Risk identification is the process by which we determine what could happen to cause an impactful event. It is the first step in [[risk assessment]]. We aim to gain insights into how, where, and why this might happen.
This process should cover all risks, including those outside the organisation's control (for example, a risk that global warming drowns our datacentres) and those whose source or cause is not obvious.
Risk identification can be done using either an event-based or an [[asset]]-based approach.
## Asset-based
1. identify and determine the value of the information assets that are in scope for protection
2. identify the [[threat|threats]] and [[vulnerability|vulnerabilities]] that exist or may exist
    1. ?? This feels uncomfortably like speculation and guessing
3. identify the existing [[control|security controls]], and their effects on the aforementioned [[risk|risks]]