Statement of Applicability that mitigate it. This closes the loop and lets CISO Assistant show you your residual risk.

Here are the key mappings.

Unauthorized Data Access is mitigated by MFA, JumpCloud MDM, access reviews, encrypted drives, database encryption, DLP, security monitoring, and supplier management.

Unauthorized Network Access is covered by JumpCloud RADIUS, FortiGate UTM, network segmentation with VLANs, MFA, and security monitoring.

Malicious Code is fought with ESET antivirus, web filtering (both FortiGate and ESET), Gmail anti-spam and AV, system updates, DNS protection, security monitoring, and network segmentation.

Data Loss is addressed by backup procedures, encrypted drives, database encryption, data deletion procedures, and DLP.

Social Engineering is mitigated by security awareness training, MFA, the password manager, Gmail anti-spam, web filtering, DNS protection, and security monitoring.

User Error and Operational Errors are reduced through security awareness training, knowledge bases, change management, supplier management, and security monitoring.

Equipment Failure and Unavailability are covered by system updates, change management, business continuity planning, backup procedures, SaaS redundancy, and capacity management.

Fire, flood, and physical risks rely on business continuity planning, backup procedures, and physical security. Theft and loss is mitigated by JumpCloud MDM, encrypted drives, and MFA. Embezzlement is addressed through access reviews and segregation of duties.


Review your risk dashboard

Once everything is connected, go to Risk > Overview and see where you stand. You’ll see a risk matrix showing where your scenarios land, which ones need immediate attention, where you have gaps with no controls assigned, and the difference between current risk and target risk.

Focus on the red zone first. Any scenario with high probability and high impact needs a treatment plan immediately. Look for uncontrolled risks where no controls are linked. Check that your targets are realistic and that you actually have a plan to reach them. If important systems aren’t linked to any risk scenarios, those are blind spots.
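To make the structure from “How the pieces fit together” and the dashboard checks above concrete, here is an added example in Python. It is not CISO Assistant’s own code or data model; the 4x4 band grid, the red-zone rule (probability and impact both at level 2 or higher), and the sample scenarios and asset inventory are assumptions constructed for illustration. It models one scenario with its linked threats, vulnerabilities, assets, and controls, then runs the four checks the guide tells you to do on the overview: red zone, uncontrolled scenarios, targets you have no linked control to reach, and assets that no scenario mentions.

```python
"""Model the five pieces of a risk scenario and run the dashboard checks.

Added example, not CISO Assistant's code. MATRIX bands and the red-zone
rule are assumptions; the sample scenarios and inventory are constructed.
"""
from dataclasses import dataclass, field

PROBABILITY = ("Unlikely", "Likely", "Very likely", "Near-certain")  # levels 0..3
IMPACT = ("Minor", "Significant", "Important", "Critical")          # levels 0..3

# Assumed banding for a 4x4 matrix: rows are probability, columns are impact.
MATRIX = (
    ("Low", "Low", "Medium", "High"),
    ("Low", "Medium", "Medium", "High"),
    ("Medium", "Medium", "High", "Critical"),
    ("Medium", "High", "Critical", "Critical"),
)


def risk_level(probability: int, impact: int) -> str:
    """Band for one matrix cell; out-of-range levels are rejected, not clamped."""
    if not (0 <= probability <= 3 and 0 <= impact <= 3):
        raise ValueError(f"levels must be 0..3, got {probability}, {impact}")
    return MATRIX[probability][impact]


@dataclass
class RiskScenario:
    name: str
    probability: int          # current level
    impact: int               # current level
    target_probability: int   # where you want to be after treatment
    target_impact: int
    threats: set = field(default_factory=set)
    vulnerabilities: set = field(default_factory=set)
    assets: set = field(default_factory=set)
    controls: set = field(default_factory=set)  # applied controls from the SoA

    def current_level(self) -> str:
        return risk_level(self.probability, self.impact)

    def target_level(self) -> str:
        return risk_level(self.target_probability, self.target_impact)


def red_zone(scenarios):
    """Scenarios that are both very likely and important: treat these first."""
    return [s.name for s in scenarios if s.probability >= 2 and s.impact >= 2]


def uncontrolled(scenarios):
    """Scenarios with no applied control linked, so residual risk cannot be shown."""
    return [s.name for s in scenarios if not s.controls]


def unreachable_targets(scenarios):
    """Targets worse than current, or a promised reduction with no control behind it."""
    flagged = []
    for s in scenarios:
        worse = s.target_probability > s.probability or s.target_impact > s.impact
        reduced = s.target_probability < s.probability or s.target_impact < s.impact
        if worse or (reduced and not s.controls):
            flagged.append(s.name)
    return flagged


def blind_spots(scenarios, inventory):
    """Assets in the inventory that no risk scenario references."""
    covered = set().union(*(s.assets for s in scenarios))
    return sorted(set(inventory) - covered)


def residual_summary(scenarios):
    """Current band versus target band, per scenario."""
    return {s.name: (s.current_level(), s.target_level()) for s in scenarios}


# Constructed sample data, modelled on the starting set in the guide.
INVENTORY = {"Cloud infrastructure", "Code repositories", "Workstations",
             "Financial systems", "AI tools"}
SCENARIOS = [
    RiskScenario("Unauthorized Data Access", 2, 2, 1, 2,
                 threats={"Social engineering", "Password disclosure"},
                 vulnerabilities={"Missing MFA", "Excessive permissions"},
                 assets={"Cloud infrastructure", "Code repositories"},
                 controls={"MFA", "Access reviews", "DLP"}),
    RiskScenario("Fire", 0, 3, 0, 3, threats={"Fire"},
                 vulnerabilities={"Inadequate office security"},
                 assets={"Workstations"},
                 controls={"Business continuity planning", "Backup procedures"}),
    RiskScenario("User Error", 2, 1, 1, 1, threats={"User error"},
                 vulnerabilities={"Insufficient training"},
                 assets={"Workstations", "Cloud infrastructure"},
                 controls={"Security awareness training", "Change management"}),
    RiskScenario("AI Hallucination", 2, 1, 1, 1,
                 threats={"Application error", "User error"},
                 vulnerabilities={"Insufficient training"},
                 assets={"AI tools"}),  # no control linked yet
]

if __name__ == "__main__":
    print("red zone:", red_zone(SCENARIOS))
    print("uncontrolled:", uncontrolled(SCENARIOS))
    print("unreachable targets:", unreachable_targets(SCENARIOS))
    print("blind spots:", blind_spots(SCENARIOS, INVENTORY))
    for name, (now, target) in residual_summary(SCENARIOS).items():
        print(f"{name}: {now} -> {target}")
```

Run it and the sample data reproduces each finding the guide warns about: one scenario in the red zone, one with no control linked, that same one promising a reduction it has no control to deliver, and one inventory asset (Financial systems) that no scenario touches. Swap in your own scenarios and the checks stay the same.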


Mistakes we see teams make

Treating it as a checkbox exercise is the most common failure mode. If you rate everything as “Unlikely/Minor” just to get green status, you’re lying to yourself and your auditors. Be honest about where things stand.

Forgetting about probability leads to bad prioritization. A critical-impact event that’s extremely unlikely (think asteroid) isn’t the same priority as a significant-impact event that happens weekly (user error). Both dimensions matter.

Not connecting controls to risks is surprisingly common. If your applied controls aren’t linked to risk scenarios, your assessment can’t show residual risk. The connections are the entire analysis.

Ignoring AI risks will catch up with you. If your organization uses AI tools, these risks are real, and auditors have started asking about them.

Never updating turns your risk assessment into historical fiction. New systems, new threats, new regulations. A 2024 assessment doesn’t reflect 2026 reality.


A solid risk assessment doesn’t need to be perfect. It needs to be honest, connected to real assets and controls, and maintained over time. Start with the risks you know are real, build the connections, and improve as you go. The teams that succeed at this are the ones that treat it as a living process rather than a one-time compliance deliverable.

Once your risk assessment is in shape, you’ll want to map your controls to compliance frameworks and conduct a business impact analysis to set recovery priorities. For a quick application-level risk score, try our OWASP Risk Calculator. If you’re also managing third-party risk, our vendor security management guide and Supplier Risk Assessment tool cover the supply chain side. And if you want to see all of this working together in a live environment, try our CISO Assistant demo.