2023 IT Examiner School

Internal Use Only

Risk Assessment Review

The risk assessment must identify:
• Information and technology assets of the organization
• Assess likelihood and impact of threats & vulnerabilities (inherent risk)
• Risk Response (Accept, Transfer, Reduce, Ignore)
• Audit controls/provide assurance


Expanding the Depth of Review

Plan to expand the depth when:
• A risk assessment has not been reviewed at least annually.
• There have been changes in management and/or environment.
• Risks identified do not incorporate Technical, Human, Environmental risks.
• The risk assessment has been completed with limited input from other departments.
• There are discrepancies between the services/topology and assets identified in the risk assessment.
• Significant audit and independent review findings are evident.
• You are not confident in management's responses.
