What is Security Risk Assessment and Audit (SRAA) ?

Security Risk Assessment and Audit (SRAA) help organizations ensure compliance with guidelines from regulators like the Hong Kong Office of the Government Chief Information Officer (OGCIO). The risk assessment process involves steps recommended by the OGCIO, such as identifying threats, estimating likelihood and impacts, and calculating risks. This allows organizations to prioritize the most significant risks as required in the OGCIO’s code of practice. Corresponding security audits then evaluate that appropriate controls are in place according to baselines established in OGCIO guidelines. 

What Is SRAA

Asset Visibility Through Security Risk Assessment and Audit




Wireless access points




Mobile/IoT devices

Internal applications

Third party software

Web applications

ERP/CRM systems

SQL and noSQL databases

File shares & network drives

Cloud platforms & services

Remote access solutions

Websites & web interfaces

Development environments

How Security Risk Assessment Works?

Security Risk Assessment identifies vulnerabilities and evaluates associated risks to inform management’s risk-based security program. Appropriate protections are then implemented through a secure framework of controls, policies, and assigned responsibilities. Constant monitoring of operations and activities supports incident handling while ensuring ongoing compliance. Periodic reviews and reassessments ensure controls meet changing needs by identifying enhancements from audits, providing continuous feedback to address evolving threats through this cyclical risk management process.

Workflow of Security Risk Assessment


Establish the scope and objectives of the assessment. This step determines what systems, data and infrastructure will be evaluated.

Information Gathering

Information gathering involves collecting relevant technical details and organizational context data. Things like system configurations, infrastructure details, and existing security controls are documented.

Risk Analysis

It analyzes aspects like human resources, assets, access control, security measures, operations, communications, systems and continuity plans. Key assets are identified and their importance rated. Potential threats are then examined along with vulnerabilities within each domain. Assets, threats and vulnerabilities are mapped to correlate their relationships and overlapping areas. The potential impacts of each risk are evaluated along with their likelihoods of occurrence. Finally, a risk results analysis integrates all findings to provide an overall view of the risk profile based on priority ratings. This systematic process identifies assets, examines threats and weaknesses, assesses impacts and likelihoods, and prioritizes risks to comprehensively evaluate exposures.

Identifying & Selecting Safeguards

Based on the findings from risk analysis, appropriate security controls and risk treatment options are identified and selected. These help strengthen defenses against the organization’s most serious exposures.

Monitoring & Implementation

The chosen safeguards undergo monitoring and implementation. Controls are deployed, integrated into operations, and their effectiveness monitored on an ongoing basis. Compliance with security standards is also verified.

Need Help for Security Risk Assessment and Audit?

Please enable JavaScript in your browser to complete this form.
Looking for