How to do a cybersecurity risk assessment for a small business

Guide · 9 min · For Owners

Why every small business needs one (whether or not a regulator requires it)

Four reasons. One — cyber-insurance carriers ask. The application now has a question that reads roughly "Do you maintain a written information security program based on an annual risk assessment?" The honest answer needs to be yes, and the assessment is the evidence. Two — if you're a HIPAA-covered entity, the FTC Safeguards Rule applies to you (any financial activity, including bookkeeping for clients), or you handle CJI for a municipal contract, the assessment is explicitly required by law. Three — it produces a prioritized punch-list of what to fix next, instead of buying tools in whatever order the vendor email arrived. Four — if something goes wrong, the assessment is the document that proves you took the obligation seriously.

The shape of a small-business risk assessment

One- to two-page document plus an evidence folder. Four sections:

Inventory — the assets that matter.
Threats — what could go wrong.
Controls — what's in place.
Gaps and plan — what's missing and the order to close it.

That's it. The document is short on purpose — long risk assessments don't get re-read. The evidence folder is where the proof lives.

Section 1: Inventory

List the systems and data that, if compromised or unavailable, would hurt the business. For a 12-person professional-services firm, that usually means:

Microsoft 365 tenant (email, OneDrive, SharePoint, Teams)
Line-of-business application(s) — the dispensing system, the EHR, the practice-management software, the tax software, the accounting platform
File server (if any) and the data on it
Backup system — where backups go, how they're protected
Endpoint fleet — workstations, laptops, mobile devices (count and owner)
Network — firewall, switches, wireless
Identity — the directory (Microsoft Entra ID, Google Workspace), the password-management tool
Third-party vendors with access — the MSP, the bookkeeper, the payroll provider, the practice-management vendor, the e-fax vendor

Each item gets a row with: what it is, who's responsible for it, where the data lives, and what category of data is on it (PHI, PCI, CJI, PII, financial, intellectual property).

Section 2: Threats

The threats are mostly the same across small businesses. List them, and check which apply to your environment:

Phishing-led account compromise — an employee clicks, attacker gets into Microsoft 365.
Ransomware — either via phishing or via an unpatched vulnerability.
Business email compromise / wire fraud — an attacker impersonates a vendor or executive to redirect payments.
Insider error — an employee sends data to the wrong recipient, loses a laptop, copies files to a personal account.
Lost or stolen device — with whatever was on it.
Vendor compromise — a third party with access to your systems is breached.
Physical incident — fire, flood, theft of equipment.
Regulatory enforcement — a HIPAA breach notification, a state attorney-general inquiry, an FTC complaint, a PCI fine.

Section 3: Controls

For each threat, document the controls in place. The minimal modern small-business stack covers most threats with the same nine-or-so controls:

MFA on every account that touches sensitive data (see MFA).
EDR with 24/7 monitoring on every endpoint (see EDR).
Email security — advanced anti-phishing on Microsoft 365 or Google Workspace, plus impersonation rules.
DNS filtering on every endpoint (see DNS filtering).
OS and third-party patching on a documented cadence.
Immutable, restore-tested backups (see backup is the answer; restore is the test).
Disk encryption on every laptop.
Workforce training plus quarterly phishing simulation.
Written wire-change-confirmation rule for AP and finance staff (see wire fraud).

For each control, the evidence folder gets: the configuration export, the deployment report (showing coverage of every endpoint or account), the most recent test (restore log, phishing-simulation result, training completion record).

Section 4: Gaps and plan

This is the punch list — the controls that aren't fully in place and the plan to close each one. For each gap:

What's missing.
What threat it leaves open.
The likelihood and impact estimate (low / medium / high — reasonable judgment, not a calculation).
Who's responsible.
Target completion date.

Three to seven items is normal for a small business with an existing managed-IT relationship. Twelve or more is normal for a business that hasn't done this before. The plan is what closes them in priority order.

