Information Security Risk Assessment Template - Uses NIST 800-171 Cybersecurity Control Set


NIST-Based Cybersecurity Risk Assessment Template (CRAT)

Need to perform an information security risk assessment? This is a pretty common requirement that can seem like an insurmountable obstacle, since most people are not trained on how to perform a risk assessment or they lack a simple tool that is comprehensive enough to meet their needs.

This is where our Information Security Risk Assessment Template comes into play - we developed a simple Microsoft Excel template to walk you through calculating risk and a corresponding Word template to report on that risk. If you can use Word and Excel, you can successfully use our templates to perform a risk assessment. We even give you a completely filled-out example risk assessment, so that you can use that as a reference.

What Is The Cybersecurity Risk Assessment (CRAT)?

  • The CRAT is an editable risk assessment template that you use to create risk assessments.
    • It contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.
    • Included is an example risk assessment that can be used as a guide.
  • The CRAT supports the Risk Management Program (RMP) product in answering the “how?” questions for how your company manages risk.
    • You do not need the RMP to generate risk assessments with the CRAT. 
    • The RMP just tells the rest of the story for how risk is managed at your organization.
  • Where the RMP lays the groundwork for how risk is to be managed, the CRAT is a template that allows you to product the end product of risk management, which is a professional-quality risk assessment report.

  What Problem Does The CRAT Solve?  

  • Lack of In-House Risk Experience - Many organizations lack internal staff who can come up with quality risk assessments. The CRAT is an affordable solution for managers or IT staff to conduct quality risk assessments.
  • Audit Failures - Most organizations run into trouble in audits when asked to provide evidence of risk assessments being performed. The CRAT provides a template to conduct repeatable risk assessments in a very professional format. The CRAT provides this evidence!
  • Vendor Requirements - It is very common for clients and partners to request evidence of a risk assessments. Clients and partners often ask to see evidence of risk assessments so they can also understand your risks. The CRAT provides this evidence!
  • Compliance Requirements - Requirements such as PCI DSS, HIPAA, MA 201 CMR 17.00 and NIST 800-171 establish a mandate to conduct risk assessments. The CRAT addresses these compliance requirements!

 How Does the CRAT Solve It?  

  • Clear Documentation - The CRAT provides the comprehensive documentation to prove that your risk program exists.
  • Alignment With Leading Practices - The CRAT covers natural and man-made risks, as well as risk associated with the absence or state of cybersecurity controls (as defined by NIST 800-171). This creates a quality scope for a cybersecurity risk assessment. 

Common Scenarios That Require Information Security Risk Assessments

If you fall in scope for any of these compliance requirements, you have to perform risk assessments and you need this template:

  • Payment Card Industry Data Security Standard (PCI DSS) - Section#12.2 requires companies to perform a formal risk assessment!
  • Massachusetts MA 201 CMR 17.00 - Section# 17.03(2)(b) requires companies to "identify & assess" reasonably-forseeable internal and external risks! 
  • Oregon Identity Theft Protection Act - Section 646A.622(2)(d)(B)(ii) requires companies to assess risks in information processing, transmission & storage!
  • Health Insurance Portability and Accountability Act (HIPAA) - Security Rule (Section 45 C.F.R. §§ 164.302 – 318) requires companies to conduct an accurate & thorough assessment of potential risks!
  • Gramm-Leach-Bliley Act - Safeguard Rule requires company to identify and assess risks to customer information!
  • NIST 800-171 - Protecting CUI in Nonfederal Information Systems and Organizations - Section 3.11 requires risks to be periodically assessed!

Given that we designed this risk assessment template based on industry-recongized best practices, you can use our template to address those information security risk assessment requirements. The authoritative sources we used are based on National Institute for Standards and Technology (NIST) frameworks - NIST 800‐30 (Risk Management Guide for Information Technology Systems), NIST  800‐37  (Guide  for  Applying  the  Risk  Management  Framework  to  Federal Information Systems) & NIST 800‐39 (Managing Information Security Risk).


Simple Solution To Create Professional-Quality IT Security Risk Assessments

Most companies have requirements to perform risk assessments, but they lack the knowledge and experience to undertake such assessments. That means businesses are faced to either outsource the work to expensive consultants or they ignore the requirement and hope they do not get in trouble for being non-compliant with a compliance requirement. In either situation, it is not a good place to be. The good news is that we created an affordable solution for businesses to conduct their own information security risk assessments.

If you can use Microsoft Word and Excel, then you can perform a risk assessment by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we did the hard work of creating the formatting, bringing together the correct scope of information that needs to be assessed, and we built the calculations to make your work as simple as selecting from a few drop-down answers!


Complete Example Risk Assessment Comes With The Template! 

One great feature is we provide a completely filled out example information risk assessment, so that you can see what one looks like and use it as a guide for your own needs. This template will save you dozens of hours of work and frustration in building your own template! 

Take a look at the example to see for yourself!


example-cybersecurity-risk-assessment-report.jpg   example-cybersecurity-risk-assessment-worksheet.jpg

If you have any questions at all about this product, please contact us - we would be more than happy to help explain how this solution works and why it is worth it!


Risk Assessment Template Contents - What You Get! 

Our latest version of the Information Security Risk Assessment Template includes:

  • Section for assessing both natural & man-made risks.
  • Section for assessing reasonably-expected cybersecurity controls (uses NIST 800-171 recommended control set) - applicable to both NIST 800-53 and ISO 27001/27002! 
  • Section for assessing Capability Maturity Model (CMM) - built into cybersecurity control assessment portion of the risk assessment.
  • Blank templates in Microsoft Word & Excel formats.
  • Fully filled-out example of the templates that you can edit in Microsoft Word & Excel


Graph Depicting Natural & Man-Made Risks

The Excel-based worksheet comes with graphs showing before & after risk levels. These are just embedded into the report to provide a good visual. The calculations from the worksheets make it easy to show raw risk scores and also weighted scores, which take into consideration the importance of the control, the maturity of the protections in place, and any compensating measures that may exist to reduce the risk. 


Risk Assessment Matrix 

The calculations show raw risk scores and also take into account weighting factors, such as the importance of the control, the maturity of the protections in place, and any compensating measures that may exist to reduce the risk. The CRAT utilizes a 6x6 risk assessment matrix. The CRAT is able to show both the raw risk score, as well as the final score when compensating controls are taken into consideration.




Cybersecurity Risk Assessment Template (CRAT) Cost Savings Estimate

Similar to the RMP example above, when you factor in internal staff time to perform reviews and refinements with key stakeholders, purchasing a CRAT from ComplianceForge is approximately 34% ($2,000+ savings) of the cost as compared to writing your own documentation and 21% ($4,500+ savings) of the cost as compared to hiring a consultant to write it for you!



Sort by:

Sign up for our Newsletter!