How to Conduct a Cybersecurity Risk Assessment for Your Organization

Tags: cybersecurity, IT risk management, risk management, security assessment

Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

A cybersecurity risk assessment answers three questions: what does the business own, what could reach it, and how bad would the impact be. Done well, it produces a scored risk register an insurer, board, or PIPEDA reviewer can read without translation. This playbook walks the seven-step methodology Fusion Computing runs on Canadian SMB engagements.

KEY TAKEAWAYS

  • A cybersecurity risk assessment scores findings by likelihood and impact to produce a prioritized risk register, then maps that register to controls.
  • Most Canadian SMBs use NIST SP 800-30 r1 as the methodology, NIST CSF 2.0 as the program spine, and the Canadian Centre for Cyber Security baseline controls as the local floor.
  • The seven steps run two to four weeks: asset inventory, threat identification, vulnerability identification, likelihood and impact scoring, risk register, treatment plan, reporting and re-assessment.
  • A risk assessment is broader than a vulnerability scan or penetration test; the three artifacts answer different questions and stack on each other.
  • Scored risk registers mapped to NIST CSF 2.0 are what cyber-insurance underwriters and Canadian privacy regulators ask for first.


What is a cybersecurity risk assessment?

A cybersecurity risk assessment is a structured process that identifies assets, threats, and vulnerabilities, scores each finding by likelihood and impact, and produces a prioritized risk register with recommended controls. NIST SP 800-30 r1 defines it as determining the probability and magnitude of harm to organizational operations; ISO 27005:2022 frames the same work as the bridge between asset value and treatment decisions.

The output is a register listing each risk, its score, its current control, and a target date. Two adjacent artifacts get confused with the assessment.

Risk assessment vs vulnerability assessment vs pen test

A vulnerability assessment enumerates known CVEs and misconfigurations across hosts, applications, and cloud services. A penetration test proves which of those weaknesses (plus the weak credentials and logic flaws a scanner does not see) an attacker can actually chain into business impact. A risk assessment sits above both: it scopes which assets matter, scores findings against business consequences, and produces the register an insurer or auditor signs off on.

Artifact | Question answered | Typical tooling
Risk assessment | What is the prioritized list of business risks and their treatments? | Risk register, NIST CSF 2.0 control map, Power BI dashboard
Vulnerability assessment | Which CVEs and misconfigurations exist on which assets right now? | Microsoft Defender Vulnerability Management, Tenable Nessus, Qualys
Penetration test | Which of those weaknesses can an attacker actually exploit to reach data? | Manual red-team, OffSec-certified tester, scoped engagement

Run a vulnerability assessment first, feed it into the risk assessment, then commission a penetration test against the highest-scored items.

The seven-step risk assessment methodology

NIST SP 800-30 r1 organizes the work into preparing, conducting, and maintaining the assessment. Translated for Canadian SMBs, that becomes seven concrete steps: asset inventory, threat identification, vulnerability identification, likelihood and impact scoring, risk register, treatment plan, reporting and re-assessment. The Canadian Centre for Cyber Security baseline controls slot into steps 4 and 6 as the local floor.

Step | Activity | Output
1. Asset inventory | Catalog hardware, software, SaaS, data stores; tag criticality | Asset register with criticality ratings
2. Threat identification | Map relevant threat actors and scenarios per asset | Threat catalog tied to assets
3. Vulnerability identification | Run scans, review configurations, interview owners | CVE list, misconfiguration list, process gaps
4. Likelihood and impact scoring | Apply 5×5 matrix per finding | Composite scores 1 to 25
5. Risk register | Document asset, threat, vulnerability, score, owner | Single source of truth artifact
6. Treatment plan | Decide accept, mitigate, transfer, or avoid per risk | Prioritized roadmap with owners and dates
7. Reporting and re-assessment | Executive readout, schedule next review | Board-ready report, cadence calendar

Step 1: Asset inventory and criticality

Start with a complete inventory of hardware, software, SaaS tenants, identity providers, and data stores. Tag each entry with a criticality rating (high, medium, low) based on revenue impact, regulatory exposure, and recovery time tolerance. Pull device data from RMM, identity data from Microsoft Entra ID, and SaaS data from Microsoft Purview. Skipping inventory work is the most common reason assessments miss real risks.

Most Canadian SMBs discover 10 to 25 percent more assets than expected. Shadow SaaS accounts and unmanaged endpoints surface here, not later.

Step 2: Threat identification

Map plausible threats to each high-criticality asset using a small, locally relevant catalog: ransomware operators, business email compromise actors, infostealer commodity malware, supply-chain compromise of an MSP or SaaS vendor, insider error, and physical loss. The Canadian Centre for Cyber Security National Cyber Threat Assessment names ransomware and credential phishing as the dominant SMB threats, which is where to start.

Reference points for this step: the Canadian Centre for Cyber Security baseline controls set the local SMB floor, and NIST SP 800-30 r1 is the methodology canon. For arguing impact with executives, the IBM 2025 Cost of a Data Breach Report puts the global average breach cost at USD 4.44 million.

Step 3: Vulnerability identification

Vulnerability identification combines automated scanning with configuration review and process interviews. Run Microsoft Defender Vulnerability Management or Tenable Nessus across endpoints and servers, Qualys or Defender for Cloud across SaaS and infrastructure, and review identity, backup, and incident-response documentation against NIST CSF 2.0 and the CCCS baseline.

Process gaps account for roughly half of high-scored findings on Canadian SMB engagements. Tools surface CVEs; interviews surface untested backups and missing admin MFA.

Step 4: Likelihood and impact scoring

Score each finding on a 5×5 matrix. Likelihood runs 1 (theoretical) to 5 (actively exploited against organizations like yours). Impact runs 1 (negligible) to 5 (business-ending). Multiply for a composite score from 1 to 25. Score the finding as it stands with today's controls in place, not as it would look after remediation; the existing control is recorded on the register row so a reader can see why the likelihood landed where it did. The qualitative approach is the practical default for SMBs because most do not have the historical incident data quantitative methods require.

Composite score | Tier | Required action
20 to 25 | Critical (red) | Remediate immediately, escalate to executive sponsor
12 to 19 | High (orange) | Documented mitigation plan with owners and dates
8 to 11 | Medium (yellow) | Active monitoring, scheduled review
1 to 7 | Low (green) | Accepted with documentation

Step 5: Risk register

The risk register is the single document the rest of the program runs on. Each row contains the asset, threat, vulnerability, existing control, composite score, proposed treatment, accountable owner, and target date. Most Canadian SMBs maintain it in Excel or a custom Power BI dashboard tied to NIST CSF 2.0 categories, so insurers and the board read the same artifact.

Across Fusion Computing engagements through Q1 2026, median register length sits between 38 and 65 line items for a 10 to 150 employee organization. The same register is the artifact a PIPEDA safeguard analysis is built on, since it shows which safeguards exist for which data and why they were judged proportionate.

Step 6: Treatment plan

For each scored risk choose one of four treatments: mitigate (add or strengthen a control), transfer (cyber insurance, contractual indemnity), accept (document and monitor), or avoid (stop the activity). ISO 27005:2022 describes the same four treatment options. The controls chosen for each mitigation are then mapped to the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) so the treatment plan ties back to the program spine the board and underwriter already read. Accepting a Critical or High risk is a decision for the executive sponsor, not the IT team, and the register should record who signed it.
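Steps 4 through 6 in working code, as an added example (this is not Fusion Computing's own register tooling): the 5×5 scoring, the tier bands from the table in step 4, a register sorted by score, and the checks an assessor runs before the register goes out for sign-off. The findings, owners, and dates are constructed for illustration, and the names `Finding`, `build_register`, and `register_problems` are choices made here, not anything from the original page.

```python
"""Score findings on the 5x5 likelihood x impact matrix, tier them, and
check the resulting register rows the way an assessor would before sign-off.

Added example, not Fusion Computing's register template. All finding data
below is constructed; owner names are placeholders.
"""
from dataclasses import dataclass, asdict

# (minimum composite score, tier, required action), from the step 4 table.
TIERS = (
    (20, "Critical", "Remediate immediately, escalate to executive sponsor"),
    (12, "High", "Documented mitigation plan with owners and dates"),
    (8, "Medium", "Active monitoring, scheduled review"),
    (1, "Low", "Accepted with documentation"),
)
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}  # the four ISO 27005 options


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerability: str
    existing_control: str
    likelihood: int          # 1 theoretical .. 5 actively exploited against peers
    impact: int              # 1 negligible .. 5 business-ending
    owner: str = ""          # accountable owner (placeholder names in the sample)
    treatment: str = "mitigate"
    target_date: str = ""    # ISO date; empty until the treatment plan sets one
    accepted_by: str = ""    # executive sign-off, required to accept High/Critical


def composite(likelihood: int, impact: int) -> int:
    """Composite score 1..25; rejects values outside the two 1..5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def tier(score: int) -> tuple[str, str]:
    """Map a composite score to (tier, required action)."""
    for floor, name, action in TIERS:
        if score >= floor:
            return name, action
    raise ValueError(f"score {score} outside 1..25")


def register_row(f: Finding) -> dict:
    """One register line: the finding plus its score, tier and required action."""
    score = composite(f.likelihood, f.impact)
    name, action = tier(score)
    row = asdict(f)
    row.update(score=score, tier=name, required_action=action)
    return row


def build_register(findings: list[Finding]) -> list[dict]:
    """Risk register sorted highest score first; ties broken by higher impact."""
    rows = [register_row(f) for f in findings]
    rows.sort(key=lambda r: (r["score"], r["impact"]), reverse=True)
    return rows


def register_problems(rows: list[dict]) -> list[str]:
    """Checks a register must pass before it goes to the board or an underwriter."""
    problems = []
    for r in rows:
        label = f"{r['asset']} / {r['threat']}"
        if r["treatment"] not in TREATMENTS:
            problems.append(f"{label}: unknown treatment {r['treatment']!r}")
        if r["tier"] in ("Critical", "High"):
            if not r["owner"] or not r["target_date"]:
                problems.append(f"{label}: {r['tier']} item needs an owner and target date")
            if r["treatment"] == "accept" and not r["accepted_by"]:
                problems.append(f"{label}: accepting a {r['tier']} risk needs executive sign-off")
    return problems


# Constructed findings (not client data). The router row is deliberately
# incomplete: a High risk accepted with no owner, date or sign-off.
SAMPLE_FINDINGS = [
    Finding("Microsoft 365 tenant", "credential phishing", "no MFA on Global Administrator role",
            "MFA on user mailboxes only", likelihood=5, impact=5,
            owner="IT lead", target_date="2026-04-30"),
    Finding("Backup server", "ransomware", "restores never tested",
            "nightly backups", likelihood=4, impact=5,
            owner="IT lead", target_date="2026-05-15"),
    Finding("Finance laptops", "infostealer malware", "no EDR, signature antivirus only",
            "signature antivirus", likelihood=4, impact=3,
            owner="IT lead", target_date="2026-06-30"),
    Finding("Branch office router", "supply-chain compromise of vendor", "firmware cadence unknown",
            "vendor SLA", likelihood=3, impact=4, treatment="accept"),
    Finding("Shared printer", "physical loss", "unencrypted print queue",
            "none", likelihood=2, impact=2, treatment="accept", accepted_by="COO"),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_FINDINGS)
    for r in register:
        print(f"{r['score']:>2} {r['tier']:<8} {r['asset']:<22} {r['treatment']:<8} {r['required_action']}")
    for p in register_problems(register):
        print("PROBLEM:", p)
```

Two things the code makes visible that the table hides. First, because the composite is a product of two 1..5 integers, only 14 distinct scores exist (1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, 25); the "12 to 19" High band really contains 12, 15 and 16, so a finding cannot sit just under a boundary. Second, the sorted register puts a 12 with impact 4 above a 12 with impact 3, which is the order an executive reader expects; pick the tie-break deliberately rather than leaving it to spreadsheet sort order.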

FIELD NOTE

Mike Pearlstein here. A Hamilton manufacturer came to us after their underwriter flagged the renewal. They had antivirus, firewall, and nightly backups, plus MFA on email but not on the Microsoft 365 global-admin role. We enforced admin MFA in 90 minutes, ran a restore drill that uncovered a silent backup failure, and rolled out Microsoft Defender for Endpoint plus Defender Vulnerability Management. Renewal closed at 6 percent instead of the 31 percent originally quoted.

Step 7: Reporting and re-assessment

Three artifacts come out of a finished assessment: the technical risk register, an executive summary written in business risk language, and the remediation roadmap with owners and dates. Schedule the next full assessment for 12 months out; run a lightweight delta review after any material infrastructure change, security event, or insurance renewal. Continuous vulnerability scanning fills the gap between cycles.

Why the register matters at renewal: the Office of the Privacy Commissioner of Canada requires safeguards proportional to data sensitivity under PIPEDA. NIST CSF 2.0 and ISO 27005:2022 are the two methodologies cyber-insurance underwriters most often ask about. A scored register mapped to either lets an SMB answer underwriter questionnaires in days, not weeks.

Common risk-assessment mistakes

Five mistakes recur across Canadian SMB engagements:

  • Treating the assessment as a vulnerability scan and skipping the process review.
  • Letting the team that built a system also score it.
  • Producing a register no executive can read.
  • Scoring impact on technical severity (a CVSS number) instead of business consequence.
  • Filing the deliverable and never running a re-assessment.

Each one is avoidable when the seven steps are followed in order.


Frequently asked questions

What is a cybersecurity risk assessment?

A cybersecurity risk assessment is a structured process that identifies assets, threats, and vulnerabilities, scores each finding by likelihood and impact, and produces a prioritized risk register with recommended controls. The output is broader than a vulnerability scan because it covers people, processes, and compliance obligations alongside technical CVEs. NIST SP 800-30 r1 is the most common methodology used by Canadian SMBs.

How is a risk assessment different from a penetration test?

A risk assessment scopes which assets matter and scores findings against business consequences. A penetration test actively exploits specific weaknesses to prove real-world impact. The assessment runs first; the pen test targets the highest-scored items from the register. The two artifacts complement each other for underwriter and board reporting.

How often should a Canadian SMB run a risk assessment?

At minimum, annually. Trigger an extra assessment after a material infrastructure change (cloud migration, acquisition, new office), a security event, a regulatory change, or an insurance renewal asking for updated documentation. Regulated industries (health, finance, legal) typically run assessments every 6 to 12 months with continuous scans between cycles.

Which framework should we pick: NIST, ISO 27005, or CIS?

Most Canadian SMBs use NIST SP 800-30 r1 as the assessment methodology, NIST CSF 2.0 as the program spine for board reporting, and the Canadian Centre for Cyber Security baseline controls as the local floor. ISO 27005:2022 applies when the business pursues ISO 27001 certification or sells into enterprise customers that require it. CIS Controls v8.1 is a useful prescriptive checklist that overlays cleanly on either methodology.

What tools do you use during the assessment?

Microsoft Defender Vulnerability Management or Tenable Nessus for endpoint and server scanning. Qualys or Microsoft Defender for Cloud for cloud-side findings. Microsoft Purview for data classification and SaaS visibility. A custom risk register in Excel or Power BI for the scored output. The toolset is deliberately auditable so each register line traces back to a source.

How long does an assessment take?

Two to four weeks of elapsed time for a 10 to 150 employee Canadian SMB. Asset inventory and treatment-plan development consume the most hours; scoring goes fast once inventory is clean. Median register length on Fusion Computing engagements through Q1 2026 was 38 to 65 line items. Three weeks is the modal duration.

What does an assessment cost in Canada?

For most Canadian businesses with 10 to 150 employees, a professional assessment runs CA$3,000 to CA$10,000 depending on scope, cloud footprint, and compliance requirements. The price typically includes the technical register, executive readout, and remediation roadmap. Cost climbs above CA$10,000 for multi-site organizations or work aligned to ISO 27001 certification.

Can the internal IT team run the assessment?

Internal teams can run assessments when they have experienced security staff. The limitation is objectivity: teams sometimes carry blind spots on systems they built, and findings reflecting on their own work get softened. A practical hybrid uses the internal team for asset inventory and scanning, then brings in an external CISSP-led assessor to validate scoring and write the executive report.

Does an assessment help with PIPEDA and cyber-insurance compliance?

Yes. PIPEDA requires safeguards proportional to data sensitivity, and a documented, scored risk register is how that proportionality is demonstrated to the Office of the Privacy Commissioner of Canada. Cyber-insurance underwriters increasingly ask for the register at renewal as their first request. Pairing the assessment with a tested incident response plan covers the second most common underwriter question.

What happens after the assessment is delivered?

Execution of the treatment plan: implementing additional controls, patching critical CVEs, fixing misconfigurations, training staff on identified gaps, and scheduling the next review. Many Canadian SMBs scope a managed cybersecurity engagement at this point so there is no continuity gap between the assessment artifact and the work that follows it.


Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611