The Risk Assessment Report will contain all the elements illustrated in Step 10 on page 97 in the book Information Security Risk Analysis by Thomas Peltier. These elements include an Introduction, Background (why the assessment is being conducted) Scope Statement (explaining what is being reviewed), the Approach (how the assessment is being addressed and an outline of steps and expected deliverables), an Executive Summary (dicussing the entire process and findings in a 1 -2 page overview), Threat Identification (risks and concerns usually categorized by CIA), Risk Factor Determination (weighing each risk to determine priority and impact), Safeguard Identification (what controls are available, why they were chosen, and a comparison or result of other companies that have used the same control), a Cost-Benefit Analysis, Safeguard Recommendations (control to be implemented or risk to be accepted), and an Appendix including the members of the assessment, definitions, Threats by Priority, and research reports.

Overall the risk assessment report provides the documentation showing how an enterprise assessed risk and how they based their determination of how to mitigate it or accept it and why, demonstrating due diligence on the part of the company.

You are spot on Warrick. The confidentiality agreement/statement of work would definitely be part of the report process. Other info that could be useful would be some detail as to why a control/safeguard is being selected and maybe a sample as to how another company successfully mitigated risk with the recommended control.

Hope you had a great holiday!

As stated in a previous post, a good point of reference for items to include in the final report of a risk assessment can be found on page 97 of Peltier's book Information Security Risk Analysis.  However, nothing is etched in stone per se.  The format and components of a risk assessment report can vary greatly from instance to instance depending on many factors. 

In some cases, stakeholders or management may only be interested in seeing certain aspects of the assessment outlined in  the report.  Also, whether or not the assessment done was quantitative or qualitative would play a significant role in the determination of whether or not certain tasks would be conducted.  

A risk assessment report might include some, all of or more than the items listed below:

Introduction - purpose or objective

Overview - importance and key roles

Scope

Threat Identification - likelihood, impact, risk calculation

Mitigation Options - control options, categories, cost-benefit analysis

Conclusion - good security practice for future success.

The final report should be a concise report of all the findings of the risk analysis performed. While formatting can vary it should contain these main parts (m), while optional parts (o) may be added as well if required by the organization. Page 97 as all others mentioned is a great start, however other sources can also be used as a reference. This report will vary from organization to organization; it is best to establish the requirements during the risk analysis when you define deliverables.

(m) Introduction

(m) Background- why analysis is being performed

(o) Existing Standards and Practices- documented existing standards and practices

(m) Access Scope Statement- Scope statement as well as, how risk assessment met deliverables

(m) Explanation of approach-approach used for risk assessment

(m) Executive Overview-one to two page summary of entire process

(m) Threat Identification-process used to identify threats, how catagories etc

(m) Risk Factor Determination-probability treat will occur, as well as impact

(m) Safeguard Identification- safeguards and how they were determined

(m) Cost Benefit Analysis- controls costs (human, time , monetary) etc

(m) Safeguard Recommendations- Teams Recommendations

(m) Appendix- list of team members, definitions, threats (in priority order), etc

I think the detailed report is based on the kind of risk assessment that we do on a particular system or entity .For instance when we do assessment on information technology system and other system like let using chain saw for tree (hypnotically speaking) we gone have different kind off report outlined for each The following things should be concluded on the detailed report .for instance this is a detailed report content that I have for information technology

·         Introduction for the purpose

·         Scope of this risk assessment

·         Participant’s name

·         Techniques used

·         Risk model

o   Threat likelihood

o   Magnitude impact

o   Computation of the risk

·         System characterization

·         system components

·         Physical location

·         Kind of data used by the system

·         Users

·         System diagram illustration

·         Vulnerability statement

·         Threat statement

·         Assessment results

The final report should contain background information about the resource that is being analyzed.  The report should have a clear objective as well as listing threats, impacts and recommendations.  Also, the report should have tables and/or charts to visually explain the researched findings. 

The final report can consist of a summary of all the findings of conducting the assessment. It is the final product of all the work done and gives proof of due diligence. The report can contain the following elements: Introduction, Background, scope statement identifying the asset and reason its being reviewed , explanation of how the assessment was carried out, executive overview, threat identifications, impacts and probabilities of the threats, safeguards that were found to control and address the threats along with threats already in place, cost/benefit analysis to shed light on what controls are cost effective or even feasable, and an appendix. Those who attended, participated, and team members should also be included. These elements are a sample of what should be included and can change or be modified to fit one's needs. Tables, charts and graphs would be a great addition to give visuals to management, making things easier to understand and follow.