2023 IT Examiner School
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.
Risk Monitoring & Reporting
• A risk response is designed and implemented based on a risk assessment that was conducted at a single point in time.
• Because of the changing nature of risk and associated controls, ongoing monitoring is an essential step of the risk management life cycle.
• Controls can become less effective over time.
• The operational environment may have changed, and new threats may have emerged.