Skip to Content

Scoring and Prioritizing Your Findings

Scoring and Prioritizing Your Findings

Scoring and Prioritizing Your Findings

Photo by Polina Zimmerman on Pexels

After completing your IT audit, you will have a list of findings — gaps, vulnerabilities, and improvement opportunities. But not all findings are equally urgent. This lesson teaches you a systematic method for scoring and prioritizing your findings so you can focus limited resources where they matter most.

The Risk Scoring Framework

Every finding should be assigned a risk score based on two factors: Impact and Likelihood. This creates a prioritized roadmap for remediation.

Impact (1-5): How bad would it be?

  • 5 — Catastrophic: Business closure possible, legal liability, massive data breach affecting all customers
  • 4 — Severe: Extended downtime, significant data loss, regulatory fines likely
  • 3 — Moderate: Partial downtime, limited data exposure, manageable but costly to fix
  • 2 — Minor: Single-user impact, easily recoverable, minimal cost
  • 1 — Negligible: Cosmetic issue, no operational impact

Likelihood (1-5): How likely is it to happen?

  • 5 — Almost Certain: Will happen within 30 days without intervention (e.g., unsupported OS with active exploits)
  • 4 — Likely: Will probably happen within 6 months (e.g., no MFA on email accounts)
  • 3 — Possible: Could happen within a year (e.g., weak passwords, no backup testing)
  • 2 — Unlikely: Could happen but would require specific conditions (e.g., segmented network with weak firewall rules)
  • 1 — Rare: Unlikely to occur but theoretically possible (e.g., physical theft of server in locked room)

Risk Score = Impact × Likelihood (range: 1-25)

Risk Level Categories

  • 20-25: Critical — Address immediately (within 30 days). These are existential threats.
  • 12-19: High — Address within 60 days. Significant risk to operations or data.
  • 6-11: Medium — Address within 90 days. Moderate risk that should not be ignored.
  • 1-5: Low — Address when resources permit. Plan for annual resolution.

Example Scoring

Here are common audit findings with their scores:

  • No MFA on email — Impact 5 × Likelihood 4 = Score 20 (Critical) — Email compromise leads to full business compromise
  • No backup testing — Impact 4 × Likelihood 4 = Score 16 (High) — You may not be able to recover when needed
  • Unsupported OS — Impact 4 × Likelihood 5 = Score 20 (Critical) — Active exploits targeting unsupported systems
  • No inventory documentation — Impact 3 × Likelihood 3 = Score 9 (Medium) — Slows incident response but not an immediate threat
  • No screen lock on workstations — Impact 2 × Likelihood 3 = Score 6 (Medium) — Physical access risk in office environment
  • Cosmetic issue in documentation — Impact 1 × Likelihood 1 = Score 1 (Low) — Fix when convenient

Additional Prioritization Factors

Beyond the risk score, consider these factors when prioritizing:

  • Cost to fix — Some high-risk items may have low-cost solutions (e.g., enabling MFA is free)
  • Effort to implement — Quick wins should be done immediately regardless of risk score
  • Regulatory requirement — Compliance-driven fixes may need priority even if risk score is moderate
  • Dependencies — Some fixes depend on others (e.g., configure MDM before enforcing device policies)
  • Business impact during remediation — Some fixes require downtime — schedule accordingly

Step-by-Step Scoring Process

  1. Compile all findings — Gather every issue discovered during the audit
  2. Score each finding — Assign Impact and Likelihood values, calculate risk score
  3. Categorize by risk level — Sort into Critical, High, Medium, Low
  4. Consider additional factors — Factor in cost, effort, compliance, and dependencies
  5. Rank within each category — Order items by score, then by cost-to-fix (lowest cost first within same score)
  6. Assign remediation owners — Each finding needs a responsible person
  7. Set deadlines — Critical: 30 days, High: 60 days, Medium: 90 days, Low: 180 days

Creating a Remediation Tracker

Build a spreadsheet with these columns to track progress:

  • Finding ID and description
  • Category (Security, Backup, Network, Compliance, etc.)
  • Risk score and level
  • Recommendation and action needed
  • Estimated cost
  • Assigned owner
  • Target completion date
  • Status (Not Started, In Progress, Complete)
  • Date completed
  • Verification notes

Free Tools for Tracking

  • Google Sheets / Excel — Simple remediation tracker template
  • Trello Free — Visual Kanban board for tracking remediation progress
  • Asana Free — Task management with deadlines and assignees
  • Notion Free — Database views for tracking findings and status

Key Takeaways

  • Score every finding using Impact × Likelihood to prioritize objectively
  • Address Critical findings (score 20+) within 30 days — they are existential threats
  • Factor in cost, effort, and compliance needs beyond the raw risk score
  • Assign clear ownership and deadlines for every remediation item
  • Track progress in a shared remediation tracker — visibility drives accountability

Scoring and Prioritizing Your Findings

Scoring and Prioritizing Your Findings

Photo by Polina Zimmerman on Pexels

After completing your IT audit, you will have a list of findings — gaps, vulnerabilities, and improvement opportunities. But not all findings are equally urgent. This lesson teaches you a systematic method for scoring and prioritizing your findings so you can focus limited resources where they matter most.

