This is possibly one of the most important steps toward preparing your organization for true security and not just paper security. There are risk assessment templates that a data security team can use, but what is relevant to an organization are the true risks related to its particular environment and assets.
A methodical approach is required so that security controls are applied to the right areas. Information security cannot be managed based on perceived risks, only on real risks. The starting point is perhaps the culture of the organization itself. People should be trained to think and accept that security risks are present. They should be given the freedom to speak up. For instance, a project team should not hesitate to bring up any possible risks to the team lead while they are working on the project. These risks should then be tested and assessed.
As ‘Search Security’ outlines in its article, here are some basic steps you may want to follow to manage the area of Risk Assessment.