Although you can choose your security controls based purely upon good practice and policy, according to the 2014 information security breaches survey most SMEs perform risk assessments that cover cyber security.
There are many ways to perform such risk assessments. There are lots of different methodologies you can use. Many general business risk management techniques can be applied to cyber security, but there are also methodologies specifically designed to assess IT security or information security. Some methodologies are highly formal, perhaps with automated tools to gather data and present results, but others are much simpler and can be done with checklists and paper.
Many cyber-specific methodologies are based on identifying assets, threats and vulnerabilities. You prepare lists of each and then identify how a vulnerability in one of your systems presents an opportunity for an attacker to threaten one or more of your assets. Whenever all three occur, there is a risk. If there is a vulnerability but no threat, or a vulnerability and a threat but no asset that can be attacked, there is no risk.
Such methods are very popular, but have the disadvantage that they cannot be applied to vulnerabilities of which you are unaware. There are ways around this. One example is HM Government’s Information Assurance Standard No. 1 (PDF). This assumes vulnerabilities can always exist and that there are threat actors (people who attack your systems or cause accidents) who can find them. Therefore only threats and assets are taken into account.
You may prefer to use a methodology that you already use in other fields, such as in corporate governance or for assessing financial instruments. The choice is yours, but whatever method you choose, it must produce consistent and comparable results if an assessment is repeated later on.