The Risk Scoring Framework

Every finding should be assigned a risk score based on two factors: Impact and Likelihood. This creates a prioritized roadmap for remediation.

Impact (1-5): How bad would it be?

  • 5 — Catastrophic: Business closure possible, legal liability, massive data breach affecting all customers
  • 4 — Severe: Extended downtime, significant data loss, regulatory fines likely
  • 3 — Moderate: Partial downtime, limited data exposure, manageable but costly to fix
  • 2 — Minor: Single-user impact, easily recoverable, minimal cost
  • 1 — Negligible: Cosmetic issue, no operational impact

Likelihood (1-5): How likely is it to happen?

  • 5 — Almost Certain: Will happen within 30 days without intervention (e.g., unsupported OS with active exploits)
  • 4 — Likely: Will probably happen within 6 months (e.g., no MFA on email accounts)
  • 3 — Possible: Could happen within a year (e.g., weak passwords, no backup testing)
  • 2 — Unlikely: Could happen but would require specific conditions (e.g., segmented network with weak firewall rules)
  • 1 — Rare: Unlikely to occur but theoretically possible (e.g., physical theft of server in locked room)

Risk Score = Impact × Likelihood (range: 1-25)

Risk Level Categories

  • 20-25: Critical — Address immediately (within 30 days). These are existential threats.
  • 12-19: High — Address within 60 days. Significant risk to operations or data.
  • 6-11: Medium — Address within 90 days. Moderate risk that should not be ignored.
  • 1-5: Low — Address when resources permit. Plan for annual resolution.

Example Scoring

Here are common audit findings with their scores:

  • No MFA on email — Impact 5 × Likelihood 4 = Score 20 (Critical) — Email compromise leads to full business compromise
  • No backup testing — Impact 4 × Likelihood 4 = Score 16 (High) — You may not be able to recover when needed
  • Unsupported OS — Impact 4 × Likelihood 5 = Score 20 (Critical) — Active exploits targeting unsupported systems
  • No inventory documentation — Impact 3 × Likelihood 3 = Score 9 (Medium) — Slows incident response but not an immediate threat
  • No screen lock on workstations — Impact 2 × Likelihood 3 = Score 6 (Medium) — Physical access risk in office environment
  • Cosmetic issue in documentation — Impact 1 × Likelihood 1 = Score 1 (Low) — Fix when convenient

Additional Prioritization Factors

Beyond the risk score, consider these factors when prioritizing:

  • Cost to fix — Some high-risk items may have low-cost solutions (e.g., enabling MFA is free)
  • Effort to implement — Quick wins should be done immediately regardless of risk score
  • Regulatory requirement — Compliance-driven fixes may need priority even if risk score is moderate
  • Dependencies — Some fixes depend on others (e.g., configure MDM before enforcing device policies)
  • Business impact during remediation — Some fixes require downtime — schedule accordingly

Step-by-Step Scoring Process

  1. Compile all findings — Gather every issue discovered during the audit
  2. Score each finding — Assign Impact and Likelihood values, calculate risk score
  3. Categorize by risk level — Sort into Critical, High, Medium, Low
  4. Consider additional factors — Factor in cost, effort, compliance, and dependencies
  5. Rank within each category — Order items by score, then by cost-to-fix (lowest cost first within same score)
  6. Assign remediation owners — Each finding needs a responsible person
  7. Set deadlines — Critical: 30 days, High: 60 days, Medium: 90 days, Low: 180 days

Creating a Remediation Tracker

Build a spreadsheet with these columns to track progress:

  • Finding ID and description
  • Category (Security, Backup, Network, Compliance, etc.)
  • Risk score and level
  • Recommendation and action needed
  • Estimated cost
  • Assigned owner
  • Target completion date
  • Status (Not Started, In Progress, Complete)
  • Date completed
  • Verification notes

Free Tools for Tracking

  • Google Sheets / Excel — Simple remediation tracker template
  • Trello Free — Visual Kanban board for tracking remediation progress
  • Asana Free — Task management with deadlines and assignees
  • Notion Free — Database views for tracking findings and status

Key Takeaways

  • Score every finding using Impact × Likelihood to prioritize objectively
  • Address Critical findings (score 20+) within 30 days — they are existential threats
  • Factor in cost, effort, and compliance needs beyond the raw risk score
  • Assign clear ownership and deadlines for every remediation item
  • Track progress in a shared remediation tracker — visibility drives accountability
Rating
0 0

There are no comments for now.

to be the first to leave a comment.