This paper demonstrates the application of an agile risk management approach to perform asset-based risk analysis to meet the information security requirements of SMEs (Small and Medium-sized Enterprises). This approach is proposed as an alternative to traditional methods that are cumbersome, resource intensive and costly, often hindering their value and use by SMEs. The organisation being studied is an Aged Care Facility (ACF) with legal and ethical responsibilities. Within the business there is little knowledge regarding potential information technology threats that could impact on these responsibilities. The ACF maintains a system containing client personal and medical records, network communications, as well as financial and business information assets. Understanding the susceptibility of this data to unauthorised access and/or exploitation has become a key concern for the organisation. In order to analyse and communicate potential risks to current IT assets and propose suggestions to mitigate and minimise risk factors, an agile IT security risk assessment approach was developed in a collaborative research venture with ACF and their External IT Provider (EIP).