Cybersecurity Risk Assessment (CRA) Template
$ 950.00 USD
The CRA provides a format for producing high-quality risk assessment reports, based on the structure for managing risk defined in the Risk Management Program (RMP). The CRA is a high-quality template for actually performing the risk assessments that policies, standards and procedures call for. This gives your organization a risk assessment template that is repeatable and looks professional.
Product Category: Risk Management
SKU: P06-CRA
Availability: Email Delivery Within 1-2 Business Days
ComplianceForge documentation is written to follow industry-recognized secure practices, but you are still expected to tailor the documentation to suit your organization's specific security, compliance & resilience requirements. By providing your company name and your logo (your logo is optional), we tailor the documentation to include this information.
How Do I Request A Quote?
To request a quote, select the "Request a Quote" button beside the "Add To Cart" button. This will direct you to a page where you can request a custom quote.
Can I Pay By Invoice?
Yes. To pay by invoice, add the product to your cart, go through the checkout process, and fill out your billing information. Once you get to the payment method, select "Offline Payment via Invoice / Purchase Order (PO)" and then select "Place Order."
Can I Pay By Wire / ACH?
Yes. To pay by Wire / ACH, you can request an invoice by following the instructions above. Once you have the invoice, it will contain the necessary info for you to finalize payment by Wire / ACH.
Cybersecurity Risk Assessment (CRA) Template
  • Designed to support the Risk Management Program (RMP) to conduct recurring risk assessments.
  • Leverages the Security, Compliance & Resilience Risk Management Model (SCR-RMM) from the SCF for scalability.
  • Immense time & cost savings - enables subject matter experts to fill in the details that only they know.
Product Overview

Don't Write It From Scratch.

Almost every framework and customer questionnaire asks for evidence of a risk assessment, but when was your last one, and could you hand an auditor a credible, repeatable result? Outsourcing each assessment to consultants is expensive, and ad hoc spreadsheets rarely hold up to scrutiny. The Cybersecurity Risk Assessment (CRA) Template gives you a running start: editable Microsoft Word and Excel templates that walk you through scoping, calculating, and reporting risk, with a completed example to model. Built on the Secure Controls Framework and grounded in NIST 800-30, 800-37, and 800-39, it gets you roughly 80 to 90 percent of the way there, then you tailor the scope and inputs to your environment.

Most companies are required to perform risk assessments, but they lack the knowledge and experience to undertake such assessments. That leaves businesses forced either to outsource the work to expensive consultants or to ignore the requirement and hope they do not get in trouble for being non-compliant. Neither situation is a good place to be. The good news is that we created an affordable solution for businesses to conduct their own information security risk assessments.

The Cybersecurity Risk Assessment (CRA) Template provides organizations with a professional, repeatable format for performing cybersecurity risk assessments. It is editable Microsoft Word and Excel documentation that walks users through calculating risk and reporting on it — even when the team lacks formal risk assessment training. The CRA includes both blank templates and a fully completed example so users have a reference for what good output looks like.

The CRA is built using the Secure Controls Framework (SCF) control set, which means it serves as a metaframework applicable to over 200 cybersecurity laws, regulations, and frameworks including NIST 800-53, NIST 800-171, NIST CSF, ISO 27001/27002, PCI DSS, HIPAA, and the SCF itself. The methodology is grounded in NIST 800-30, NIST 800-37, and NIST 800-39 for technical credibility with auditors and certified assessors.

If you can use Microsoft Word and Excel, then you can perform a risk assessment by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we did the hard work of creating the formatting, bringing together the correct scope of information that needs to be assessed, and we built the calculations to make your work as simple as selecting from a few drop-down answers!

Product Details

What Is The CRA?

Need to perform an information security risk assessment? This is a pretty common requirement that can seem like an insurmountable obstacle, since most people are not trained on how to perform a risk assessment or they lack a simple tool that is comprehensive enough to meet their needs. This is where our Cybersecurity Risk Assessment Template comes into play - we developed a simple Microsoft Excel template to walk you through calculating risk and a corresponding Word template to report on that risk. If you can use Word and Excel, you can successfully use our templates to perform a risk assessment. We even give you a completely filled-out example risk assessment, so that you can use that as a reference.

Our products are one-time purchases with no software to install - you are buying Microsoft Office-based documentation templates that you can edit for your specific needs. If you can use Microsoft Office or OpenOffice, you can use this product! The RMP is an editable Microsoft Word document that provides program-level guidance that directly supports your organization's policies and standards for managing cybersecurity risk. Unfortunately, most companies lack a coherent approach to managing risks across the enterprise:

  • The CRA is an editable risk assessment template that you use to create risk assessments.
    • It contains both an editable Microsoft Word document and Microsoft Excel spreadsheet that allows for professional-quality risk assessments.
    • Included is an example risk assessment that can be used as a guide.
  • The CRA supports the Risk Management Program (RMP) product in answering the “how?” questions for how your company manages risk.
    • You do not need the RMP to generate risk assessments with the CRA.
    • The RMP just tells the rest of the story for how risk is managed at your organization.
  • Where the RMP lays the groundwork for how risk is to be managed, the CRA is a template that allows you to produce the end product of risk management, which is a professional-quality risk assessment report.
How It's Delivered

No Software To Install

The CRA is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word and Excel files, the CRA is ready to use.

Microsoft Word & Excel

Delivered as fully editable .docx and .xlsx files. Compatible with Word and Excel 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Workspace. The Excel workbook contains the risk calculation engine; the Word document is the report template.

Email Delivery

Documentation is delivered via email download link within 1-2 business days of purchase, often the same business day. There is no installer, no license server, and no activation step.

One-Time Purchase

A single-entity license is included with purchase at $1,925. There is no recurring subscription requirement, and the CRA is also included as part of the RMP for organizations that need both the program and the assessment template together.

This deployment model is intentional. Risk assessment documentation belongs in the organization's own hands, inside its own GRC or document management system, rather than locked inside a vendor's SaaS tool. Once delivered, this product belongs to the buyer.

The Problem

What Problems Does the CRA Solve?

Organizations face common cybersecurity risk assessment challenges that the CRA is designed to address with a defensible, repeatable, audit-ready assessment template.

Lack of In-House Security Experience

Many organizations lack internal staff who can come up with quality risk assessments. The CRA is an affordable solution for managers or IT staff to conduct quality risk assessments.

Compliance Requirements

Most organizations run into trouble in audits when asked to provide evidence of risk assessments being performed. The CRA provides a template to conduct repeatable risk assessments in a very professional format. The CRA provides this evidence!

Audit Failures

It is very common for clients and partners to request evidence of risk assessments, so that they can also understand your risks. The CRA provides this evidence!

Vendor Requirements

Requirements such as PCI DSS, HIPAA, MA 201 CMR 17.00 and NIST 800-171 establish a mandate to conduct risk assessments. The CRA addresses these compliance requirements!

The Solution

How Does the CRA Solve These Problems?

The CRA addresses each risk assessment challenge with concrete, measurable outcomes. It is designed so that someone who can use Microsoft Word and Excel can successfully perform a risk assessment by following the instructions and editing the template.

Clear Documentation

The CRA provides the comprehensive documentation to prove that your risk program exists.

Time Savings

You can start assessing risk as soon as you receive the CRA. Orders are generally delivered the same business day!

Alignment With Leading Practices

The CRA covers natural and man-made risks, as well as risk associated with the absence or state of cybersecurity controls (as defined by NIST 800-171). This creates a quality scope for a cybersecurity risk assessment.

What You Get

What Is Included?

The CRA is delivered as editable Microsoft Office documentation. Purchase includes a single-entity license at $1,925 and the first year of product updates. The CRA is also bundled as part of the Cybersecurity Risk Management Program (RMP) for organizations adopting both the program-level documentation and the assessment template together.

Our latest version of the Cybersecurity Risk Assessment Template includes:

  • Section for assessing both natural & man-made risks.
  • Section for assessing reasonably-expected cybersecurity controls. The CRA uses the Secure Controls Framework (SCF) control set, so as a metaframework it is applicable to over 100 cybersecurity laws, regulations and frameworks, including NIST 800-53, NIST 800-171 and ISO 27001/27002!
  • Section for assessing Capability Maturity Model (CMM) levels - built into the cybersecurity control assessment portion of the risk assessment.
  • Blank templates in Microsoft Word & Excel formats.
  • Fully filled-out example of the templates that you can edit in Microsoft Word & Excel.
Your ROI

Cost Savings Estimate

When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the CRA from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:

Internal Staff Cost

For your internal staff to generate comparable documentation, it would take them an estimated 100 internal staff work hours, which equates to a cost of approximately $8,000 in staff-related expenses. This is about 2 to 3 months of development time where your staff would be diverted from other work.

The CRA is approximately 19% of the cost for your internal staff to generate equivalent documentation.

External Consultant Cost

If you hire a consultant to generate this documentation, it would take them an estimated 70 consultant work hours, which equates to a cost of approximately $20,500. This is about 1 to 2 months of development time for a contractor to provide you with the deliverable.

The CRA is approximately 8% of the cost for an external consultant to generate equivalent documentation.

See It First

Product Examples

The CRA is built to be evaluated before purchase. The PDF examples below show representative content from both the Word risk assessment report template and the Excel calculation worksheet so the quality and structure of the documentation can be assessed before placing an order. The examples also illustrate the 6x6 risk matrix scoring and the before/after risk charts that the Excel workbook produces automatically.

The completed example assessment included with the product is the same artifact that ships in the deliverable package, so customers can see what a finished CRA looks like end-to-end before committing.

Policies & Standards

Below is a PDF example containing a sample of the policies & standards you would receive upon purchasing the CRA.

Worksheet

Below is a PDF example containing a sample of the worksheets you would receive upon purchasing the CRA.

Your Effort

How Much Customization Remains?

Given the difficult nature of writing templated risk assessment documentation, ComplianceForge aims for approximately an 80% solution because it is impossible to write a 100% cookie-cutter document that can be equally applied across every organization. Risk assessments depend on the specific assets in scope, the threat model, and the controls in place, so the remaining work is fine-tuning the CRA with the specific information that only the organization knows.

In practice, customization is filling in the blanks and following the guidance provided to identify the scope of the assessment, the assets included, the threats considered, the controls assessed, and the risk owners. The Excel workbook is mostly drop-down driven, which removes most of the methodology work; the Word report is structured to be filled in section by section with the outputs from the Excel workbook. The included completed example serves as a working reference throughout.

Need A Hand?

Professional Services

ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:

We offer the following professional service bundles:

5-Hour Bundle

This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.

10-Hour Bundle

This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.

20-Hour Bundle

This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.

Important Details About Professional Services

Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.

Why Risk Assessments Matter

Common Scenarios That Require Information Security Risk Assessments

Formal cybersecurity risk assessments have become a baseline expectation across regulatory, contractual, and customer due-diligence contexts. PCI DSS v4 Section 12.3.1 requires companies to perform formal risk assessments. The HIPAA Security Rule (45 CFR §§ 164.302-318) requires accurate and thorough assessment of potential risks. MA 201 CMR 17.00 Section 17.03(2)(b) requires identification and assessment of reasonably-foreseeable internal and external risks. The Oregon Identity Theft Protection Act, the GLBA Safeguards Rule, NIST 800-171 Section 3.11, and the SEC cybersecurity disclosure rule all carry related risk-assessment obligations.

Without a defensible, repeatable risk assessment process, organizations face audit findings, lost contracts, and elevated insurance premiums. The CRA provides a complete, framework-aligned risk assessment template grounded in NIST 800-30, NIST 800-37, and NIST 800-39 — the same authoritative sources auditors and certified assessors expect to see referenced in risk methodology documentation.

If you fall in scope for any of these compliance requirements, you have to perform risk assessments and you need this template:

  • Payment Card Industry Data Security Standard (PCI DSS) - Section # 12.3.1 (PCI DSS v4) requires companies to perform a formal risk assessment!
  • Massachusetts MA 201 CMR 17.00 - Section # 17.03(2)(b) requires companies to "identify & assess" reasonably-foreseeable internal and external risks!
  • Health Insurance Portability and Accountability Act (HIPAA) - Security Rule (Section 45 C.F.R. §§ 164.302 – 318) requires companies to conduct an accurate & thorough assessment of potential risks!
  • Gramm-Leach-Bliley Act - Safeguard Rule requires company to identify and assess risks to customer information!
  • NIST 800-171 - Protecting CUI in Nonfederal Information Systems and Organizations - Section 3.11 requires risks to be periodically assessed!

Given that we designed this risk assessment template based on industry-recognized best practices, you can use our template to address those information security risk assessment requirements. The authoritative sources we used are based on National Institute of Standards and Technology (NIST) frameworks - NIST 800-30 (Risk Management Guide for Information Technology Systems), NIST 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems) & NIST 800-39 (Managing Information Security Risk).

Risk Graph

Graph Depicting Natural & Man-Made Risks

The Excel-based worksheet comes with graphs showing before & after risk levels. These are just embedded into the report to provide a good visual. The calculations from the worksheets make it easy to show raw risk scores and also weighted scores, which take into consideration the importance of the control, the maturity of the protections in place, and any compensating measures that may exist to reduce the risk.

Risk Assessment Matrix

How To Score Risks

The CRA methodology is grounded in NIST SP 800-30 (Risk Management Guide for Information Technology Systems), NIST SP 800-37 (Guide for Applying the Risk Management Framework), and NIST SP 800-39 (Managing Information Security Risk). The technical control set comes from the Secure Controls Framework (SCF), which is a metaframework that maps to over 200 cybersecurity laws, regulations, and frameworks including NIST 800-53, NIST 800-171, NIST CSF, ISO 27001/27002, PCI DSS, and HIPAA.

The CRA utilizes a 6x6 risk assessment matrix. The calculations show raw risk scores and also take into account weighting factors, such as the importance of the control, the maturity of the protections in place, and any compensating measures that may exist to reduce the risk. The CRA is able to show both the raw risk score and the final score once compensating controls are taken into consideration.
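To make the raw-versus-weighted distinction concrete, the following is an added illustrative model written for this page; it is not the CRA's own workbook formulas, and the rating bands, the maturity credit per CMM level, the control-importance multiplier and the compensating-control credit are all assumptions chosen for the example. It builds a 6x6 likelihood-by-impact matrix, scores a small constructed risk register covering both a natural and man-made threats, and produces the before (raw) and after (weighted) values that the page describes graphing.

```python
"""Illustrative 6x6 risk scoring (added example; assumed model, not the CRA's formulas)."""
from dataclasses import dataclass

LEVELS = range(1, 7)  # likelihood and impact are each rated 1 (lowest) to 6 (highest)

# Assumed rating bands over the 1..36 product range of the matrix.
BANDS = ((6, "Low"), (12, "Moderate"), (20, "High"), (36, "Critical"))

# Assumed fraction of a risk retired at each CMM maturity level (0 = not performed).
MATURITY_CREDIT = {0: 0.0, 1: 0.1, 2: 0.25, 3: 0.5, 4: 0.65, 5: 0.8}


def raw_score(likelihood: int, impact: int) -> int:
    """Raw (inherent) score: likelihood x impact on the 6x6 matrix."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be 1..6")
    return likelihood * impact


def rating(score: float) -> str:
    """Map a score onto the assumed rating bands."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score exceeds matrix range")


def risk_matrix() -> list[list[str]]:
    """Row = likelihood, column = impact; each cell is the rating label."""
    return [[rating(raw_score(lik, imp)) for imp in LEVELS] for lik in LEVELS]


def weighted_score(raw: int, importance: float, maturity: int,
                   compensating: float = 0.0) -> float:
    """Weighted (residual) score.

    importance: assumed multiplier for how much the control matters to this
                threat (1.0 = normal; >1 raises the score, <1 lowers it).
    maturity:   CMM level 0..5 of the protection in place.
    compensating: assumed credit 0..0.9 for compensating measures.
    """
    if maturity not in MATURITY_CREDIT or not 0.0 <= compensating < 1.0:
        raise ValueError("bad weighting inputs")
    residual = raw * importance * (1 - MATURITY_CREDIT[maturity]) * (1 - compensating)
    return round(residual, 1)


@dataclass
class RiskEntry:
    threat: str
    category: str  # "natural" or "man-made"
    likelihood: int
    impact: int
    importance: float
    maturity: int
    compensating: float = 0.0


def assess(register):
    """Return (threat, raw, raw rating, weighted, weighted rating) per entry."""
    rows = []
    for e in register:
        raw = raw_score(e.likelihood, e.impact)
        w = weighted_score(raw, e.importance, e.maturity, e.compensating)
        rows.append((e.threat, raw, rating(raw), w, rating(w)))
    return rows


# Constructed sample register for the example (not taken from the product).
SAMPLE_REGISTER = [
    RiskEntry("Flood at primary data center", "natural", 2, 6, 1.0, 3, 0.3),
    RiskEntry("Phishing leading to credential theft", "man-made", 5, 5, 1.2, 2),
    RiskEntry("Unpatched internet-facing server", "man-made", 4, 4, 1.0, 4),
]

if __name__ == "__main__":
    for row in risk_matrix():
        print(" ".join(f"{cell:>8}" for cell in row))
    for threat, raw, r_raw, w, r_w in assess(SAMPLE_REGISTER):
        print(f"{threat:40} raw={raw:>2} ({r_raw:8}) weighted={w:>5} ({r_w})")
```

Run as-is, the register shows the two behaviours the page refers to: the flood and the unpatched server drop from Moderate/High to Low once maturity and compensating credit are applied, while the phishing entry stays Critical because the control is weighted as more important than average and is only at CMM level 2. Whatever bands and credits an organization adopts, the point is that the weighting inputs are chosen up front and recorded, so the before/after figures in the report are reproducible.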

Testimonials

What Are Some Of Our Testimonials?

Excellent Starting Point
ComplianceForge's SCF-based policy documentation offers consolidated coverage of security and privacy controls requirements in a single, cohesive package. Because it's built on the Secure Controls Framework, a metaframework that tracks security and privacy standards globally and releases quarterly updates, it gives organizations confidence that their documentation stays current as requirements evolve. For any organization standing up a security and privacy program from scratch, it provides an excellent starting point.
Would You Like To Share Your Experiences?
If you are satisfied with your product and would like to leave a review, please fill out our testimonial form and share your experiences with our documentation! We enjoy hearing from satisfied customers, and we are always open to constructive feedback so that we can continue improving our products.