Sarbanes-Oxley, Section 404, requires public companies to annually assess and report on the effectiveness of internal controls over financial reporting. A component of risk management is information technology (IT) risk management, and it should be part of any IT security program. An internal IT risk assessment can unearth those before the auditors do. NIST Special Publication 800-30, published in July 2002 and entitled Risk Management Guide for Information Technology Systems, is a good place to start. The risk assessment methodology uses a nine-step process.
Source: https://www.cuinfosecurity.com/planning-for-internal-risk-assessment-a-379