Mark E.S. Bernard Sample Asset Summary for Risk Management


Upload: mark-es-bernard-cissp-cism-cisa-cgeit-crisc

Post on 22-May-2015


DESCRIPTION

providing more context and insight into the volumes of assets versus actual threats linked to known vulnerabilities

TRANSCRIPT

Page 1: Mark E.S. Bernard Sample Asset Summary for Risk Management

We created the following example of a typical asset assessment to facilitate discussions and provide context for decision makers. Based on this example, the total number of assets for a single organization was 4616. The largest counts were determined to be hardware, software, information, people, facilities and telecommunications.

By leveraging a common series of effective, efficient controls such as those listed in ISO 27001 – Information Security Management System it is possible to consolidate risks and maximize the allocation of resources and capital to address all known risks. This framework also establishes the capability to respond to security events and incidents.

Page 2: Mark E.S. Bernard Sample Asset Summary for Risk Management

During the Risk Assessment process we rationalize threats and vulnerabilities. This is necessary because there are thousands of threats and vulnerabilities, but we know that only a small subset actually have the potential to impact the organization. Normally there are more vulnerabilities than threats. The majority of matching threats and vulnerabilities affect hardware, software, information, people, facilities and telecommunications.

The actual number of immediate risks that require corrective action and preventive action may be small. The majority of risks will be addressed during continuous improvement activities as part of regular ongoing projects listed in the forward schedule of changes.
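The rationalization step described on page 2 (pairing threats with the vulnerabilities they can actually act on, discarding the rest, and then separating the few risks that need immediate corrective and preventive action from those deferred to continuous improvement) can be shown as a small worked example. The code below is an added illustration and is not Mark Bernard's own model or tooling; the asset counts, threat list, vulnerability list, scoring rule (likelihood x exposure x impact) and the triage threshold are all constructed for the example, and the original summary does not break its 4616 assets down by category.

```python
"""Added illustration of threat/vulnerability rationalization for a risk
assessment. Not the original author's method: every count, threat,
vulnerability, score and threshold below is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed asset inventory per category (illustrative numbers only).
ASSET_COUNTS: Dict[str, int] = {
    "hardware": 1200,
    "software": 900,
    "information": 1500,
    "people": 600,
    "facilities": 16,
    "telecommunications": 400,
}


@dataclass(frozen=True)
class Threat:
    name: str
    categories: Tuple[str, ...]  # asset categories this threat can act on
    likelihood: int              # 1 (rare) .. 5 (expected)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    category: str                # asset category exhibiting the weakness
    exposure: int                # 1 (hard to exploit) .. 5 (trivial)
    impact: int                  # 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Risk:
    threat: str
    vulnerability: str
    category: str
    score: int                   # constructed rule: likelihood * exposure * impact
    assets_affected: int


# Constructed registers. Note the deliberate mismatches: "solar flare" targets a
# category with no recorded vulnerability, and "unencrypted backups" has no
# matching threat, so both drop out during rationalization.
THREATS: List[Threat] = [
    Threat("malware", ("software", "hardware"), 4),
    Threat("unauthorized physical access", ("facilities", "hardware"), 2),
    Threat("phishing", ("people",), 5),
    Threat("power outage", ("telecommunications",), 3),
    Threat("solar flare", ("satellite",), 1),
]
VULNS: List[Vulnerability] = [
    Vulnerability("unpatched endpoint OS", "software", 4, 4),
    Vulnerability("no security awareness training", "people", 5, 3),
    Vulnerability("server room door lacks badge reader", "facilities", 3, 4),
    Vulnerability("single power feed to data centre", "telecommunications", 2, 3),
    Vulnerability("legacy firmware on switches", "hardware", 3, 3),
    Vulnerability("unencrypted backups", "information", 2, 5),
]


def rationalize(threats: List[Threat], vulns: List[Vulnerability],
                counts: Dict[str, int]) -> List[Risk]:
    """Keep only threat/vulnerability pairs that share an asset category.
    Unmatched entries on either side never become risks; this is the
    rationalization step that shrinks thousands of entries to a short list."""
    risks: List[Risk] = []
    for t in threats:
        for v in vulns:
            if v.category in t.categories:
                score = t.likelihood * v.exposure * v.impact
                risks.append(Risk(t.name, v.name, v.category, score,
                                  counts.get(v.category, 0)))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def unmatched(threats: List[Threat], vulns: List[Vulnerability],
              risks: List[Risk]) -> Tuple[List[str], List[str]]:
    """Report what rationalization discarded, for audit of the register."""
    matched_t = {r.threat for r in risks}
    matched_v = {r.vulnerability for r in risks}
    return ([t.name for t in threats if t.name not in matched_t],
            [v.name for v in vulns if v.name not in matched_v])


def triage(risks: List[Risk], threshold: int = 40) -> Tuple[List[Risk], List[Risk]]:
    """Split matched risks into immediate corrective/preventive action versus
    items deferred to continuous improvement projects (threshold is constructed)."""
    immediate = [r for r in risks if r.score >= threshold]
    deferred = [r for r in risks if r.score < threshold]
    return immediate, deferred


def category_summary(risks: List[Risk]) -> Dict[str, int]:
    """Count matched pairs per asset category, mirroring the summary's
    observation that matches cluster in a handful of categories."""
    summary: Dict[str, int] = {}
    for r in risks:
        summary[r.category] = summary.get(r.category, 0) + 1
    return summary


RISKS = rationalize(THREATS, VULNS, ASSET_COUNTS)
IMMEDIATE, DEFERRED = triage(RISKS)

if __name__ == "__main__":
    print("matched risks:", len(RISKS), "of", len(THREATS) * len(VULNS), "possible pairs")
    print("immediate:", [(r.threat, r.vulnerability, r.score) for r in IMMEDIATE])
    print("deferred:", len(DEFERRED), "-> forward schedule of changes")
    print("dropped:", unmatched(THREATS, VULNS, RISKS))
    print("by category:", category_summary(RISKS))
```

Running the script shows the effect the summary describes: thirty possible pairings collapse to six matched risks, only two of which clear the (constructed) threshold for immediate action, while one threat and one vulnerability are dropped outright because nothing pairs with them. In practice the scoring rule and threshold would come from the organization's own risk criteria, and the `unmatched` report is worth reviewing so that a vulnerability is not silently ignored merely because the threat register is incomplete.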