2023 IT Examiner School

Internal Use Only

Reducing the Depth of Review

The depth of the risk assessment review may be significantly reduced when:

- The risk assessment was recently reviewed by a qualified auditor and found to be adequate.
- There have been no changes in management or the environment since the last examination.
- The quality of the risk assessment process has been validated.


Risk Assessment: Management Responsibilities

- Effective risk assessments are performed by qualified personnel, have executive-level ownership, and are enterprise-wide.
- Risk assessments should be performed annually or whenever significant changes occur.
- An effective risk assessment process includes identification of assets, threats, and vulnerabilities.
- Management should be able to explain the rationale for the security devices they use and for not including devices that would further mitigate risk.
