We recommend considering the following points when conducting a risk assessment
Risk Assessment
Security requirements and objectives, e.g., function-specific and non-function-specific system requirements
System or network architecture and infrastructures, e.g., using a network map and component plan that show how assets are configured and interconnected
Services and applications, including data and protocols, e.g., applications with particularly sensitive data
Processes regarding data processing, including input and output parameters, such as business processes, computer operating processes and application operating processes
Dependencies between applications and processes, e.g., processing of particularly sensitive data
Impact assessment, e.g., identification of consequences in case of loss of sensitive data, model-assisted threat analysis, etc.
Technical measures, e.g., selection of suitable security components, such as firewalls, intrusion detection systems, or physical and logical access control systems
Organisational measures, e.g., business continuity management and desaster recovery management
Government laws and regulations pertaining to minimum security control requirements
Documented or informal policies, procedures and guidelines
For further information, please refer to Information Systems Audit and Control Association, ISACA (www.isaca.org)
or the corresponding ISO standard for Risk Management in IT Systems ISO 27005.