16. Identifying Systems and Associated Risks

ND545 C4 L3 09 Identifying Systems And Associated Risks Video

System selection is critical to the risk management process. We just talked about how risk assessments operate in the context of a given system. This means that the system should dictate which risks an assessor weighs when examining the system and its associated security controls. For instance, you wouldn't use the same risk assessment for the safety of flying in a plane as for the safety of traveling in a submarine. The risks, and the controls that mitigate them, are vastly different.

Risk professionals must keep that in mind before performing an assessment. They must understand the system boundary (where the system begins and ends) as well as the system function before beginning an assessment. It's entirely possible that an assessor begins an assessment of a system, realizes that the chosen system is either too narrow or too broad, and needs to adjust the scope before continuing.

What risks should you actually evaluate against a system? This is generally a matter of experience, but you can turn to sources such as previously conducted risk assessments, established risk management frameworks, prior audits, or your own knowledge of cybersecurity to create risk statements that are appropriate for the system you plan to assess. What's important is to think about each risk in the context of the system, disregard any risk statements that don't apply to your system, and assess against the relevant, meaningful risk statements that remain.