IT Examiner School - Oct 2023
Risk Acceptance
• Examples of risk acceptance:
• Provide no active mitigation
• Based on risk appetite and cost-benefit analysis
• Sometimes acceptance is the only choice
• Risk acceptance must include due diligence
• Level of risk is always changing, and acceptance decisions need to be regularly reviewed.
Risk Assessment Process
Identify and value information assets
Identify potential internal/external threats and/or vulnerabilities
Assess likelihood & impact of threats/vulnerabilities
Risk Response (Accept, Transfer, Reduce, Ignore)
Assess sufficiency of risk control policies, procedures, information systems, etc.