Scoring and Prioritizing Your Findings
Scoring and Prioritizing Your Findings

Photo by Polina Zimmerman on Pexels
After completing your IT audit, you will have a list of findings — gaps, vulnerabilities, and improvement opportunities. But not all findings are equally urgent. This lesson teaches you a systematic method for scoring and prioritizing your findings so you can focus limited resources where they matter most.
The Risk Scoring Framework
Every finding should be assigned a risk score based on two factors: Impact and Likelihood. This creates a prioritized roadmap for remediation.
Impact (1-5): How bad would it be?
- 5 — Catastrophic: Business closure possible, legal liability, massive data breach affecting all customers
- 4 — Severe: Extended downtime, significant data loss, regulatory fines likely
- 3 — Moderate: Partial downtime, limited data exposure, manageable but costly to fix
- 2 — Minor: Single-user impact, easily recoverable, minimal cost
- 1 — Negligible: Cosmetic issue, no operational impact
Likelihood (1-5): How likely is it to happen?
- 5 — Almost Certain: Will happen within 30 days without intervention (e.g., unsupported OS with active exploits)
- 4 — Likely: Will probably happen within 6 months (e.g., no MFA on email accounts)
- 3 — Possible: Could happen within a year (e.g., weak passwords, no backup testing)
- 2 — Unlikely: Could happen but would require specific conditions (e.g., segmented network with weak firewall rules)
- 1 — Rare: Unlikely to occur but theoretically possible (e.g., physical theft of server in locked room)
Risk Score = Impact × Likelihood (range: 1-25)
Risk Level Categories
- 20-25: Critical — Address immediately (within 30 days). These are existential threats.
- 12-19: High — Address within 60 days. Significant risk to operations or data.
- 6-11: Medium — Address within 90 days. Moderate risk that should not be ignored.
- 1-5: Low — Address when resources permit. Plan for annual resolution.
Example Scoring
Here are common audit findings with their scores:
- No MFA on email — Impact 5 × Likelihood 4 = Score 20 (Critical) — Email compromise leads to full business compromise
- No backup testing — Impact 4 × Likelihood 4 = Score 16 (High) — You may not be able to recover when needed
- Unsupported OS — Impact 4 × Likelihood 5 = Score 20 (Critical) — Active exploits targeting unsupported systems
- No inventory documentation — Impact 3 × Likelihood 3 = Score 9 (Medium) — Slows incident response but not an immediate threat
- No screen lock on workstations — Impact 2 × Likelihood 3 = Score 6 (Medium) — Physical access risk in office environment
- Cosmetic issue in documentation — Impact 1 × Likelihood 1 = Score 1 (Low) — Fix when convenient
Additional Prioritization Factors
Beyond the risk score, consider these factors when prioritizing:
- Cost to fix — Some high-risk items may have low-cost solutions (e.g., enabling MFA is free)
- Effort to implement — Quick wins should be done immediately regardless of risk score
- Regulatory requirement — Compliance-driven fixes may need priority even if risk score is moderate
- Dependencies — Some fixes depend on others (e.g., configure MDM before enforcing device policies)
- Business impact during remediation — Some fixes require downtime — schedule accordingly
Step-by-Step Scoring Process
- Compile all findings — Gather every issue discovered during the audit
- Score each finding — Assign Impact and Likelihood values, calculate risk score
- Categorize by risk level — Sort into Critical, High, Medium, Low
- Consider additional factors — Factor in cost, effort, compliance, and dependencies
- Rank within each category — Order items by score, then by cost-to-fix (lowest cost first within same score)
- Assign remediation owners — Each finding needs a responsible person
- Set deadlines — Critical: 30 days, High: 60 days, Medium: 90 days, Low: 180 days
Creating a Remediation Tracker
Build a spreadsheet with these columns to track progress:
- Finding ID and description
- Category (Security, Backup, Network, Compliance, etc.)
- Risk score and level
- Recommendation and action needed
- Estimated cost
- Assigned owner
- Target completion date
- Status (Not Started, In Progress, Complete)
- Date completed
- Verification notes
Free Tools for Tracking
- Google Sheets / Excel — Simple remediation tracker template
- Trello Free — Visual Kanban board for tracking remediation progress
- Asana Free — Task management with deadlines and assignees
- Notion Free — Database views for tracking findings and status
Key Takeaways
- Score every finding using Impact × Likelihood to prioritize objectively
- Address Critical findings (score 20+) within 30 days — they are existential threats
- Factor in cost, effort, and compliance needs beyond the raw risk score
- Assign clear ownership and deadlines for every remediation item
- Track progress in a shared remediation tracker — visibility drives accountability
Scoring and Prioritizing Your Findings

Photo by Polina Zimmerman on Pexels
After completing your IT audit, you will have a list of findings — gaps, vulnerabilities, and improvement opportunities. But not all findings are equally urgent. This lesson teaches you a systematic method for scoring and prioritizing your findings so you can focus limited resources where they matter most.
