NIST’s SP 800-30 methodology takes a broader approach than many other security risk assessments. Rather than looking only at technology, 800-30 uses a three-tiered approach that also examines business processes and the organization’s structure and governance. This wider view gives much more context around identified risks, at the cost of a longer assessment process.
Much like SecureState’s iRisk approach, 800-30 examines potential threats together with their likelihood and impact, and identifies the vulnerabilities those threats could exploit. NIST provides a very robust catalogue of controls that can be implemented to mitigate the resulting risks. It also supplies a lengthy list of potential threats, which simplifies threat identification and makes assessments more consistent.
Finally, three different assessment scales are provided for rating each component: qualitative, quantitative, and semi-quantitative. The assessor chooses whichever of these three scales best matches the scope and goals of the assessment.
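As an added illustration of the two points above (combining likelihood and impact, and choosing between qualitative and semi-quantitative scales), the following Python ranks a constructed threat register; it is example code, not from the original article or from NIST. The level names, the likelihood-by-impact matrix and the 0-100 score bins are written from my reading of 800-30 Rev 1 Appendix I and should be checked against the publication before use.

```python
# Added example (not from the page or NIST): risk determination in the style of
# NIST SP 800-30 Rev 1 Appendix I. The five levels, the likelihood x impact matrix
# and the 0-100 semi-quantitative bins are reproduced from memory of that appendix
# (assumption); verify them against the publication before relying on them.

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows are likelihood levels; columns follow LEVELS order for impact.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Semi-quantitative integer scores (0-100) bin into the same five levels.
SEMI_QUANT_BINS = [(0, 4, "Very Low"), (5, 20, "Low"), (21, 79, "Moderate"),
                   (80, 95, "High"), (96, 100, "Very High")]

def to_level(value):
    """Accept a qualitative level name or a semi-quantitative integer score."""
    if isinstance(value, str):
        if value not in LEVELS:
            raise ValueError(f"unknown level: {value!r}")
        return value
    for low, high, name in SEMI_QUANT_BINS:
        if low <= value <= high:
            return name
    raise ValueError(f"score out of range: {value}")

def risk_level(likelihood, impact):
    """Combine likelihood and impact with the matrix; inputs may mix scales."""
    return RISK_MATRIX[to_level(likelihood)][LEVELS.index(to_level(impact))]

# Constructed sample threat register mixing qualitative and semi-quantitative entries.
SAMPLE_REGISTER = [
    {"threat": "Phishing campaign against staff", "likelihood": "High", "impact": 85},
    {"threat": "Unpatched internet-facing server", "likelihood": 60, "impact": "High"},
    {"threat": "Laptop lost in transit", "likelihood": "Moderate", "impact": "Low"},
    {"threat": "Insider misuse of database access", "likelihood": 10, "impact": "Very High"},
]

def rank_register(register):
    """Return (risk level, threat) pairs ordered highest risk first (stable on ties)."""
    scored = [(risk_level(e["likelihood"], e["impact"]), e["threat"]) for e in register]
    return sorted(scored, key=lambda s: LEVELS.index(s[0]), reverse=True)
```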