The frameworks worth knowing

HHS SRA Tool — free Office of the National Coordinator tool for HIPAA-covered entities. Comprehensive and audit-ready.
NIST SP 800-30 — the federal risk-management framework. More detailed than most small businesses need but well-respected.
CIS Risk Assessment Method (RAM) — built around the CIS Controls. A good fit for the small-business shape.
FTC Safeguards Rule — the framework the FTC will hold you to if you do any financial activity (including bookkeeping for clients).
NIST CSF 2.0 — the Cybersecurity Framework, mapped to functions (govern, identify, protect, detect, respond, recover). Most cyber carriers reference it.

Pick one. Be consistent. Update annually.

Mistakes to avoid

Mistake 1: making it too long. A 40-page risk assessment doesn't get re-read. Two pages plus the evidence folder is the right shape.
Mistake 2: doing it once. It's a recurring exercise, not a project. Calendar it.
Mistake 3: skipping the evidence folder. The document alone isn't proof. The configuration exports, the deployment reports, the test logs are what an auditor or insurance underwriter wants to see.
Mistake 4: copying a generic template. A template is a starting point, not the deliverable. The risk assessment has to reflect your environment.

How a Micro-IT plan handles the annual assessment

For HIPAA-aligned, GLBA-aligned, and CJIS-aware clients, the annual risk assessment is part of the engagement at no additional charge. We use the HHS SRA Tool for healthcare and a CIS-RAM-based equivalent for non-healthcare. The deliverable is the two-page document plus the evidence folder, refreshed annually and after any significant environmental change. See the security page for the control map, or get a quote for an environment-specific scope.

Frequently asked questions

What is a cybersecurity risk assessment?

A cybersecurity risk assessment is a written exercise that lists your information assets (the systems and data that matter), the threats against them (ransomware, phishing, insider error, vendor compromise), the controls in place, the gaps that remain, and the priority order for closing those gaps. The output is a one- to two-page document plus an evidence file — what auditors, regulators, and cyber-insurance carriers ask to see.

How often should a small business do a risk assessment?

Annually at minimum. Also after any significant environmental change — new line-of-business application, new office or branch, acquisition, major personnel turnover, or a security incident. HIPAA, PCI-DSS, and the FTC Safeguards Rule all explicitly require annual updates.

Do I need to hire a consultant for a risk assessment?

Not for the assessment itself. A capable managed IT provider can run the assessment using a standard framework (HHS SRA Tool, NIST SP 800-30, or CIS Risk Assessment Method) as part of an annual engagement. Hiring a separate consultant makes sense when regulatory scope demands independence — for example, a PCI Report on Compliance for a Level 1 merchant, or a SOC 2 audit where the auditor must be independent of the IT operator.

What does a cybersecurity risk assessment cost?

Costs vary widely by scope. An internal annual assessment using a standard framework typically costs nothing beyond the time it takes — a few hours from the MSP, a few hours from the business owner. A consultant-led assessment runs $3,000 to $15,000 for a small business depending on the framework. Most managed IT contracts at Micro-IT include the annual assessment for HIPAA-aligned, GLBA-aligned, and CJIS-aware clients at no additional charge.

What's the difference between a risk assessment and a security audit?

A risk assessment is forward-looking: it identifies what could go wrong, what controls are in place, and what to fix next. A security audit is backward-looking: it verifies that specific controls are actually deployed and working. Both are valuable; both are required by various frameworks. The assessment usually informs the audit's scope.

How to do a cybersecurity risk assessment for a small business.

Why every small business needs one (whether or not a regulator requires it)

The shape of a small-business risk assessment

Section 1: Inventory

Section 2: Threats

Section 3: Controls

Section 4: Gaps and plan

The frameworks worth knowing

Mistakes to avoid

How a Micro-IT plan handles the annual assessment

Frequently asked questions

Related reading

Want a risk assessment done with the rest of the stack? It's included.

How to do a cybersecurity risk assessment for a small business.

Why every small business needs one (whether or not a regulator requires it)

The shape of a small-business risk assessment

Section 1: Inventory

Section 2: Threats

Section 3: Controls

Section 4: Gaps and plan

The frameworks worth knowing

Mistakes to avoid

How a Micro-IT plan handles the annual assessment

Frequently asked questions

Related reading

Want a risk assessment done with the rest of the stack? It's included.

Plain-talk IT, in your inbox.