Quantitative Risk Assessment – ISO 27001 & NIST Overview
This project presents a quantitative risk assessment conducted on critical business assets exposed to natural disaster scenarios, including earthquakes, fires, and floods.
The analysis applies industry-standard risk management metrics:
- Single Loss Expectancy (SLE)
- Annual Loss Expectancy (ALE)
- Annual Rate of Occurrence (ARO)
The objective is to estimate potential annual losses, evaluate business impact, and propose risk mitigation strategies aligned with ISO 27001 and NIST security frameworks.
Methodology
The assessment follows the quantitative risk analysis approach:
SLE
SLE = Asset Value × Exposure Factor
ALE
ALE = SLE × ARO
Definitions
- Asset Value (AV): Monetary value of the asset
- Exposure Factor (EF): Percentage of the asset value lost when the event occurs
- Annual Rate of Occurrence (ARO): Expected yearly frequency of the event
Risk Scenarios
The assessment evaluates:
- Flood impact on business facilities
- Earthquake impact on datacenter infrastructure
- Fire impact on critical assets
Each scenario includes:
- Asset valuation
- Exposure factor calculation
- Annual occurrence estimation
- Annualized loss calculation
- Risk interpretation
Risk Mitigation
Recommended controls include:
- Disaster recovery planning
- Business continuity strategies
- Infrastructure redundancy
- Physical security improvements
- Risk transfer through insurance
- ISO 27001 risk treatment processes
Framework Alignment
- ISO/IEC 27001
- NIST Risk Management Framework (RMF)
- Quantitative Risk Assessment Methodology
Author
Nouman Javed Nizami.