TIM-5030 v4

Ryan, O. (2017). Assessing cyber risk: Critical questions for the board and the C-suite. Deloitte & Touche.
The importance of this document is that it is written from the perspective of the board and the C-suite with regards to the questions they think about. This will help you frame how they might think about cyber risk and what items you should be considering.

Ames, B., Foster, F., Glynn, C., Lynn, M., Nakama, D., Penrose, T. & Rai, S.(n.d.). Assessing cybersecurity risk. The Institute of Internal Auditors.
This document is important because it discusses assessing cybersecurity risk from the perspective of information systems auditors. This perspective is often a little different from security professionals and important to understand.

National Institute of Standards and Technology. (2012, September). Guide for conducting risk assessments SP 800-30.
The importance of this document is to provide you NIST's best practices for conducting a cyber risk assessment. Even though the resource is from 2012, the methodology of the assessment process remains the same.

Cybersecurity and Infrastructure Security Agency (n.d.). Cyber Resource Hub. Retrieved from https://www.cisa.gov/cyber-resource-hub
This website provides access to a variety of templates used for risk and vulnerability assessment, scanning, evaluation, and standardization.

National Institute of Standards and Technology. (2012, September). Assessing security and privacy controls in information systems and organizations SP 800-53A.
This industry-standard document provides guidelines and information security standards.