I am putting together our first Risk Assessment. As a small start-up (10 people) with limited assets, I was hoping to put together a simple Risk Assessment with more generic items.
I took these lists from different NIST Standards. Do you believe this would create a compliant risk assessment:
Asset List: Person, Organization, System, Software, Database, Network, Service, Data, Computing Device, Circuit, Website
Threat Options: Adversarial, Accidental, Structural, Environmental, Vulnerability Options, Information-Related, Technical – Architectural, Technical – Functional, Operational/Environmental
Basically, are these categories too broad to be used in a compliant risk assessment?