The Risk Scoring Framework
Every finding should be assigned a risk score based on two factors: Impact and Likelihood. This creates a prioritized roadmap for remediation.
Impact (1-5): How bad would it be?
- 5 — Catastrophic: Business closure possible, legal liability, massive data breach affecting all customers
- 4 — Severe: Extended downtime, significant data loss, regulatory fines likely
- 3 — Moderate: Partial downtime, limited data exposure, manageable but costly to fix
- 2 — Minor: Single-user impact, easily recoverable, minimal cost
- 1 — Negligible: Cosmetic issue, no operational impact
Likelihood (1-5): How likely is it to happen?
- 5 — Almost Certain: Will happen within 30 days without intervention (e.g., unsupported OS with active exploits)
- 4 — Likely: Will probably happen within 6 months (e.g., no MFA on email accounts)
- 3 — Possible: Could happen within a year (e.g., weak passwords, no backup testing)
- 2 — Unlikely: Could happen but would require specific conditions (e.g., segmented network with weak firewall rules)
- 1 — Rare: Unlikely to occur but theoretically possible (e.g., physical theft of server in locked room)
Risk Score = Impact × Likelihood (range: 1-25)
Risk Level Categories
- 20-25: Critical — Address immediately (within 30 days). These are existential threats.
- 12-19: High — Address within 60 days. Significant risk to operations or data.
- 6-11: Medium — Address within 90 days. Moderate risk that should not be ignored.
- 1-5: Low — Address when resources permit. Plan for annual resolution.
Example Scoring
Here are common audit findings with their scores:
- No MFA on email — Impact 5 × Likelihood 4 = Score 20 (Critical) — Email compromise leads to full business compromise
- No backup testing — Impact 4 × Likelihood 4 = Score 16 (High) — You may not be able to recover when needed
- Unsupported OS — Impact 4 × Likelihood 5 = Score 20 (Critical) — Active exploits targeting unsupported systems
- No inventory documentation — Impact 3 × Likelihood 3 = Score 9 (Medium) — Slows incident response but not an immediate threat
- No screen lock on workstations — Impact 2 × Likelihood 3 = Score 6 (Medium) — Physical access risk in office environment
- Cosmetic issue in documentation — Impact 1 × Likelihood 1 = Score 1 (Low) — Fix when convenient
Additional Prioritization Factors
Beyond the risk score, consider these factors when prioritizing:
- Cost to fix — Some high-risk items may have low-cost solutions (e.g., enabling MFA is free)
- Effort to implement — Quick wins should be done immediately regardless of risk score
- Regulatory requirement — Compliance-driven fixes may need priority even if risk score is moderate
- Dependencies — Some fixes depend on others (e.g., configure MDM before enforcing device policies)
- Business impact during remediation — Some fixes require downtime — schedule accordingly
Step-by-Step Scoring Process
- Compile all findings — Gather every issue discovered during the audit
- Score each finding — Assign Impact and Likelihood values, calculate risk score
- Categorize by risk level — Sort into Critical, High, Medium, Low
- Consider additional factors — Factor in cost, effort, compliance, and dependencies
- Rank within each category — Order items by score, then by cost-to-fix (lowest cost first within same score)
- Assign remediation owners — Each finding needs a responsible person
- Set deadlines — Critical: 30 days, High: 60 days, Medium: 90 days, Low: 180 days
Creating a Remediation Tracker
Build a spreadsheet with these columns to track progress:
- Finding ID and description
- Category (Security, Backup, Network, Compliance, etc.)
- Risk score and level
- Recommendation and action needed
- Estimated cost
- Assigned owner
- Target completion date
- Status (Not Started, In Progress, Complete)
- Date completed
- Verification notes
Free Tools for Tracking
- Google Sheets / Excel — Simple remediation tracker template
- Trello Free — Visual Kanban board for tracking remediation progress
- Asana Free — Task management with deadlines and assignees
- Notion Free — Database views for tracking findings and status
Key Takeaways
- Score every finding using Impact × Likelihood to prioritize objectively
- Address Critical findings (score 20+) within 30 days — they are existential threats
- Factor in cost, effort, and compliance needs beyond the raw risk score
- Assign clear ownership and deadlines for every remediation item
- Track progress in a shared remediation tracker — visibility drives accountability
There are no comments for now.