What is NIST SP 800-30?
NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, is a free publication from the US National Institute of Standards and Technology (NIST). It defines a structured nine-step process for identifying, analysing, and prioritising information security risks across organisations and information systems.
Although it originates from the US government’s FISMA framework, NIST SP 800-30 is used globally. Its detailed threat source and threat event catalogues (Appendices D and E) make it particularly practical — you do not need to build your own threat library. The publication is freely available from the NIST Computer Security Resource Center.
All 9 NIST SP 800-30 assessment steps
Open Risk Register implements every step of the NIST SP 800-30 R1 process in a guided, browser-based workflow. Each step is required — you cannot skip ahead.
1. Identify the Purpose: Define why the assessment is being conducted, what decisions it will inform, and which systems or processes are in scope.
2. Identify the Scope: Establish the boundaries of the system under assessment, including its operational context and data flows.
3. Assumptions and Constraints: Document assumptions the assessment relies on and any constraints limiting the scope or depth of analysis.
4. Identify Threat Sources: Using the NIST Appendix D catalogue, identify adversarial, accidental, structural, and environmental sources relevant to your system.
5. Identify Threat Events: From the NIST Appendix E catalogue, map specific events each threat source could initiate against your system.
6. Identify Vulnerabilities: Document predisposing conditions and control weaknesses that would make threat events more likely to succeed.
7. Determine Likelihood: Score the overall likelihood of each threat event on a qualitative scale, accounting for threat source characteristics and vulnerabilities.
8. Determine Impact: Score the magnitude of harm from each threat event, covering operational, financial, and reputational dimensions.
9. Determine Risk: Combine likelihood and impact to calculate risk levels. Review the prioritised register and determine appropriate responses.
How NIST SP 800-30 maps to NIS2 Article 21
NIS2 does not prescribe a risk assessment methodology, but requires the output to justify “appropriate and proportionate” security measures. NIST SP 800-30 produces exactly the kind of structured, documented analysis that satisfies this requirement.
- Steps 1–3 (Purpose, Scope, Assumptions) support Art. 21(2)(a) risk analysis policies by establishing the governance framework.
- Steps 4–5 (Threat Sources, Threat Events) address Art. 21(2)(d) supply chain and Art. 21(2)(e) acquisition security by identifying dependencies and attack vectors.
- Step 6 (Vulnerabilities) feeds into Art. 21(2)(j) by identifying weaknesses that MFA and secure communications would mitigate.
- Steps 7–8 (Likelihood, Impact) provide the evidentiary basis for proportionate measures under Art. 21(2)(f).
- Step 9 (Risk Register) produces governance documentation required across all 10 Article 21(2) measures, supporting board-level oversight.
NIST SP 800-30 vs ISO 27005
Both NIST SP 800-30 and ISO 27005 are recognised risk assessment frameworks accepted under NIS2. Here is how they differ.
| Aspect | NIST SP 800-30 R1 | ISO/IEC 27005:2022 |
|---|---|---|
| Cost | Free (US government publication) | Paid (ISO standard purchase required) |
| Threat catalogue | Detailed Appendices D & E included | Generic guidance, no built-in catalogue |
| Structure | 9 defined steps with worksheets | Process-oriented, more flexible |
| ISO 27001 alignment | Partial alignment | Fully aligned with ISO 27001 |
| NIS2 acceptance | Accepted methodology | Accepted methodology |
| Best suited for | Practical, time-constrained assessments | ISO 27001 certification programmes |
NIST SP 800-30 questions
What is NIST SP 800-30?
NIST Special Publication 800-30 Revision 1 is a free NIST publication defining a nine-step process for identifying, analysing, and prioritising information security risks. It includes detailed catalogues in Appendices D and E.
How does NIST SP 800-30 relate to NIS2 Article 21?
NIS2 Article 21 requires risk assessments but does not mandate a specific methodology. NIST SP 800-30 satisfies the risk analysis requirement of Article 21(2)(a), and its structured output directly supports NIS2's documentation requirements.
NIST SP 800-30 or ISO 27005: which should I use?
NIST SP 800-30 is free with detailed threat catalogues, practical for organisations without a dedicated risk team. ISO 27005 is a paid standard aligned with ISO 27001, better suited for certification programmes. Both are accepted under NIS2.
Is NIST SP 800-30 mandatory under NIS2?
No. NIS2 does not mandate NIST SP 800-30. However, its structured approach and threat catalogues make it highly suitable. Other frameworks such as ISO 27005 or ENISA guidelines are also acceptable.
Start your NIST SP 800-30 risk assessment
Free, guided, and entirely in your browser. No account required.