2023 IT Examiner School

Internal Use Only

Risk Assessment: Risk Response

Internal Use Only

Risk Mitigation is Not Risk Elimination!

• Impossible to eliminate threats 100%

• Risk response is to reduce the impact or consequence of the vulnerability

• Exposure is in line with Risk Appetite

• Board aware and agree to the outcomes

One needs a process to ensure you are implementing countermeasures that actually limit risk.