"What is the difference between a risk assessment and a cybersecurity control self-assessment?"
That was the question posed during one of Tandem's recent "Ask Me Anything" webinars, and it's one we hear pretty regularly. On the surface, these two types of assessments may seem interchangeable. After all, both aim to strengthen an organization's cybersecurity posture by identifying potential weaknesses and opportunities to improve maturity.
But dig a little deeper, and you'll find they have distinct origins, objectives, and outcomes.
In this article, we'll break down the key similarities and differences between risk assessments and cybersecurity control self-assessments and explain how they can best be used in harmony with each other.
About Risk Assessments
Risk assessments, and more specifically, information security risk assessments (ISRA) are the foundation of an organization's information security program. The purpose of the assessment is to help the organization identify, measure, and control risks facing systems and data.
One reason financial institutions perform ISRAs is because it is required. The requirement stems from the Gramm-Leach-Bliley Act (GLBA) and the resulting Interagency Guidelines Establishing Information Security Standards, which expect financial institutions to do the following:
- Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
- Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information.
- Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
To learn more about how to conduct an ISRA, check out our blog: What is a GLBA Risk Assessment?
About Cybersecurity Control Self-Assessments
A cybersecurity control self-assessment is a process in which an organization benchmarks its own security practices against established standards. For simplicity's sake, we're going to call these "cybersecurity assessments" in the rest of the article.
The purpose of a cybersecurity assessment is to help the organization determine whether controls are implemented and create plans to improve control maturity.
One reason financial institutions perform cybersecurity assessments is because it is encouraged. According to an August 2019 press release from the FFIEC:
"Firms adopting a standardized approach are better able to track their progress over time and share information and best practices with other financial institutions and with regulators. Institutions may choose from a variety of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness."
FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness
The Similarities
There are some similarities between risk assessments and cybersecurity assessments. For example, both assessments can:
- Improve cybersecurity. Both assessments can help financial institutions strengthen their cybersecurity posture and protect critical systems and data.
- Inform decision-making. Both assessments can offer leadership the context and data needed to justify cybersecurity investments and make strategic decisions.
- Support compliance activities. Both assessments can demonstrate required cybersecurity and risk management practices are in place.
- Provide evidence for audits. Both assessments can produce records and documentation that demonstrate proactive risk management.
- Encourage security awareness. Both assessments can raise awareness of cybersecurity and foster a culture of security throughout the organization.
That said, the similarities between the two types of assessments largely end there. While they share a few high-level traits, their purpose, focus, and outputs are fundamentally different.
The Differences
Risk assessments and cybersecurity assessments are not the same and they are not interchangeable. Each serves a distinct purpose and delivers unique value. Here are some key differences between the two.
|
|
Risk Assessments |
Cybersecurity Assessments |
|
Perspective |
Threat-centric view: What could go wrong and how bad could it be? |
Control-centric view: What protections are in place and how strong are they? |
|
Purpose |
Identify, analyze, and prioritize risks to guide response and resource allocation |
Assess control maturity to improve cybersecurity posture and support compliance |
|
Focus |
Threats to confidentiality, integrity, and availability of systems, data, and operations |
Controls implemented to prevent, detect, and respond to threats |
|
Scope |
Evaluates the inherent and residual likelihood, impact, and risk of threats |
Evaluates the presence, maturity, and effectiveness of controls |
|
Methodology |
Measures likelihood and impact of threats based on internal criteria |
Benchmarks control maturity based on a defined standard or framework |
|
Ratings |
Risk scale (e.g., Insignificant, Low, Medium, High, Extreme) |
Maturity scale (e.g., Not Implemented, Partially Implemented, Fully Implemented) |
|
Output |
Risk register with prioritized threats and risk management plans |
Maturity matrix and gap analysis with action plans for control improvement |
|
Legally Required |
Yes - Required for GLBA compliance |
No - Not required, but encouraged |
|
Prescribed Format |
No - Format is flexible and organization-specific |
Yes - Format is prescribed based on the selected framework |
|
Board Communication |
Provides high-level insight into risks and risk management strategies |
Provides a detailed view of control posture relative to standards |
Inherent and Residual Risk in Cybersecurity Assessments
Another common question we receive is whether inherent and residual risk should be included in a cybersecurity assessment. While this confusion is understandable, the short answer is:
No, inherent and residual risk do not belong in a cybersecurity assessment.
These are outputs of a risk assessment, not a cybersecurity control assessment.
- Inherent risk refers to the level of risk that exists before any controls are applied.
- Residual risk refers to the level of risk that remains after controls have been implemented.
Calculating either one requires identifying specific threats, vulnerabilities, likelihoods, and impacts – all of which are core elements of the risk assessment process. These factors typically fall outside the scope of a cybersecurity assessment.
Why the Confusion?
The idea of including inherent risk in a cybersecurity assessment largely stems from the FFIEC Cybersecurity Assessment Tool (CAT), which includes an Inherent Risk Profile section.
This confusion often arises because certain terms are used to mean different things in different contexts. Specifically, in the CAT, the "Inherent Risk Profile" functions more like a business exposure assessment rather than a traditional assessment of threats, likelihood, and impact.
The primary purpose of the Inherent Risk Profile in the CAT is to help financial institutions determine whether their controls are appropriate for their overall exposure. This is a tool-specific design choice, not a universal best practice or requirement.
What Does This Mean for Other Frameworks?
Most modern cybersecurity frameworks do not include inherent risk as part of the framework itself. Instead, they encourage organizations to perform a separate risk assessment to evaluate inherent and residual risk.
For example, the NIST Cybersecurity Framework (CSF) clearly places inherent risk within the risk assessment function.
ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization.
Similarly, other frameworks offer supplemental tools or guidance to support the assessment of risk or business exposure. While these resources can help scope the cybersecurity assessment or provide context for interpreting results, inherent and residual risk are not built into the core content of the framework itself.
In short, most modern frameworks treat inherent risk as an input to (not a component of) the cybersecurity assessment process.
How to Address Stakeholder Expectations
If stakeholders such as board members, senior management, auditors, or examiners are accustomed to seeing inherent or residual risk referenced in cybersecurity assessments (especially due to FFIEC CAT familiarity), you may want to include a brief note in your cybersecurity assessment introduction to clarify:
- Risk is addressed separately in the institution's Information Security Risk Assessment (ISRA).
- The cybersecurity assessment focuses solely on control implementation, maturity, and alignment with best practices.
This helps bridge expectations without misrepresenting the intent or scope of your assessment.
In Summary
While it is appropriate (and encouraged) to use cybersecurity assessment results as input when performing a risk assessment (and vice versa), inherent and residual risk do not stand on their own within a cybersecurity assessment.
Cybersecurity assessments evaluate the presence, maturity, and effectiveness of controls. Risk assessments, by contrast, evaluate the risk of threats both before (inherent) and after (residual) controls are applied.
In this way, risk assessments and cybersecurity assessments are complementary, but distinct. While both contribute to understanding an organization's security posture, they serve different purposes and provide different types of insight. Keeping them separate promotes clarity, supports alignment, and enables better decision-making.
For assistance with conducting an ISRA or to request access to a free online tool for performing cybersecurity assessments, check out Tandem. Tandem is a cybersecurity governance, risk management, and compliance (GRC) application, designed specifically to help financial institutions improve their security posture.
Each of our products includes a friendly user interface, multi-user access, helpful notifications, and ready-to-use documents for you to share with your Board of Directors and senior management. Learn more about how we can help you with Tandem Risk Assessment and Tandem Cybersecurity Assessment.
