Threat Risk Assessment: A practical guide to ISO 27005, ISO 31000, and NIST RMF

What is Threat Risk Assessment (TRA)?

By Kadir Kocayigit

One of the most important lessons I’ve learned over years in cyber security is this: making a system completely secure is impossible. But organizations that know where their risks are hiding — and prioritize accordingly — are always one step ahead. That’s why Threat Risk Assessment isn’t just a compliance checkbox. It’s a strategic decision-making tool.

Threat Risk Assessment (TRA) is the systematic process of identifying threats an organization faces, analyzing the vulnerabilities those threats can exploit, and estimating the impact if they materialize.

Its purpose is straightforward but critical: direct limited resources toward the highest risks. TRA is built on three core components:

  • Threat: Any source or event with the potential to cause harm — cyber attackers, natural disasters, human error, malicious insiders.
  • Vulnerability: A weakness that a threat can exploit — unpatched software, weak authentication, inadequate access controls.
  • Impact: The damage caused if the threat materializes — financial, operational, legal, or reputational.

Together, these produce the foundational risk formula:

Risk = Threat x Vulnerability x Impact

In practice, this is commonly simplified and operationalized as:

Risk = Likelihood x Impact

Both models are valid. The three-factor version is more granular and favoured in formal standards like ISO 27005. The two-factor version is more commonly used in risk matrices and heat maps. Knowing when to use which is a sign of methodological maturity. Please remember that risk cannot be reduced to zero, but it can be managed.

Why TRA matters

Many organizations still operate with a reactive security posture: something breaks, then they respond. TRA is the opposite — understand first, then act. From a practical standpoint, organizations that conduct formal TRA programs make better budget decisions. The “protect everything” strategy wastes resources. The “protect the highest-risk assets first” strategy delivers actual security outcomes.

Beyond operational benefits, formal risk assessment is increasingly non-negotiable from a compliance perspective. ISO 27001 certification, GDPR obligations, national data protection regulations, and sector-specific frameworks all mandate a documented risk assessment process. TRA is the foundation that unlocks compliance across all of these simultaneously.

TRA Steps

Regardless of which standard or framework you’re working within, the same six steps appear at the core of every mature TRA process.

Step 1 – Define scope and context – What are you assessing? The entire organization, a specific system, a new product launch? What is your organization’s risk appetite? Without answering these questions first, risk assessment becomes an unfocused exercise.

Step 2 – Identify assets – List everything worth protecting such as databases, applications, network infrastructure, physical assets, people, and business processes. You cannot protect what you haven’t identified.

Step 3 – Identify threats – What could cause harm? I typically structure this across three categories: one covering cyber attackers, nation-state actors, competitors, and natural disasters; one covering malicious insiders, human error, and process failures; and one covering supply chain failures and regulatory changes.

Step 4 – Identify vulnerabilities – For each threat, which weaknesses in your assets could be exploited? Technical vulnerabilities matter, but process and human vulnerabilities are just as critical — and often overlooked.

Step 5 – Calculate and prioritize risks – Assign likelihood and impact scores to produce a risk score. The risk matrix is the tool for this step — I’ll walk through it below.

Step 6 – Decide on a risk treatment method – There are five options: reduce, ignore, accept, transfer, or avoid. Selecting the right treatment for each risk is where security strategy meets business decision-making.
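The two risk formulas above and Steps 5 and 6 describe a scoring and prioritization routine that is easy to get inconsistent across spreadsheets. The following is an added example (not code from the article or from any of the standards it cites) of a small risk register that scores each entry with the two-factor model, offers the three-factor model as a separate function, buckets scores into heat-map bands, ranks the register, and flags any risk above the organization's risk appetite that has no recorded treatment decision. The 1..5 scales, the band thresholds, the appetite threshold and the sample risks are all constructed assumptions.

```python
"""Added example: a small risk register implementing the article's
Risk = Likelihood x Impact scoring, the three-factor variant, a heat-map
bucketing and a Step 6 treatment check. Scales, thresholds and sample
risks are constructed assumptions, not figures from the article."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ordinal 1..5 scales (assumption: a common 5x5 matrix convention).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# The five treatment options named in Step 6.
TREATMENTS = {"reduce", "ignore", "accept", "transfer", "avoid"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    treatment: Optional[str] = None  # None = no decision recorded yet

    def score(self) -> int:
        """Two-factor model: Risk = Likelihood x Impact (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def three_factor_score(threat: int, vulnerability: int, impact: int) -> int:
    """Three-factor model: Risk = Threat x Vulnerability x Impact, each on 1..5."""
    for value in (threat, vulnerability, impact):
        if not 1 <= value <= 5:
            raise ValueError("each factor must be on the 1..5 scale")
    return threat * vulnerability * impact


def rating(score: int) -> str:
    """Bucket a 1..25 score into heat-map bands (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe outcomes surface earlier."""
    return sorted(register, key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Cell (likelihood, impact) -> asset names, i.e. the 5x5 risk matrix of Step 5."""
    grid: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in range(1, 6) for i in range(1, 6)}
    for r in register:
        grid[(LIKELIHOOD[r.likelihood], IMPACT[r.impact])].append(r.asset)
    return grid


def check_treatments(register: List[Risk], appetite_threshold: int = 8) -> List[Risk]:
    """Return risks at or above the appetite threshold (Step 1) with no treatment decision.
    Also rejects treatment values outside the five Step 6 options."""
    missing = []
    for r in register:
        if r.treatment is not None and r.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {r.treatment!r} for {r.asset}")
        if r.score() >= appetite_threshold and r.treatment is None:
            missing.append(r)
    return missing


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    Risk("customer DB", "external attacker", "unpatched SQL server", "likely", "severe", "reduce"),
    Risk("HR portal", "human error", "no MFA on admin accounts", "possible", "major"),
    Risk("office printer", "malicious insider", "default credentials", "unlikely", "minor", "accept"),
    Risk("DR site", "natural disaster", "single-region hosting", "rare", "severe", "transfer"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():2d} {rating(r.score()):6s} {r.asset:15s} "
              f"{r.threat} / {r.vulnerability} -> {r.treatment}")
    for r in check_treatments(SAMPLE_REGISTER):
        print("needs a treatment decision:", r.asset)
```

Running the sample puts the customer database (20, high) at the top, and the HR portal (12, medium) is flagged because it exceeds the assumed appetite threshold without a recorded treatment. The point of keeping the scales and thresholds in one place is that the ranking stays reproducible when the register grows and when different assessors score the same risk.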

The standards: ISO 27005, ISO 31000, NIST RMF

At this point, the most common question I hear is: “Which standard should we work within?” My answer is always the same: these frameworks are not competitors — they are complementary layers.

ISO 31000 provides sector-agnostic principles and process guidance for risk management applicable to any organization, regardless of size or industry. It does not require certification; it is a guidance document. It has been adopted as a national standard in 82 countries and serves as the foundational layer on which more specific standards are built.

ISO 27005 is ISO 31000 adapted specifically for information security risk management. It provides the practical guidance for satisfying the risk assessment requirements of ISO 27001 certification.

Developed by the U.S. National Institute of Standards and Technology, the NIST RMF is mandatory for federal agencies under FISMA and widely adopted in the private sector. It integrates security, privacy, and supply chain risk management into the system development life cycle through a 7-step process:

  1. Prepare – Establish organizational risk management context and priorities
  2. Categorize – Classify systems based on CIA impact analysis (Low / Moderate / High)
  3. Select – Choose baseline security controls from SP 800-53
  4. Implement – Deploy selected controls in the system
  5. Assess – Independently validate control effectiveness
  6. Authorize – Obtain management approval (Authority to Operate)
  7. Monitor – Continuous monitoring and adaptation to emerging threats
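The Categorize step above assigns a Low / Moderate / High impact level to each of confidentiality, integrity and availability, and the Select step picks a SP 800-53 baseline from the result. The following is an added example, not code from the article or from NIST, showing how a system's categorization is derived from the information types it processes using the high-water-mark rule (the highest level across the information types per objective, and the highest objective level for the overall baseline, as FIPS 199 and FIPS 200 describe it). The information types and their impact levels are constructed assumptions.

```python
"""Added example for RMF Categorize / Select: per-objective high-water mark
over the information types a system handles, then the overall impact level
that drives baseline selection. Sample information types are constructed."""
from typing import Dict

LEVELS = ["low", "moderate", "high"]  # ordered, so index() gives severity
OBJECTIVES = ("confidentiality", "integrity", "availability")


def categorize_system(information_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """information_types: {name: {objective: level}} -> {objective: high-water mark}."""
    category = {obj: "low" for obj in OBJECTIVES}
    for name, levels in information_types.items():
        for obj in OBJECTIVES:
            level = levels.get(obj)
            if level not in LEVELS:
                raise ValueError(f"{name}/{obj}: unknown impact level {level!r}")
            # A single high-impact information type raises the whole objective.
            if LEVELS.index(level) > LEVELS.index(category[obj]):
                category[obj] = level
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall system impact level = highest of the three objectives (FIPS 200 high-water mark).
    This is the level used to pick the Low / Moderate / High SP 800-53 baseline in the Select step."""
    return max(category.values(), key=LEVELS.index)


# Constructed sample: a web application that serves public content but also stores customer PII.
SAMPLE_SYSTEM = {
    "public web content": {"confidentiality": "low", "integrity": "moderate", "availability": "moderate"},
    "customer PII": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print("security category:", cat)
    print("overall impact / baseline:", overall_impact(cat))
```

For the sample system the category comes out as confidentiality high, integrity moderate, availability moderate, so the overall level and the selected baseline are High even though most of the system's data is low-impact. That is the practical consequence of the high-water mark: the most sensitive information type the system touches sets the control baseline for the whole system, which is why scoping (Step 1) and the inventory of information types matter so much before Select.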
