Conducting a Cyber Risk Assessment with NIST SP 800-30

When to Use

  • When the organization needs a real risk assessment — an analysis of specific threats, likelihoods, and impacts — rather than a maturity score against a framework. (Maturity tells you how mature your practices are; a risk assessment tells you what could hurt you and how badly.)
  • When another framework requires a documented risk analysis as a mandatory input: NIST CSF (ID.RA), ISO 27001 (Clause 6.1.2), NIST RMF / 800-37 (the Prepare and Select steps), SOC 2 (CC3), PCI DSS, or HIPAA (§164.308(a)(1)(ii)(A)).
  • When standing up or significantly changing a system and you must understand its risk before authorization or go-live.
  • When leadership asks for the organization's top risks, ranked, with a rationale they can defend to a board or regulator.
  • When building or refreshing an enterprise risk register.

Prerequisites

  • An inventory of in-scope assets, systems, and the information types they handle (system boundary defined).
  • Access to threat intelligence (internal incident history, sector ISAC feeds, MITRE ATT&CK) to ground threat-event likelihood in observed behavior.
  • Vulnerability data (scan results, pen-test findings, configuration/architecture review) for the in-scope systems.
  • Business context: which missions/processes the systems support, and what impact to confidentiality, integrity, or availability would mean in business terms.
  • Agreement on the risk model and scales before scoring, so results are comparable and repeatable (see references/standards.md).
  • Familiarity with the three-tier risk-management context from NIST SP 800-39 (organization, mission/business process, information system).
conducting-cyber-risk-assessment-with-nist-800-30 — mukul975/anthropic-cybersecurity-skills