This phase assesses the organization's risks and estimates the likelihood and impact of those risks.

Risk assessment is the process of evaluating potential risks and estimating how likely they are to occur and how severe their impact would be. This goes beyond simply listing what could go wrong (risk identification) by giving each risk a sense of its magnitude, which helps organizations prioritize which issues to address first. The assessment can be qualitative, using categories like low/medium/high, or quantitative, assigning numerical probabilities and potential monetary losses. This phase informs decisions on which controls to implement and how to allocate security resources. It’s different from cyber threat intelligence, which focuses on gathering information about threat actors and campaigns, and from risk tracking, which is about monitoring risks over time after controls are in place.