The Security Risk Assessment Process: A Step-by-Step Guide for Australian Organisations


The security risk assessment process is a structured way to identify the security risks an organisation faces, analyse how serious each one is, and decide what to do about it, so that limited resources are directed at the risks that matter most. Done well, it replaces opinion with evidence and gives a board a defensible basis for the controls it funds. The process below follows the sequence set out in AS ISO 31000:2018, the Australian risk management standard, and applies whether the subject is a single building or a national operation.

Key takeaways

  • A security risk assessment moves through a set sequence: establish the context, identify assets and threats, analyse vulnerability, rate each risk by likelihood and consequence, evaluate against risk appetite, and treat.
  • The process is built on AS ISO 31000:2018, with monitoring, review and communication running throughout rather than as a final step.
  • An identified risk becomes actionable only once it is rated, because the rating, not the list of findings, decides the order of treatment.
  • The output is a documented risk register and treatment plan, often presented as a Security Threat and Risk Assessment or a Security Risk Management Plan.
  • An assessment differs from a security audit: the assessment decides which risks matter, while the audit verifies that the agreed controls are in place and working.

What is a security risk assessment?

A security risk assessment is a structured process that identifies, analyses and prioritises the security risks to an organisation’s people, information, assets and operations, and recommends treatments in priority order. It produces a documented view of the risks an organisation actually faces, rated so the most serious are addressed first.

The assessment is distinct from a general risk review in that it focuses on deliberate and malicious threats, such as intrusion, theft, violence, sabotage and information compromise, alongside the natural and accidental hazards that affect security. In Australia it is normally conducted in line with AS ISO 31000:2018, Risk management — Guidelines, which sets out the process described here.[1]

What are the steps in the security risk assessment process?

Step 1: Establish the context and scope

Define what is being assessed and why. Agree the assets, sites, operations and threats in scope, the period under review, the risk criteria, and the obligations the assessment must address. A clear scope keeps the assessment focused and its findings comparable over time. The context also captures the organisation’s risk appetite, which later decides which risks are tolerable and which must be treated.

Step 2: Identify the assets and their criticality

List the people, information, physical assets and services that need protection, and rate how critical each is to the organisation. Criticality matters because a control that protects a minor asset and one that protects a critical one are not equal priorities. This step is where the assessment is anchored to what the organisation values, rather than to a generic checklist.

Step 3: Identify the threats and hazards

Identify who or what could cause harm, and how. Sources include the organisation’s incident history, sector threat reporting, the local environment, and the knowledge of staff who run the operation. A threat is credible when there is a plausible actor or event, a motive or cause, and the capability to act. Recording the threat clearly is what allows the later analysis to be defensible.

Step 4: Assess the vulnerabilities and existing controls

Examine how exposed each asset is to each credible threat, taking account of the controls already in place. The gap between the protection a control is supposed to provide and the protection it actually provides is where the real exposure usually sits: a card-access door that is routinely propped open, or an alarm whose activations nobody reviews, provides little of the protection its design claims. Test controls as they operate, by inspecting them, sampling their records and trying them, rather than as they are described in policy, and record for each whether it was found effective, because only the controls that were found effective should count when the residual risk is rated in Step 5.

Step 5: Analyse and rate the risk

Rate each risk by combining the likelihood of the threat being realised with the consequence if it is. AS ISO 31000:2018 frames this as risk analysis, and a consistent likelihood and consequence scale, agreed in Step 1 and applied to every risk, is what makes the ratings comparable across a portfolio. The rating of interest is the residual risk, with existing controls credited only to the extent Step 4 showed them effective; recording the inherent rating alongside it shows how much the organisation is relying on those controls. The rating, not the list of findings, is the output that tells an organisation what to address first.

Step 6: Evaluate against risk appetite

Compare each rated risk against the risk criteria and appetite set in Step 1. Some risks will fall within tolerance and need only monitoring; others will exceed it and require treatment. Evaluation is the decision point that separates the risks an organisation can accept from those it cannot.

Step 7: Treat the risk

Recommend treatments for the risks that exceed appetite, in priority order. Treatment options include avoiding the activity that gives rise to the risk, reducing the likelihood, reducing the consequence, sharing the risk with another party through insurance or contract (AS ISO 31000:2018 uses "sharing" rather than "transferring", since the organisation usually retains part of the consequence), or retaining it with a documented rationale. Each treatment should name an owner, an indicative priority and a target date, so the plan can be acted on rather than filed.

Step 8: Monitor, review and communicate

Monitoring, review and communication run through the whole process, not only at the end. Risks change as threats, operations and controls change, so a security risk assessment is a cycle rather than a one-off document. Communicating the findings clearly, to both the board and the staff who implement the treatments, is what turns an assessment into action.
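Steps 2 to 7 above, worked as a small risk register in Python. This is an added example and not code from the original page or from any standard: the 5-point scales, the band thresholds, the appetite level and the three sample risks are constructed for illustration, and AS ISO 31000:2018 does not prescribe any particular matrix or scale. What it shows beyond the text is the Step 4 point in numbers: the rating an organisation believes it has when its controls are assumed to work as designed, beside the rating it actually has when only the controls that tested effective are counted.

```python
"""Risk register: rate each risk, evaluate against appetite, order treatment.

Added worked example. The scales, band thresholds, appetite and the three
sample risks below are constructed for illustration; AS ISO 31000:2018 does
not prescribe any particular matrix or scale.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales agreed in Step 1 (constructed; each organisation defines its own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = ["low", "medium", "high", "extreme"]  # least to most serious


def rating_band(likelihood: int, consequence: int) -> str:
    """Step 5: map a likelihood x consequence cell to a band (constructed thresholds)."""
    score = likelihood * consequence
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Control:
    name: str
    reduces: str            # "likelihood" or "consequence"
    steps: int              # scale steps removed when the control works as designed
    tested_effective: bool  # Step 4 finding: does it actually work today?


@dataclass
class Risk:
    risk_id: str
    asset: str
    asset_criticality: int  # Step 2: 1 (minor) .. 5 (critical)
    threat: str
    likelihood: str         # inherent, i.e. before any control is credited
    consequence: str
    controls: list[Control] = field(default_factory=list)

    def residual(self, trust_design: bool = False) -> tuple[int, int]:
        """Likelihood and consequence after controls. By default only controls
        that tested effective are credited; trust_design=True gives the rating
        the organisation believes it has, so the two can be compared."""
        lik, con = LIKELIHOOD[self.likelihood], CONSEQUENCE[self.consequence]
        for c in self.controls:
            if not (trust_design or c.tested_effective):
                continue
            if c.reduces == "likelihood":
                lik = max(1, lik - c.steps)
            else:
                con = max(1, con - c.steps)
        return lik, con


def control_gap(risk: Risk) -> tuple[str, str]:
    """Step 4: band if controls worked as designed vs band as they actually tested."""
    return rating_band(*risk.residual(trust_design=True)), rating_band(*risk.residual())


def evaluate(risks: list[Risk], appetite: str):
    """Steps 6 and 7: split risks into those above appetite (treat) and those
    within it (monitor). Treatment order: worst band, then highest score, then
    most critical asset. Returns (treat, monitor) as (risk_id, band, score) rows."""
    limit = BANDS.index(appetite)
    treat, monitor = [], []
    for r in risks:
        lik, con = r.residual()
        band = rating_band(lik, con)
        (treat if BANDS.index(band) > limit else monitor).append((r, band, lik * con))
    treat.sort(key=lambda t: (-BANDS.index(t[1]), -t[2], -t[0].asset_criticality))

    def rows(items):
        return [(r.risk_id, band, score) for r, band, score in items]

    return rows(treat), rows(monitor)


# Constructed sample register (illustrative, not real findings).
SAMPLE_RISKS = [
    Risk("R1", "server room", 5, "unauthorised physical access", "likely", "major", [
        Control("card-access door", "likelihood", 2, tested_effective=False),  # found propped open
        Control("monitored CCTV", "likelihood", 1, tested_effective=True),
    ]),
    Risk("R2", "visitor reception", 2, "theft of unattended laptops", "possible", "minor", [
        Control("cable locks", "likelihood", 1, tested_effective=True),
    ]),
    Risk("R3", "payroll data", 4, "insider data exfiltration", "possible", "severe", [
        Control("pre-employment screening", "likelihood", 1, tested_effective=True),
        Control("DLP alerting on bulk export", "consequence", 1, tested_effective=True),
    ]),
]

if __name__ == "__main__":
    treat, monitor = evaluate(SAMPLE_RISKS, appetite="medium")
    print("treat, in order:", treat)     # R1 (high, 12) ahead of R3 (high, 8)
    print("monitor:", monitor)           # R2 (medium, 4) sits within appetite
    print("R1 designed vs tested:", control_gap(SAMPLE_RISKS[0]))  # ('medium', 'high')
```

Run as a script, the register reports R1 as high rather than the medium its design would suggest, because the door control that carries most of the designed reduction failed the Step 4 test. A real register also records the risk owner, the chosen treatment and its target date for each row; multiplying ordinal scores is a common convention rather than a measurement, so the band thresholds should be the ones the organisation agreed in Step 1, not a default.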

How does a security risk assessment differ from a security audit?

The two are related but answer different questions. A security risk assessment asks what could harm the organisation, how serious each risk is, and what should be done about it. A security audit asks whether the controls the organisation relies on are present and operating against a defined benchmark. Mature security programs use both: the assessment sets the priorities, and the audit verifies that the agreed controls are holding.

What standards and obligations apply to a security risk assessment?

The process is grounded in AS ISO 31000:2018, Risk management — Guidelines.[1] Beyond the standard, the obligations that prompt an assessment shape its benchmark:

  • Australian Government entities and their suppliers work to the Protective Security Policy Framework, whose risk domain calls for a security risk management process, supported by the Information Security Manual for information and communications technology.[2]
  • Critical infrastructure responsible entities address the Security of Critical Infrastructure Act 2018 and the Critical Infrastructure Risk Management Program Rules, which require all-hazards risk management across four hazard vectors: cyber and information security, personnel, supply chain, and physical security and natural hazards.[3]
  • Many organisations also assess against physical security requirements, board or insurer expectations, and contractual obligations.

The benchmark is agreed at the start, because it defines what the assessment is measuring against.

How often should a security risk assessment be conducted?

A common practice is a full assessment annually, with an interim assessment after a significant change such as a new or refurbished site, a restructure, a major incident or a new regulatory obligation. The right interval is the one that keeps the risk picture current between assessments, since an out-of-date assessment can be more misleading than none.

Who should conduct a security risk assessment?

A security risk assessment is best conducted by an assessor independent of the team that designed or operates the controls, so that the analysis is not shaped by the need to defend existing arrangements. Independence, sector knowledge and familiarity with the relevant Australian standards are the qualities that make an assessment credible to a board and to a regulator.

How Agilient can assist

Agilient conducts independent security risk assessments for government and major commercial organisations across Sydney, Melbourne, Brisbane, Adelaide and Canberra. As an independent, vendor-neutral consultancy, Agilient assesses risk without any interest in selling the equipment or services a treatment might recommend, which keeps the analysis objective. Each assessment is conducted in line with AS ISO 31000:2018 and is delivered as a documented Security Threat and Risk Assessment or Security Risk Management Plan, with a prioritised risk register and a treatment plan an executive can act on. Where the work extends to verifying controls, Agilient’s security audit service confirms that the agreed treatments are in place and operating.

Frequently asked questions

What is the security risk assessment process?

It is a structured sequence that establishes the context, identifies assets and threats, assesses vulnerability, rates each risk by likelihood and consequence, evaluates it against risk appetite, and recommends treatments, with monitoring and review throughout. In Australia it follows AS ISO 31000:2018.

What is the difference between a security risk assessment and a security audit?

A security risk assessment identifies and prioritises the risks an organisation faces and recommends treatments. A security audit verifies that controls are present and operating against a benchmark. The assessment sets priorities; the audit checks the controls.

Which standard governs the security risk assessment process in Australia?

AS ISO 31000:2018, Risk management — Guidelines, sets out the process of establishing context, identifying, analysing, evaluating and treating risk, with monitoring, review and communication throughout.

What does a security risk assessment produce?

A documented assessment, often a Security Threat and Risk Assessment or a Security Risk Management Plan, containing a prioritised risk register and a treatment plan with owners and indicative priorities.

How long does a security risk assessment take?

It depends on the number of sites, the breadth of assets, and the evidence available. A single-site assessment may take one to two weeks, while a complex multi-site assessment takes longer. Agreeing a tight scope at the outset is the main factor in keeping it efficient.

References

  1. Standards Australia, AS ISO 31000:2018 Risk management — Guidelines, standards.org.au
  2. Department of Home Affairs, Protective Security Policy Framework (Release 2025), protectivesecurity.gov.au
  3. Cyber and Infrastructure Security Centre, Security of Critical Infrastructure Act 2018 and the CIRMP Rules, cisc.gov.au