
Risk Assessment

SOC 2 · ISO 27001 · HIPAA · NIST

Structured identification, analysis, and evaluation of risks to assets, processes, or data.

A risk assessment systematically identifies risks (threats × vulnerabilities × impact), analyses them (qualitative or quantitative), and evaluates them against risk-appetite thresholds. ISO 27005 and NIST SP 800-30 are the standard methodologies.

Why it matters
Risk assessment is a foundational requirement in every major framework. A missing risk register, or one not updated in more than 12 months, is a near-automatic audit finding.

Related terms

Risk Treatment
The action chosen for each identified risk: avoid, mitigate, transfer, or accept.
DPIA (Data Protection Impact Assessment)
Mandatory GDPR risk assessment for processing likely to result in a high risk to data subjects (Art. 35).
Vendor / Third-Party Risk Management (TPRM)
Process for assessing, monitoring, and contracting security risk introduced by third parties.

Does your program actually cover Risk Assessment?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
