Performing (initial) risk assessment

Because every organization has a limited set of resources, organizations should assess the impacts to organizational operations (that is, mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the like. Organizations can experience the consequences/impact of adverse events at the individual ICS system level (for example, failing to perform as required), at the business process level (for example, failing to fully meet business objectives), and at the organizational level (for example, failing to comply with legal or regulatory requirements, damaging reputation or relationships, or undermining long-term viability). An adverse event can have multiple consequences and different types of impact, at different levels, and in different time frames.

The organization may perform a detailed risk assessment for the highest-impact systems and assessments for lower-impact systems as deemed prudent and as resources allow. The risk assessment will help identify any weaknesses that contribute to information security risks and mitigation approaches to reduce the risks. Risk assessments are conducted multiple times during a system's life cycle. The focus and level of detail vary according to the system's maturity.

At the start of the security planning process, an initial risk assessment should be performed to give an impression of the current security posture. To avoid being overwhelmed by discovered vulnerabilities, this initial assessment can be kept at a high level. Depending on the maturity of the security, a gap analysis or a (network) architecture review can provide enough information to start implementing high-impact controls and mitigations. Subsequent assessments can become increasingly detailed to tighten security controls as the maturity of the security plan evolves.
