Page 81 - CISSO_Prep_ Guide
Scope Notes: Includes assessing the critical functions necessary for an enterprise to continue operations, considering the controls in place, and evaluating the cost for such restrictions. Risk analysis often involves an evaluation of the probabilities of a particular event.²
ISACA defines risk analysis as:
1. A process by which the frequency and magnitude of IT risk scenarios are estimated.
2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats.
ISO/IEC 27005 considers risk assessment to include the phases of Risk Identification, Risk Estimation, and Risk Evaluation. It considers Risk Analysis to be the subset of Risk Assessment that consists only of the Risk Identification and Risk Estimation phases.
NIST SP 800-30 states that the two terms, assessment and analysis, are synonymous. We will not make a distinction between risk analysis and risk assessment in this book.
What is Risk Assessment?
Risk assessment is the first step in protecting assets from threats. Risk assessment is a systematic process of identifying threats, exposing vulnerabilities, and rating the impact of an adverse event, no matter how it could happen - intentionally,
² ISACA Glossary, www.isaca.org