Cybersecurity Risk Assessment: Free Template and Step by Step Guide

A cybersecurity risk assessment identifies what can go wrong, how likely it is to happen, and how bad the damage would be. It is the foundation that every other security decision rests on: what to protect, how much to spend, which tools to buy, and where to focus your team's limited time. Most organizations know they need one but struggle with where to start. This guide provides a practical, step-by-step framework and a ready-to-use template that works for businesses of any size.

Why Risk Assessments Matter

Without a risk assessment, security spending is guesswork. You might invest $50,000 in a next-generation firewall while ignoring the unpatched web application that is actually your biggest exposure. A risk assessment forces you to identify, quantify, and prioritize risks so your limited budget goes where it has the most impact.

Risk assessments are also required by virtually every security compliance framework. SOC 2, HIPAA, PCI DSS, ISO 27001, and NIST all mandate regular risk assessments. Even cyber insurance applications now ask whether you perform annual risk assessments. Not having one is both a security gap and a compliance violation.

The Risk Assessment Framework

We will use a simplified version of the NIST Risk Management Framework that works for organizations of any size. The process has five steps:

Step 1: Identify Your Assets

List everything that has value and needs protection. Be specific. Generic entries like "servers" are not useful. Instead, document specific systems with their business function, data classification, and owner.

Asset categories to inventory:

  • Data assets: Customer databases, financial records, intellectual property, employee records, health information, payment card data.
  • System assets: Web applications, internal applications, email systems, file servers, cloud accounts (AWS, Azure, GCP), SaaS platforms.
  • Network assets: Firewalls, VPN gateways, switches, wireless access points, DNS infrastructure.
  • Physical assets: Servers, workstations, mobile devices, backup media, network equipment.
  • People: Employees with privileged access, contractors, third-party vendors with system access.

Step 2: Identify Threats and Vulnerabilities

For each asset, identify what could go wrong. Threats are the actors or events that could cause harm (attackers, malicious insiders, natural disasters, power outages). Vulnerabilities are weaknesses in your own environment that a threat can exploit (unpatched software, weak passwords, lack of encryption). A risk is a specific pairing of the two.

Common threat and vulnerability pairs:

  • Ransomware attack exploiting unpatched VPN or phishing email.
  • Data breach through SQL injection in a web application.
  • Insider threat leveraging excessive access privileges.
  • Business email compromise targeting executives without MFA.
  • Cloud misconfiguration exposing storage buckets or databases.
  • Third-party breach compromising a vendor with access to your systems.
  • Physical theft of unencrypted laptops or mobile devices.

A good starting point for external threats: run a free domain exposure scan to identify what attackers can see from the outside. This gives you a concrete list of vulnerabilities to include in your assessment.

Step 3: Assess Likelihood and Impact

For each threat/vulnerability pair, score two factors on a 1 to 5 scale:

Likelihood (how likely is this to happen in the next 12 months):

  • 1 = Very unlikely (requires multiple unlikely events to align)
  • 2 = Unlikely (possible but no evidence of active targeting)
  • 3 = Possible (known threat actors target your industry)
  • 4 = Likely (you have seen attempts or near-misses)
  • 5 = Almost certain (you have been hit before or are actively being targeted)

Impact (how bad would it be if it happened):

  • 1 = Negligible (minor inconvenience, no financial or data loss)
  • 2 = Low (limited financial loss under $10,000, no sensitive data exposed)
  • 3 = Moderate (financial loss $10,000 to $100,000, some customer data exposed)
  • 4 = High (financial loss $100,000 to $1 million, significant data breach, regulatory action)
  • 5 = Critical (financial loss over $1 million, massive data breach, potential business closure)

Step 4: Calculate Risk Score and Prioritize

Risk Score = Likelihood x Impact. This gives you a score from 1 to 25 for each risk. Categorize the scores:

  • Critical (20 to 25): Requires immediate action. These risks should be addressed within 30 days.
  • High (12 to 19): Requires prompt action. Address within 90 days.
  • Medium (6 to 11): Requires planned action. Address within 6 months.
  • Low (1 to 5): Accept or monitor. Review at next annual assessment.

Step 5: Define Treatment Plans

For each risk, choose one of four treatment options:

  • Mitigate: Implement controls to reduce likelihood or impact. Example: deploy MFA to reduce the risk of credential-based attacks.
  • Transfer: Shift the financial impact to a third party. Example: purchase cyber insurance to cover breach costs.
  • Accept: Acknowledge the risk and choose to do nothing because the cost of mitigation exceeds the expected loss. Document this decision and the reasoning.
  • Avoid: Eliminate the risk entirely by removing the vulnerable asset or process. Example: stop storing credit card numbers by using a tokenization service.

Risk Assessment Template

Use this template for each identified risk. Create a spreadsheet with these columns:

Asset | Threat | Vulnerability | Likelihood (1-5) | Impact (1-5) | Risk Score | Risk Level | Treatment | Owner | Due Date | Status

Example entries:

Web Application | SQL Injection | Unparameterized queries | 4 | 5 | 20 | Critical | Mitigate: Code review + WAF | Dev Lead | 2026-04-30 | In Progress
Employee Laptops | Theft | No disk encryption | 3 | 3 | 9 | Medium | Mitigate: Enable BitLocker/FileVault | IT Manager | 2026-06-30 | Not Started
Customer Database | Ransomware | No offline backups | 4 | 5 | 20 | Critical | Mitigate: Implement 3-2-1 backups | SysAdmin | 2026-04-15 | In Progress
Cloud Infrastructure | Misconfiguration | Public S3 buckets | 3 | 4 | 12 | High | Mitigate: Deploy CSPM tool | Cloud Engineer | 2026-05-31 | Not Started
Executive Accounts | BEC/Phishing | No MFA on email | 5 | 4 | 20 | Critical | Mitigate: Enable MFA immediately | IT Manager | 2026-04-07 | Not Started
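As an added example (not code from the original article), the short Python script below applies Steps 3 and 4 to the template rows above: it parses the pipe-delimited register, recomputes Risk Score = Likelihood x Impact, maps each score to the guide's risk level and remediation window, and sorts the register by priority. The assessment date and the day counts for "within 6 months" and "next annual assessment" are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Step 4 thresholds and windows; day counts are an assumption (6 months = 182, annual = 365).
RISK_LEVELS = [(20, "Critical", 30), (12, "High", 90), (6, "Medium", 182), (1, "Low", 365)]

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def score(self) -> int:
        """Risk Score = Likelihood x Impact; both factors must be on the 1-5 scale."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must each be on the 1-5 scale")
        return self.likelihood * self.impact

    def level(self) -> str:
        return next(lvl for lo, lvl, _ in RISK_LEVELS if self.score() >= lo)

    def due_date(self, assessed_iso: str) -> str:
        # Latest remediation date for this risk's level, counted from the assessment date.
        days = next(d for lo, _, d in RISK_LEVELS if self.score() >= lo)
        return (date.fromisoformat(assessed_iso) + timedelta(days=days)).isoformat()

def parse_register(text: str) -> list[Risk]:
    """Parse rows shaped 'Asset | Threat | Vulnerability | Likelihood | Impact | ...'."""
    risks = []
    for line in text.strip().splitlines():
        cols = [c.strip() for c in line.split("|")]
        risks.append(Risk(cols[0], cols[1], cols[2], int(cols[3]), int(cols[4])))
    return risks

def prioritize(risks: list[Risk]) -> list[Risk]:
    # Highest score first; on equal scores, higher impact outranks higher likelihood.
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)

# Constructed register: the template's five example rows, computed columns left out.
SAMPLE_REGISTER = """
Web Application | SQL Injection | Unparameterized queries | 4 | 5
Employee Laptops | Theft | No disk encryption | 3 | 3
Customer Database | Ransomware | No offline backups | 4 | 5
Cloud Infrastructure | Misconfiguration | Public S3 buckets | 3 | 4
Executive Accounts | BEC/Phishing | No MFA on email | 5 | 4
"""

for r in prioritize(parse_register(SAMPLE_REGISTER)):
    print(f"{r.score():2d} {r.level():8s} due {r.due_date('2026-03-31')}  {r.asset}: {r.threat}")
```

Feeding the script an out-of-range score raises an error instead of silently producing a level, which catches the common spreadsheet mistake of typing a 0 or a 6.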

Common Risk Assessment Mistakes

  • Making it too academic. A risk assessment that takes 6 months and produces a 200-page report is useless. Keep it practical, actionable, and completable within 2 to 4 weeks.
  • Scoring risks too generously. People naturally underestimate risk, especially for threats they have not experienced. Use objective criteria and reference industry data (like the Verizon DBIR) to calibrate your likelihood scores.
  • Assessing and forgetting. A risk assessment is not a one-time exercise. Schedule annual reviews, plus reassessments after major changes (new systems, acquisitions, regulatory changes, or after an incident).
  • Not involving business stakeholders. IT teams tend to focus on technical risks and underweight business impact. Include business owners, legal, compliance, and finance in the impact scoring process.
  • Ignoring third-party risk. Your vendors and partners have access to your data and systems. Include their security posture in your assessment. Ask for their SOC 2 report or conduct a vendor security questionnaire.

Frequently Asked Questions

How often should I perform a risk assessment?

At minimum, annually. Additionally, perform assessments after any major change: new system deployment, cloud migration, acquisition, significant headcount change, or new regulatory requirement. Some compliance frameworks specify the cadence: HIPAA requires regular assessments (interpreted as annual by most auditors), PCI DSS requires annual assessments, and SOC 2 expects ongoing risk evaluation. If you have a rapidly changing environment (frequent deployments, growing team, expanding into new markets), consider quarterly lightweight assessments with a comprehensive annual review.

Can I do a risk assessment without hiring a consultant?

Yes, especially for small and mid-sized businesses. The framework in this guide is designed to be self-administered. Start with a free external exposure scan to identify obvious vulnerabilities, then work through the asset inventory and risk scoring process with your IT team and key business stakeholders. The result will not be as polished as a consultant-led assessment, but it will be significantly better than having none at all. For regulated industries (healthcare, financial services), consider having a consultant review your self-assessment for completeness.

What is the difference between a risk assessment and a vulnerability assessment?

A vulnerability assessment identifies specific technical weaknesses in your systems (unpatched software, misconfigurations, weak passwords). It answers "what is broken?" A risk assessment takes those vulnerabilities and evaluates them in business context: how likely are they to be exploited, what would the business impact be, and how should we prioritize fixing them? A vulnerability assessment is one input into a risk assessment, but a risk assessment also considers threats, business impact, existing controls, and treatment options. You need both, and they complement each other. Our vulnerability assessment guide covers the technical scanning side.

The Bottom Line

A cybersecurity risk assessment does not need to be complex or expensive. The framework in this guide, combined with the template, gives you a practical starting point that satisfies compliance requirements and genuinely improves your security posture. Start by identifying your assets, use a free scan to discover external vulnerabilities, score the risks, and create treatment plans with clear owners and deadlines. The act of going through this process, even imperfectly, is far more valuable than not doing it at all.

Related reading: Vulnerability Assessment Guide, Website Security Audit Checklist, Data Breach Cost 2026.