According to NIST SP 800-30 R1, risk assessment is the process of identifying, estimating, and prioritizing information security risks. This definition matches the one in ISO 31000; estimating refers to the analysis, while prioritizing refers to evaluation.
However, the guideline uses two terms in the risk assessment process that may confuse people: assessment approach and analysis approach.
- Assessment approach: e.g., quantitative, qualitative, or semi-qualitative
- Analysis approach: e.g., threat-oriented, asset/impact-oriented, or vulnerability-oriented
Risk Framing Components
The assessment approach defined in the Frame stage applies to the risk assessment process as a whole, while the analysis approach refers to the approach used to estimate risk as one part of that process.
Figure 2: Relationship among risk framing components (NIST SP 800-30 R1)
Risk Assessment “Slash” Analysis?
It seems that both ISO and NIST distinguish risk assessment from risk analysis. However, it’s common for people to use them interchangeably. I think it’s a good practice to use them precisely.